suggest a solution to "sanitize" this line of code
$yeardir=$ENV{'QUERY_STRING'}; ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);
Assuming year must be a four-digit number starting with 19, 20 or 21:
$yeardir=$ENV{'QUERY_STRING'}; $yeardir=~/^(19|20|21)[0-9]{2}$/ or die "Bad year\n"; ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);
Note that or die will cause a "500 Internal Server Error" when your script is called with an invalid number. You may want to generate a nicer error page instead:
$yeardir=$ENV{'QUERY_STRING'}; unless ($yeardir=~/^(19|20|21)[0-9]{2}$/) { print "Content-Type: text/plain\r\n\r\n"; print "Bad year."; exit; # <-- important. Don't run into the following code. } ... opendir(DIR, "d:/wwwroot/CalvaryBaptist/Sermons/".$yeardir);
For a more robust solution, don't try to parse the CGI environment by yourself. There are tons of CGI modules on CPAN, CGI was in core for ages, but it is fat and full of legacy code. CGI::Minimal provides the essential parts, skipping generating HTML and much legacy code. CGI::Simple strips generating HTML and moves the functional interface into a separate module CGI::Simple::Standard, but attempts to stay compatible with CGI. CGI::Lite is yet another instance of "CGI without generating HTML". Modules compatible with the CGI API offer a method named param() that allows you to fetch parameter values from the query string.
Also, consider use strict;, use warnings;, enabling taint mode (#!perl -T). Note that taint mode will cause your script to die when you attempt to pass unverified ("tainted") data to critical functions. You need to verify all data. See perlsec.
You may also want to use CGI::Carp for a better error handling and autodie to have automatic error checks for the I/O operations.
Alexander
In reply to Re^3: HTML Template
by afoken
in thread HTML Template
by raptorsoul
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |