in reply to Stuck

Update: ctweten pointed out that your URL is definitely legal. Thanks!

To be honest, I'm not sure that your URL is legal. Try a URL like the following:

http://lezar.org/path/to/script/myscript?where=someval
/path/to/script/myscript should be the path and name of your script. where=someval is a name/value pair that gets passed to the query string.

Then, use CGI to get the name/value pairs. You also should use taint checking (that's the -T switch on the shebang line) and use strict to catch all sorts of problems. Here's an updated version of what you want to do:

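#!/usr/bin/perl -wT
use strict;
use CGI qw/:standard/;

my $taintedWhere = param( 'where' );
$taintedWhere = '' unless defined $taintedWhere;    # no parameter supplied

# The assignment must be in list context so that $where receives the
# captured text ($1) rather than the true/false result of the match.
my ($where) = ( $taintedWhere =~ /(\w+)/ );
$where = '' unless defined $where;                  # nothing matched

if ( $where eq 'Front' ) {
    print header;
    print <<"    Mn";
    Some HTML
    Mn
} elsif ( $where eq 'WebMail' ) {
    print header;
    print <<"    WbMl";
    Some more HTML
    WbMl
} else {
    # $where is not what we expect, so we have an error routine here;
}
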
See perlsec for information on the security issues and you can also check out my online CGI course for further information. It's not complete, but it should give you a good start.

For easier debugging, try adding the following line to your script:

use CGI::Carp qw( fatalsToBrowser );
That will usually print useful debugging information to the browser. Just make sure that you remove this when you put the script on a production server! There's no sense providing crackers with additional information about how your script works.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.
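
An added example, not part of the post above or of any reply: it runs constructed inputs through three ways of untainting the where parameter, so the difference between scalar context, an unanchored capture, and an anchored capture checked against an allowlist is visible. The helper name untaint_where, the %PAGE hash, and the sample inputs are assumptions made for illustration; run it with perl -T.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw( tainted );

# Allowlist keyed by the two page names used in the post above.
my %PAGE = ( Front => 'Some HTML', WebMail => 'Some more HTML' );

# Hypothetical helper: returns an untainted, allowlisted key, or undef.
sub untaint_where {
    my ($raw) = @_;
    return undef unless defined $raw;
    # List assignment puts $1 in $clean; \A...\z rejects anything that is
    # not entirely word characters instead of extracting a leading fragment.
    my ($clean) = $raw =~ /\A(\w+)\z/;
    return undef unless defined $clean && exists $PAGE{$clean};
    return $clean;
}

# Constructed inputs. Appending a zero-length piece of $^X (tainted under -T)
# marks each one tainted, the way param() values are in a real CGI request.
my $taint = substr( $^X, 0, 0 );
for my $input ( 'Front', 'WebMail', 'Admin', 'Front;extra', '' ) {
    my $raw = $input . $taint;

    my $scalar  = ( $raw =~ /(\w+)/ );    # scalar context: true/false, not text
    my ($loose) = $raw =~ /(\w+)/;        # list context, unanchored capture
    my $where   = untaint_where($raw);    # list context, anchored, allowlisted

    printf "%-14s tainted=%d scalar=%-4s loose=%-10s where=%s\n",
        "'$input'",
        tainted($raw) ? 1 : 0,
        $scalar        ? "'$scalar'" : "''",
        defined $loose ? "'$loose'"  : 'undef',
        defined $where
            ? "'$where' (tainted=" . ( tainted($where) ? 1 : 0 ) . ')'
            : 'undef';
}
```

The scalar column only ever holds the match result, the loose column accepts the leading word of any input, and only the where column is limited to the two expected page names.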

Re: (Ovid) Re: Stuck
by Fastolfe (Vicar) on Dec 16, 2000 at 06:02 UTC
    Just out of curiosity, why are you worried about un-tainting $where if you're just using it for comparisons and no system operations? Or is this just a safety net in the event the original poster does wish to use $where in a risky way?
      That's a good question and it's just indicative of paranoia on my part. I tend to untaint data regardless of how it's going to be used at the present time. I don't know who will be maintaining my work in the future and what they're going to be doing with it, so rather than take any chances, I'd like to cover that up front. It's the same reason I turned on taint checking when it's not needed -- I never know who will use this script in the future.

      Good question, though. It's a matter of style. I just prefer to be ultra paranoid -- after all, they're watching me ;)

      Cheers,
      Ovid

      Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: (Ovid) Re: Stuck
by cwest (Friar) on Dec 16, 2000 at 01:49 UTC
    FYI, that URL is most definitely legal. OTOH, I like your code much better.
    --
    Casey
       I am a superhero.