in reply to HTML::Template, CGI - concatenating strings & variables

The obvious error is that you are quoting your variable with single quotes - this never works! Do this instead:
my $template = HTML::Template->new( filename => $rpt_tmpl, associate => $CGI, );
Just like you didn't quote $CGI. However, you really should do a little error checking first. Also, don't explicitly print out the content header if you are using CGI.pm:
print $CGI->header;
You are much less prone to making mistakes when you let CGI.pm print the header.

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)

Re: Re: HTML::Template, CGI - concatenating strings & variables
by Lori713 (Pilgrim) on Nov 17, 2003 at 15:09 UTC
    Well, DUH....    <insert really sheepish, blushing face here>. Ya know, I just looked up the double-quote vs. single-quote usage with variables and missed the one you caught. Thanks!

    What do you mean by "a little error checking first"? Will that help me debug my own code better? I'm all for that!

    P.S. I like the print $CGI->header; line. I'm learning more and more cool things with CGI and HTML::Template. Thanks!

    Lori

      In your case, all you really need to do is make sure that the id the user submits is valid.
      my $rpt_id = $CGI->param('rpt_id');
      # trim any leading or trailing whitespace
      $rpt_id =~ s/^\s*//;
      $rpt_id =~ s/\s*$//;
      # assuming report id is supposed to only contain digits
      unless ($rpt_id =~ /^\d+$/) {
          # handle error - id contains more than digits
      }
      is just one example of "untainting" your parameters that are submitted by someone (who could be trying to crack your CGI script). I recommend adding the taint switch to your "shebang" line:
      #!/usr/local/bin/perl5_8 -T
      Since you have already untainted $rpt_id by making it part of $rpt_tmpl like so:
      my $rpt_tmpl = "cnc1_rpt" . $rpt_id . "_summary.tmpl";
      # another way to achieve the same result:
      my $rpt_tmpl = "cnc1_rpt@{[$rpt_id]}_summary.tmpl";
      # and yet another way
      my $rpt_tmpl = sprintf("cnc1_rpt%d_summary.tmpl", $rpt_id);
      you shouldn't have to worry about devious folks getting at other files like you would with the following DANGEROUS code:
      my $file = $CGI->param('file');
      open FH, '<', "$PATH/$file";
      Even though you supply the path, the user can still submit something like ../../../etc/passwd ... bad.

      Your code appears safe enough as it is, but ... it's still a good idea to make sure that what you let the user submit is restricted.

      jeffa

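      The validate-then-build pattern from the reply above as a complete script that is an added example, not jeffa's or Lori's code. It runs under -T, where only a regex capture clears the taint flag (concatenation, interpolation and sprintf all carry it along), and the template directory name, the id length limit and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example: whitelist a CGI report id under taint mode before using it
# to build a template filename. Directory and id length are assumptions.
use strict;
use warnings;

# Hypothetical directory holding the report templates.
my $TEMPLATE_DIR = '/var/www/templates';

# Return the validated report id, or nothing if it is not purely digits.
# Under -T only the capture in the final regex removes the taint flag,
# so this is the one place where untrusted input becomes trusted.
sub untaint_report_id {
    my ($raw) = @_;
    return unless defined $raw;
    $raw =~ s/^\s+//;    # trim leading whitespace
    $raw =~ s/\s+$//;    # trim trailing whitespace
    return $raw =~ /^(\d{1,6})$/ ? $1 : undef;
}

# Build the template path from an already validated id. Because the id can
# only ever be digits, path separators or ".." can never reach the filename.
sub report_template_for {
    my ($id) = @_;
    return "$TEMPLATE_DIR/cnc1_rpt${id}_summary.tmpl";
}

# Constructed sample inputs standing in for $CGI->param('rpt_id'):
# the last two show what the check rejects.
for my $input (" 42 ", "7", "", "../../../etc/passwd", "12abc") {
    my $id = untaint_report_id($input);
    if (defined $id) {
        printf "%-22s -> %s\n", "'$input'", report_template_for($id);
    }
    else {
        printf "%-22s -> rejected\n", "'$input'";
    }
}
```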
      
        I see what you mean by error checking first. As it turns out, the $rpt_id variable is actually set by the value of the radio button that is clicked; the user doesn't actually do anything but click on the radio button to indicate which report they want.

        I am especially appreciative of your help/comments/suggestions about how to improve my code with regards to security. This is a big concern to me since I'm new at this. I've already received an agreement from our dba's to review my code for security holes after I get my initial draft completed, but it's nice to get the holes filled before showing it to them!

        Thanks!

        Lori