Midnite has asked for the wisdom of the Perl Monks concerning the following question:

Hi, I have a script that creates a web page, and I put a send button on it. When the user clicks, it opens another script giving a confirmation message that the message was sent, and I want it to write data that was hopefully sent.

So this is a 2 part question.

First, do I need to prepare my data in any way to get it to send correctly?
Second, how do I retrieve it correctly? I am using the $ENV to do it, but it doesn't work.

Here is the form I create:

    <TITLE>B.O.B. Question Submission</TITLE>
    <BODY BGCOLOR=\"#FFFFFF\"><font face=\"Arial\" size=\"3\">
    <center><b><h2><font face=\"Comic Sans MS\">Check over data and if incorrect or in need of changes
    <br>Click on the BACK button
    <br>If correct, click on Send on the bottom of the page</font></H2></b></center>
    <hr>
    <form action="bob_submitq.pl" method="POST">
    Date: <b><i>$date</i></b>
    <br><hr>
    <p>This Question will possibly be for:
    <p><b><i>$round_data</i></b>
    <hr>
    <font face=arial size=8pt>
    <TABLE border=0 cellpadding=0>
    <tr>
    <td align=right size=8pt>Submitting Library:</td>
    <td align=left size=8pt> <b><i>$library</i></b></td>
    </tr>
    <tr>
    <td align=right>Submitting Initials:</td>
    <td align=left> <b><i>$initials</i></b></td>
    </TR>
    <tr>
    <td align=right>Category:</td>
    <td align=left> <b><i>$category</i></b></td>
    </TR>
    <tr>
    <td align=right>Type:</td>
    <td align=left> <b><i>$type</i></b></td>
    </tr>
    </TABLE>
    </font>
    <h3>$category Book and Author Info</h3>
    <p>$space20<b><i>$book_author</i></b>
    <h3>Question and Answers</h3>
    <p>$space20 Question: <b><i>$question</i></b>
    <p>$space20 $space20 Answer: $round_answer
    <p>$space20 Page Number: <b><i>$pagenum</i></b>
    <p>$space20 Changes: <b><i>$changes</i></b>
    <p>File Name: <b><i>$datefile</i></b>
    <p>Data Line: <b><i>$datajoin</i></b>
    <p>E-mail list: <b><i>$email_list</i></b>
    <p>$errorcat_desc<hr>
    <center><input type=submit value=Send name=S1> </center></form>
    </font></body></html>

The File Name and Data Line data is what I want, but I want to make them hidden; it is shown for testing purposes. Here is my second script:

    #!/usr/bin/perl -wT
    # Created - by Joseph Ruffino 08/13/04
    use CGI::Carp qw(fatalsToBrowser); # Errors are displayed in the web browser
    use CGI qw(:standard :html3);      # For HTML output
    ###############################################################################
    # Load in variables from form
    #
    my $datefile = $ENV{'datefile'};
    my $datajoin = $ENV{'datajoin'};
    #open (BOBIN, ">>$datefile") || die "Cannot Open File $datefile for writing: $!";
    #print BOBIN $datajoin;
    my $query = new CGI;
    print $query->header( "text/html" );
    print <<END_WEB;
    <head><TITLE>Question Confirmation</TITLE></head>
    <BODY BGCOLOR=\"#FFFFFF\">
    <center>
    <p>Data File: $datefile
    <p>Data Line: $datajoin
    <b><font face=\"Comic Sans MS\" size=\"5\">
    <p>Your
    <p>Question and Answer
    <p>has been submitted to Youth
    <form action=http://www.gailborden.info/services/bob/rules.html>
    <p>Click to <input type=submit value=Go name=go> back to Question Submission Form
    </center></form>
    </center></font></body></html>
    END_WEB
    close(BOBIN);

Any help would be greatly appreciated. Midnite

Joseph A. Ruffino
Automated Systems Assistant
Gail Borden Public Library District
270 N. Grove Ave
Elgin, Il, 60120
847-742-2411 x5986

janitored by ybiC: Balanced <readmore> tags around longish codeblock, to reduce scrolling in SoPW

Replies are listed 'Best First'.
Re: Sending Data
by Joost (Canon) on Aug 12, 2004 at 17:26 UTC
      Actually, I thought I had a good grasp of CGI. I admit I'm not as good as some people with putting a webpage in my Perl script; reading Ovid the other day did help me a bit. Also, I have programmed in a lot of languages, and Perl is one I always seem to have trouble with. I guess 3 years of doing this was wasted? Plus, I obviously didn't explain myself.

      The example I gave for the form, wrong word, webpage, is made from another form; all the data is already sent to it. I use a webpage form to get the data, a Perl script to process the data, and another script to write it. I would love to eliminate the 2nd script, but for some reason, all of these tutorials I have read give me no help whatsoever.

      All I want to do is to put a send button on the bottom of the webpage, have the user click it, and to write the data and give a confirmation webpage.

      I have everything working good, except for the writing. When I use param, the button click wants to repost the data, and it was only sent there from another form. Does any one know a way I cannot lose any data.

      Is there any way to get an ok, send, I decided to rename it button to work, so I can just check for a yes. I know it is not the way I should do, but there is NO help I can find in these tutorials. I really don't want to post; I just want to know if the user is ok with the data.

      I will be happy to send complete html and perl scripts to anyone who wants it.

      Joseph A. Ruffino
      Automated Systems Assistant
      Gail Borden Public Library District
      270 N. Grove Ave
      Elgin, Il, 60120
      847-742-2411 x5986
        "I have everything working good, except for the writing. When I use param, the button click wants to repost the data, and it was only sent there from another form. Does any one know a way I cannot lose any data."

        If you use hidden fields you can keep the data on a repost. Just read from the hidden fields.

        Another option, which is probably overkill, is CGI::Session. You could keep the information as a session variable and pull it out as needed later on.

        Hope it helps.

Re: Sending Data
by bgreenlee (Friar) on Aug 12, 2004 at 17:51 UTC

    I think what Joost is saying is that your example has so many things wrong with it that it's probably better for you to read a CGI tutorial than for someone here to try to explain/correct it. I did a little search and this looks like a good start:

    A Tour of HTML Forms and CGI Scripts

    Also, the CGI.pm documentation:

    http://stein.cshl.org/WWW/software/CGI/

    Briefly, though, your two main problems are:
    - no actual form input elements in your HTML page (only data in an <input> element will actually get passed to your CGI)
    - once you get that sorted out, you can read the values of those fields in your script like so:

        use CGI;
        my $query    = CGI->new;
        my $datefile = $query->param('datefile');
        my $datajoin = $query->param('datajoin');

    -b

      I would add a third - you are not correctly untainting user input. Specifically:
      open (BOBIN, ">>$datefile") ...
      is not a good idea when 'datefile' is extracted from a form field, since this gives users the ability to write to any file on your file system via the classic backwards directory traversal trick (e.g. what if the input was "..\..\etc\passwd" ?). Whether or not the field is "hidden" is irrelevant.

      Equally, echoing user input on your confirmation page verbatim leaves you open to Cross Site Scripting attacks (e.g. what if the input contained <script> ... </script> tags?).

      A recent cautionary tale along these lines can be found here.
        Actually, '$datefile' is a filename I make up from the current date. If today is 08/13/04, I name the file 20040813.txt, it has nothing to do with user input, other than it is the date that is submitted.

        Joseph A. Ruffino
        Automated Systems Assistant
        Gail Borden Public Library District
        270 N. Grove Ave
        Elgin, Il, 60120
        847-742-2411 x5986
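
The points made in the replies above (read form fields with param() rather than %ENV, never use a submitted file name unchecked, escape anything echoed back) combined in one handler, as an added example that is not code from any poster in this thread. The names safe_datefile() and confirm_page(), the temporary data directory and the sample requests are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. safe_datefile(), confirm_page() and
# the temporary directory are hypothetical; the sample requests are constructed.
use strict;
use warnings;
use CGI;
use File::Temp qw(tempdir);

my $DATA_DIR = tempdir(CLEANUP => 1);    # stand-in for the real data directory

# Allow only names shaped like 20040813.txt. The capture group is also what
# untaints the value when the script runs under -T.
sub safe_datefile {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A(\d{8}\.txt)\z/;
    return "$DATA_DIR/$1";
}

# Read fields with param(), validate before writing, escape before echoing.
sub confirm_page {
    my ($q) = @_;
    my $path = safe_datefile(scalar $q->param('datefile'));
    my $line = $q->param('datajoin');

    # A data line must be one line; embedded CR/LF would forge extra records.
    return '<p>Rejected: bad file name or data line</p>'
        unless $path && defined $line && $line !~ /[\r\n]/;

    open(my $out, '>>', $path) or die "Cannot open $path for appending: $!";
    print {$out} "$line\n";
    close($out) or die "Cannot close $path: $!";

    return '<p>Data Line: ' . $q->escapeHTML($line) . '</p>';
}

# Constructed requests: well-formed, a traversal attempt, and embedded markup.
my @requests = (
    { datefile => '20040813.txt',     datajoin => 'GBPL|JAR|Fiction' },
    { datefile => '../../etc/passwd', datajoin => 'GBPL|JAR|Fiction' },
    { datefile => '20040813.txt',     datajoin => '<script>x</script>' },
);
for my $fields (@requests) {
    print confirm_page(CGI->new($fields)), "\n";
}
```

If the file name is always built from the current date, as the poster says, the handler can skip the form field and compute the name on the server, which removes the input from the attacker's reach altogether.
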
Re: Sending Data
by freddo411 (Chaplain) on Aug 12, 2004 at 18:08 UTC
    Hi, and welcome to the world of perl coding and CGI scripting.

    We all started as n00bies at one point or another. You'll be well served by reading up on basic perl, basic CGI background info, basic posting etiquette, and perlmonk specific posting tools (like readmore tags).

    Definitely work through these exercises. It will help a lot.

    Cheers

    -------------------------------------
    Nothing is too wonderful to be true
    -- Michael Faraday