in reply to Get vs. POST in CGI.pm

As far as I know, you can't use GET with a multipart/form-data type request. Why would you want to upload a file in the query string, anyway?

Use POST for changing state on the server. That includes uploading files.

(Oh, and you might prefer $cgi->upload( 'filename' ), for consistency.)

Replies are listed 'Best First'.
Re: Re: Get vs. POST in CGI.pm
by Anonymous Monk on Sep 22, 2003 at 21:40 UTC

    Hi, thanks for the response.

    It's fair enough to say "Don't use GET for uploads." But the thing is, the error-checking doesn't work if I use POST.

    If I enter "blablabla" into the form and use a POST, the output is "No Die". If I change POST to GET (as shown in the posted code) I get "We Die". I want to avoid processing non-existant files, but can only do so if I use a GET, which doesn't make sense to me.

    In other words: why does CGI.pm permit upload(garbage) to not be undef with a POST, while it does enforce it with a GET?

[reply]
[d/l]
[select]
      "In other words: why does CGI.pm permit upload(garbage) to not be undef with a POST, while it does enforce it with a GET?"

      POST requests include a content body in the request headers, GET requests do not.

      Here's a link that you may find useful Difference between GET and POST.

      LR

      Whip me, Beat me, Make me use Y-ModemG.
[reply]
[d/l]
      How is the error checking not working? It fails when used with a GET. Which it should since it is impossible to upload a file without using POST and multipart/form-data encoding. upload() returns the filehandle or undef if there was a failure.

      Are you saying that upload() always succeeds with POST? What are you trying to cause it to fail? upload does not care about the file name. CGI.pm saves the data in a temporary file. You need to validate the file name if you want; it is accessible through param. 

      my $filename = $cgi->param('filename');
my $fh = $cgi->upload('filename');
my $type = $cgi->uploadInfo($filename)->{Content-Type};

      [download]
[reply]
[d/l]
[select]

        You hit the issue right on:

        Are you saying that upload() always succeeds with POST?

        I tried to make it fail by passing it garbage file names. My understanding was that upload would return undef if it could not create a valid file-handle. And, if the file didn't exist, how could there be a valid file-handle? Instead, though, when I POST upload would return a string containing whatever string I passed in from the HTML form.

        Now, I was able to validate by using either ->{Content-Type} or by using a regex to see if there was a directory trailing (not sure how many OS's do that, so I don't recommend it, but everything I tested did it).

        My question remains, though: why is upload passing me that string instead of undef like the docs seem to say it will?

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom