Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I'm working on a site that has both a public area and a members area. I would like to make it so that a menu appears on both, but some items are available to people logged in as members and not to the public.
I wrote a script that uses an include statement in a .shtml file to do this, but I have a few perl scripts that I'm using HTML::Template to return output with that I can't include the script with.

So, my question is:
A) How can I execute a script within a script (and is this a good/bad idea)?
OR
B) Is there a way to have a script in a separate file, then include it into a file as if it were a sub and execute it?

If I'm not being clear in what I need to do, please let me know and I'll gladly elaborate some more.

Basically I would like to execute a script within a script OR somehow include it into the file, and run it as a sub. Is there a way to do this? And is it a bad idea?

Thx Monks!


Steny

Re: Exec script within script or import sub...? help plz
by hbo (Monk) on Jun 21, 2004 at 03:03 UTC
    Of course, with HTML::Template you could do stuff like this:
    <SELECT name="whaticando">
      <option value="1"> Log off </option>
      <TMPL_IF name=Unprivileged>
        <option value="2"> Whistle a tune </option>
      </TMPL_IF>
      <TMPL_IF name=Privileged>
        <option value="3">Blow my horn</option>
      </TMPL_IF>
    </SELECT>

    Then in the script:
    # Set the flag that the matching <TMPL_IF> tests; "whaticando" is the
    # form field name, not a template parameter.
    if ($privileged) {
        $html->param( Privileged => 1 );
    }
    else {
        $html->param( Unprivileged => 1 );
    }

    This isn't actually a good way to enforce privilege levels. A clever user could post to your script supplying a "3" instead of a "2" for the "whaticando" parameter. You still need to enforce privilege on the server side without reference to what the client gives you. (Other than a cookie, say, which has its own vulnerabilities similar to the one just given.) But this method lets your presentation vary based on a privilege level. There are probably neater ways to do this than I've shown.
      Yeah, thx. I'm being stupid about it all. Just going to adjust how I use html::template.

      As far as server side enforcing goes... I set a param of a session (using CGI::Session) to record their appropriate access. This should be secure, since they have no way of modifying the contents of a session, only the cookie that identifies which session they own, correct?

      Thx for the feedback guys.


      Steny
        Cookies are subject to man-in-the-middle attacks, particularly if you use them in non-encrypted communication. CGI::Session uses cookies to keep state between the server and client. The attack isn't easy to do, so it shouldn't be a concern for a low-value target. If you have a high-value target you should be using SSL and keeping the cookie lifetimes short.

        I'm actually not sure this is true. This is what I imagine could be done by an attacker that can read the wire between the server and client:

Re: Exec script within script or import sub...? help plz
by tachyon (Chancellor) on Jun 21, 2004 at 01:06 UTC
Re: Exec script within script or import sub...? help plz
by Zaxo (Archbishop) on Jun 21, 2004 at 04:07 UTC

    You can vary content using one script, call it index.pl, which is in your private /cgi directory. It can run as the index of both foo.com and foo.com/members by placing the line DirectoryIndex /cgi/index.pl in .htaccess of each directory. If your index.pl prints from a template, use a relative path naming index.tmpl and the script will pick up the template which is in the directory it is called from.

    When in the members area, (assuming you have used one of httpd's auth methods) you will have $ENV{'REMOTE_USER'} defined, which can be used for conditional execution or output.

    There is no reason you can't conditionally execute (system, open, etc.) or include (do, require) external programs, but it may not be as necessary as you think.

    After Compline,
    Zaxo
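
Added example, not part of any reply in this thread: one way to combine the two points made above, that the template only controls presentation and that the posted "whaticando" value must be re-checked on the server, with $ENV{'REMOTE_USER'} as the server-side source of privilege. The names %ACTIONS, level_for, menu_html and handle, the user name and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Action ids and labels follow the menu
# in the first reply; all sub and variable names here are hypothetical.
use strict;
use warnings;
use HTML::Template;

# One table drives both the menu and the server-side check.
my %ACTIONS = (
    1 => { label => 'Log off',        min => 0, run => sub { 'logged off' } },
    2 => { label => 'Whistle a tune', min => 0, run => sub { 'whistling' } },
    3 => { label => 'Blow my horn',   min => 1, run => sub { 'horn blown' } },
);

# Privilege comes from server-side state only: REMOTE_USER is set by httpd
# auth in the members area (a CGI::Session value would serve the same role).
sub level_for { my ($env) = @_; return defined $env->{REMOTE_USER} ? 1 : 0 }

# Presentation: list only the actions this level may use.
sub menu_html {
    my ($level) = @_;
    my $src = <<'TMPL';
<select name="whaticando">
<TMPL_LOOP NAME=items><option value="<TMPL_VAR NAME=value>"><TMPL_VAR ESCAPE=HTML NAME=label></option>
</TMPL_LOOP></select>
TMPL
    my $t = HTML::Template->new( scalarref => \$src );
    $t->param( items => [
        map  { +{ value => $_, label => $ACTIONS{$_}{label} } }
        grep { $ACTIONS{$_}{min} <= $level } sort keys %ACTIONS
    ] );
    return $t->output;
}

# Enforcement: re-check the posted value against the same table, so a value
# the menu never offered is refused whatever the client sent.
sub handle {
    my ( $env, $posted ) = @_;
    my $act = $ACTIONS{ $posted // '' } or return '400 unknown action';
    return '403 forbidden' if $act->{min} > level_for($env);
    return '200 ' . $act->{run}->();
}

# Constructed requests: (environment, posted "whaticando" value).
for my $req ( [ {}, 2 ], [ {}, 3 ], [ { REMOTE_USER => 'steny' }, 3 ], [ {}, 9 ] ) {
    my ( $env, $posted ) = @$req;
    printf "%-6s posted=%s -> %s\n", $env->{REMOTE_USER} // 'public', $posted, handle( $env, $posted );
}
print menu_html(0);
```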

Re: Exec script within script or import sub...? help plz
by hbo (Monk) on Jun 21, 2004 at 02:36 UTC
    do will "do" this.
    Two files, one named "priv" and one named "unpriv". Their contents:
    priv:
    sub priv { print "Privileged\n"; }

    unpriv:
    sub priv { print "Unprivileged\n"; }

    Now, in your main program, you can:
    #!/usr/bin/perl
    # "./" is needed on Perl 5.26 and later, where "." is no longer in @INC
    do "./unpriv";
    priv();
    do "./priv";
    priv();

    Which when run:
    > perl main
    Privileged
    Unprivileged
    >