jorvic has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone. While continuing work on my CGI script, now that I understand more of the DBI (and, thanks to some kind people in an earlier post, have more information on it), I decided to test what I have and see how it's working out. After having problems at first, I started to read and debug. I have learned a bit about debugging CGIs now. However, my script still fails and I'm not sure why. Here is the code:
#!/usr/bin/perl -wT
#sub create_forms {
use CGI;
use DBI;

#Debugging info
use diagnostics;
BEGIN {
    $|=1;
    print "Content-type: text/html\n\n";
    use CGI::Carp('fatalsToBrowser');
}

$cgi = new CGI;
$cgi->header;

#DB connection info
my $db       = 'DBI:mysql:plist:blah';
my $username = 'blah';
my $pass     = 'blah';
my $dbh = DBI->connect($db, $username, $pass, { RaiseError => 1 })
    or die "Error connecting: $DBI::errstr";

my $sql = qq{SELECT `Item Name` FROM Sheet1 WHERE type = ?};
my $sth = $dbh->prepare($sql);

#We make a form with popup menus and populate each list
#with the item names from the DB
$cgi->start_html;
$cgi->start_form;

$sth->execute(Case);
while($info = $sth->fetchrow_hashref) {
    push @case, values %{ $info };    # collect every row
}
print "Case<p>";
$cgi->popup_menu(-name=>'Case', -values=>[@case],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(Motherboards);
while($info = $sth->fetchrow_hashref) {
    push @mobo, values %{ $info };
}
print "MotherBoard<p>";
$cgi->popup_menu(-name=>'mobo', -values=>['SOYO','MSI'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(Processors);
while($info = $sth->fetchrow_hashref) {
    push @cpu, values %{ $info };
}
print "Processor<p>";
$cgi->popup_menu(-name=>'CPU', -values=>['AMD','Intel'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`Video Cards`);
while($info = $sth->fetchrow_hashref) {
    push @vidcard, values %{ $info };
}
print "Video Card<p>";
$cgi->popup_menu(-name=>'videocard', -values=>['nVidia','ATI'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(RAM);
while($info = $sth->fetchrow_hashref) {
    push @ram, values %{ $info };
}
print "RAM<p>";
$cgi->popup_menu(-name=>'RAM', -values=>['1GB DDR','512MB DDR'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(Modems);
while($info = $sth->fetchrow_hashref) {
    push @modem, values %{ $info };
}
print "Modem<p>";
$cgi->popup_menu(-name=>'modem',
                 -values=>['Yay a modem lets wardial','Ack unless you mean cable keep it away'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`Network Internet Cards`);
while($info = $sth->fetchrow_hashref) {
    push @nic, values %{ $info };
}
print "Network Card<p>";
$cgi->popup_menu(-name=>'NIC', -values=>['Of course','Hell give me two'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`External Sound Devices`);
while($info = $sth->fetchrow_hashref) {
    push @speaker, values %{ $info };
}
print "Speakers<p>";
$cgi->popup_menu(-name=>'speakers', -values=>['5.1','I said I dont like sound'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`Hard Drives`);
while($info = $sth->fetchrow_hashref) {
    push @hdd, values %{ $info };
}
print "Hard Drive<p>";
$cgi->popup_menu(-name=>'hdd',
                 -values=>['40GB','dont need one just give me lots of floppies'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`3.5 Drive Bay Devices`);
while($info = $sth->fetchrow_hashref) {
    push @floppy, values %{ $info };
}
print "Floppy Drive<p>";
$cgi->popup_menu(-name=>'floppy',
                 -values=>['one of those large old ones please',
                           'No thanks if it cant boot you guys work on it anyway'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`5.25 Drive Bay Devices`);
while($info = $sth->fetchrow_hashref) {
    push @cd1, values %{ $info };
}
print "Drive Bay 1<p>";
$cgi->popup_menu(-name=>'cd1', -values=>['Whats a drive bay? ','Nothing','DVD Burner'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(`5.25 Drive Bay Devices`);
while($info = $sth->fetchrow_hashref) {
    push @cd2, values %{ $info };
}
print "Drive Bay 2<p>";
$cgi->popup_menu(-name=>'cd2',
                 -values=>['nothing in one but i\'ll take something here','Surprise me'],
                 -onChange=>"javascript:this.form.submit()");

$sth->execute(Monitors);
while($info = $sth->fetchrow_hashref) {
    push @monitor, values %{ $info };
}
print "Monitor<p>";
$cgi->popup_menu(-name=>'monitor', -values=>['17 inch','none'],
                 -onChange=>"javascript:this.form.submit()");

$cgi->endform;
print $cgi->end_html;
When run from the webserver I get this:
Case MotherBoard Processor Content-type: text/html
Software error:
Insecure $ENV{PATH} while running with -T switch at /home/blah/www/www/cgi-bin/trial.pl line 64.
For help, please send mail to the webmaster (admin@blah.com), giving this error message and the time and date of the error.
This code was just thrown together from other parts I was making, to test them out and to play with making the popup menus take the values I pulled from the database, and also to make sure that the database connects and that the popup menus are even created. Thank you everyone for any advice that you give; all comments (even flames) are welcome.

Replies are listed 'Best First'.
Re: Debugging CGI
by dws (Chancellor) on Feb 21, 2004 at 23:35 UTC
    You're getting the Insecure $ENV{PATH} error because Perl thinks you're trying to execute a shell command from within the script. On first glance, you're not. But on a careful second glance, you're using backticks (`) where you mean to be using single quotes ('). See if you can spot where.

    When Perl sees backticks in conjunction with -T, it requires that $ENV{PATH} be untainted, to prevent exploits whereby someone drops a command of the same name into some place in your PATH that you don't expect it to be.

Re: Debugging CGI
by chromatic (Archbishop) on Feb 22, 2004 at 00:08 UTC

    You need to print the return value of almost all CGI methods you call. If you do that, though, you'll notice you're printing two headers.

    If you use strict at the top, you'll run into a lot of bareword errors, so look at what you're passing to execute. You'll also have to declare several variables. Of course, the benefit is that once you fix those errors, you'll have better protection against typos.
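Putting dws's and chromatic's points together, here is a corrected version of the script. It is an added example, not jorvic's code and not anything posted in this thread; it assumes the same 'plist' database and Sheet1 table (columns `Item Name` and `type`) as the original post, and the DSN, username and password are placeholders. It prints the header exactly once, prints the return value of every CGI.pm call, passes each category as a quoted string bound to the placeholder instead of a bareword or a backtick string, and fills every menu from the database rather than from hard-coded lists.

```perl
#!/usr/bin/perl -wT
# Added example: corrected version of the form script from the question.
# Not the original poster's code. Assumes a MySQL database 'plist' with a
# table Sheet1 whose columns `Item Name` and `type` match the original
# post; the DSN, username and password are placeholders.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);
use DBI;

$| = 1;

my $cgi = CGI->new;

# The header is printed exactly once, here, and not from a BEGIN block.
print $cgi->header('text/html');

my $dsn      = 'DBI:mysql:plist:localhost';   # placeholder
my $username = 'blah';                        # placeholder
my $pass     = 'blah';                        # placeholder

my $dbh = DBI->connect($dsn, $username, $pass,
                       { RaiseError => 1, PrintError => 0 })
    or die "Error connecting: $DBI::errstr";

# One prepared statement reused for every category. The category is a bind
# value, so it is never interpolated into the SQL text.
my $sth = $dbh->prepare(q{SELECT `Item Name` FROM Sheet1 WHERE type = ?});

# Return every item name stored for a category.
sub items_for {
    my ($type) = @_;
    $sth->execute($type);
    my @items;
    while (my $row = $sth->fetchrow_arrayref) {
        push @items, $row->[0];
    }
    return @items;
}

# Form field name, label shown to the user, and the category string as it
# is stored in the `type` column. These are quoted strings: under strict a
# bareword is an error, and backticks would run a shell command.
my @sections = (
    [ 'Case',      'Case',         'Case'                   ],
    [ 'mobo',      'MotherBoard',  'Motherboards'           ],
    [ 'CPU',       'Processor',    'Processors'             ],
    [ 'videocard', 'Video Card',   'Video Cards'            ],
    [ 'RAM',       'RAM',          'RAM'                    ],
    [ 'modem',     'Modem',        'Modems'                 ],
    [ 'NIC',       'Network Card', 'Network Internet Cards' ],
    [ 'speakers',  'Speakers',     'External Sound Devices' ],
    [ 'hdd',       'Hard Drive',   'Hard Drives'            ],
    [ 'floppy',    'Floppy Drive', '3.5 Drive Bay Devices'  ],
    [ 'cd1',       'Drive Bay 1',  '5.25 Drive Bay Devices' ],
    [ 'cd2',       'Drive Bay 2',  '5.25 Drive Bay Devices' ],
    [ 'monitor',   'Monitor',      'Monitors'               ],
);

# Every CGI.pm HTML method returns a string; nothing reaches the browser
# unless that string is printed.
print $cgi->start_html(-title => 'Parts list');
print $cgi->start_form;

for my $section (@sections) {
    my ($field, $label, $category) = @$section;
    my @values = items_for($category);
    print $cgi->p($cgi->escapeHTML($label));
    print $cgi->popup_menu(
        -name     => $field,
        -values   => \@values,
        -onChange => 'this.form.submit()',
    );
}

print $cgi->end_form;
print $cgi->end_html;

$sth->finish;
$dbh->disconnect;
```

Because no backticks, system() or piped open remain, this version runs under -T without touching $ENV{PATH} at all; DBI talks to MySQL over a socket, not through a shell. Run it with `perl -wT -c` first: strict and taint checking together catch the bareword and quoting mistakes before the web server ever sees the script.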

Re: Debugging CGI
by Jaap (Curate) on Feb 21, 2004 at 22:50 UTC
    This error:
    Insecure $ENV{PATH} while running with -T switch at /home/blah/www/www

    Means you have to untaint the PATH environment variable like so:
    $ENV{'PATH'} = "";
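Setting PATH yourself is the right idea, but the value has to be one you trust, and perlsec asks for a few more variables to be cleared at the same time. Here is an added example (not from this thread) of the full taint-mode setup for a CGI that genuinely needs to run an external command, together with the allow-list regex that is the only way to untaint a request parameter before it reaches that command. The command /usr/bin/host and the parameter name 'hostname' are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -wT
# Added example, not from the thread: the taint-mode environment setup
# that makes "Insecure $ENV{PATH}" go away when a script really must run
# an external command, and the allow-list untainting of the user input
# that feeds it. /usr/bin/host and the 'hostname' parameter are assumed.
use strict;
use warnings;
use CGI;
use CGI::Carp qw(fatalsToBrowser);

# perlsec: under -T, backticks, system(), exec() and piped opens refuse to
# run unless PATH is set to a trusted value inside the script, and IFS,
# CDPATH, ENV and BASH_ENV are removed. Do this before any such call.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $cgi = CGI->new;
print $cgi->header('text/plain');

# Everything read from the request is tainted. The only way to untaint it
# is to capture the wanted part with a regex whose pattern is an allow-list.
# Capturing with /(.*)/ would clear the taint flag while checking nothing.
my $raw = $cgi->param('hostname');   # assumed parameter name
defined $raw or die "missing hostname\n";

# DNS hostname syntax: labels of letters, digits and hyphens, dots between
# them, no leading hyphen, nothing else. \z rather than $ so that a
# trailing newline cannot slip past the anchor.
my ($hostname) = $raw =~ /^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)\z/i
    or die "hostname contains characters outside the allow-list\n";

# List-form system() hands the arguments straight to exec without a shell,
# so even a value that passed the regex can never be re-read as shell
# syntax. Backticks always go through the shell, which is why they are the
# wrong tool for anything that includes request data.
system('/usr/bin/host', $hostname) == 0
    or die "host lookup failed: $?\n";
```

The order matters: the environment is fixed before the request is read, the parameter is untainted by extraction rather than by assignment, and the external program is given an absolute path and an argument list. Any one of those missing is what the -T switch exists to complain about.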
Re: Debugging CGI
by vladdrak (Monk) on Feb 22, 2004 at 03:58 UTC
    Use the carp, Luke:
    use CGI::Carp qw(fatalsToBrowser);
    local $SIG{__WARN__} = \&Carp::cluck;
    ...add that to the top of your script. -Vlad