in reply to Hacker Proofing My First Script

Hi awohld;
# Your code
use CGI;
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
}
You're importing "use CGI" but making very little use of it. There's no need for the code above. It can become messy. To get to the individual values from the submission, you can do this:

my $comments = $q->param('comments');
Someone here (I can't remember who) showed me a way to store the submitted values to a hash:
my %params = map { $_ => $q->param($_) } $q->param; # comments stored in $params{'comments'}
Thanks to davido!

Re^2: Hacker Proofing My First Script
by davido (Cardinal) on Sep 30, 2004 at 07:14 UTC

    You are absolutely correct that if the OP is planning on parsing CGI form input, a much safer and more reliable way to do so (instead of inventing one's own possibly flawed solution) is to use the CGI module. ...however...

    Someone here (I can't remember who) showed me a way to store the submitted values to a hash:

    my %params = map { $_ => $q->param($_) } $q->param;

    Someone's going to be glad you couldn't remember who (s)he was. The POD for CGI is mandatory reading material if you plan to use the CGI module:

    FETCHING THE PARAMETER LIST AS A HASH:

    $params = $q->Vars;
    print $params->{'address'};
    @foo = split("\0",$params->{'foo'});
    %params = $q->Vars;

    use CGI ':cgi-lib';
    $params = Vars;

    Many people want to fetch the entire parameter list as a hash in which the keys are the names of the CGI parameters, and the values are the parameters' values. The Vars() method does this. Called in a scalar context, it returns the parameter list as a tied hash reference. Changing a key changes the value of the parameter in the underlying CGI parameter list. Called in a list context, it returns the parameter list as an ordinary hash. This allows you to read the contents of the parameter list, but not to change it.

    The snippet in the POD shows four or five methods. I prefer the $href = $params->Vars(); most of the time, since it doesn't pass around a copy.


    Dave
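
Added example, not code from either post: a runnable comparison of the map form and Vars when one field is submitted twice, showing how the map form lets a submitted value end up as a hash key. It assumes CGI.pm is installed; the query string is constructed and the variable names are illustrative.

```perl
#!/usr/bin/perl
# Added example; assumes CGI.pm is installed (it left the Perl core in 5.22).
use strict;
use warnings;
use CGI;
use Data::Dumper;
$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Useqq    = 1;    # make the "\0" separator visible in the dump

# Constructed input: 'foo' is submitted twice, 'address' once.
my $q = CGI->new('foo=a&foo=b&address=10+Main+St');

# The map form from the first reply. param($name) is evaluated in list
# context here, so a repeated field contributes several elements and shifts
# every key/value pair that follows it.
my %mapped;
{
    no warnings;                          # the list may have an odd length
    local $CGI::LIST_CONTEXT_WARN = 0;    # newer CGI.pm warns about this call
    %mapped = map { $_ => $q->param($_) } $q->param;
}

# Vars in list context: one entry per field name, with repeated values
# joined by "\0", as the POD excerpt quoted in the reply describes.
my %vars = $q->Vars;

# Keys that were never submitted as field names reveal the misalignment.
my %submitted = map { $_ => 1 } $q->param;
my @bogus     = grep { !$submitted{$_} } sort keys %mapped;

print "map form:  ", Dumper(\%mapped);
print "Vars form: ", Dumper(\%vars);
print "keys in the map form that are not field names: ",
    join(', ', map { "'$_'" } @bogus), "\n";
print "foo values recovered from Vars: ",
    join(', ', split /\0/, $vars{foo}), "\n";
```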