Default CGI.pm param() if none provided?

ybiC has asked for the wisdom of the Perl Monks concerning the following question:

The following code is part of a CGI.pm and HTML::Template script I'm working on. It receives and untaints browser-supplied CGI param, then compares with directory listing of URLlist files, and serves content accordingly. Amazingly enough, it actually works. {grin}

Two questions:
1 - How to add site home (index.pl?page=home) as the default if *no* param given, but still fail if *bad* param given?
2 - Untainting regexp that will reject if non-word character anywhere in provided param, not just if non-word char is first character.

All suggestions welcome and appreciated.
    cheers,
    Don
    striving for Perl Adept
    (it's pronounced "why-bick")

# Read in URL file query and untaint
# one or more word characters
if ($query = param('page') =~ /(\w+)/) {
    $urlist = $1;
    }
else {die "Please request pages by alphanumeric name only.
    You might find what you're looking for by starting at site
    home of http://host.dom/index.pl?page=home\n";
    }


# Build array of urlist files
# Confirm that supplied param is valid file
opendir DIR, "$confdir/";
my @files = grep {
    $_ ne '.' &&
    $_ ne '..' &&
    }
readdir DIR;
closedir DIR;
unless (grep{$_ eq $urlist} @files) {
    die "You requested a page that does not exist.
    You might find what you're looking for by starting at site
    home of http://host.dom/index.pl?page=home\n";
    }


# read lists of page URLs from external file
# loop through lists, parsing for HTML::Template use
unless (my $return = do "$confdir/$urlist") {
    die "Cannot parse $urlist: $@" if $@;
    die "Cannot do $urlist: $!"    unless defined $return;
    die "Cannot run $urlist"       unless $return;
    }
for (my $i = 0; $i < $#url_array; $i+=2) {
    my($loop, $aref) = @url_array[$i, $i+1];
    my @vars;
    for (my $j = 0; $j < $#{$aref}; $j+=2) {
        my($name, $url) = @{$aref}[$j, $j+1];
        push @vars, { name => $name, url => $url };
        }
    $template->param($loop, [ @vars ]);
    }
[download]

Comment on Default CGI.pm param() if none provided? Download Code

Replies are listed 'Best First'.
(Ovid) Re: Default CGI.pm param() if none provided? by Ovid (Cardinal) on Dec 28, 2000 at 04:22 UTC
If I understand you correctly, you could apply the following quick fix for a default page: `# The two argument form of param will set the value param('page','home') if ! defined param('page');` [download] To ensure that you only have word characters in your param, use the beginning and end of string anchors in your regex: `param('page') =~ /^(\w+)$/` [download] Hope that's what you were looking for! Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply] [d/l] [select]
Re: (Ovid) Re: Default CGI.pm param() if none provided? by chromatic (Archbishop) on Dec 28, 2000 at 04:44 UTC
For the second, I usually prefer this: `my $page = $q->param('page'); if (!(defined($page)) \|\| ($page =~ /\W/)) { $page = 'home'; $q->param('page', $page); }` [download] In CGI parameters, there's not a big speed benefit, but for longer strings it can bail out if it matches one non-word character instead of having to match the whole thing. Another approach is to use transliteration: `if ($page =~ tr/A-Za-z0-9//dc) { $page = 'home'; }` [download] Update: I missed most of the boat here, 'cuz I skipped over the bit where ybiC said "untaint". Different story altogether. Sorry buddy!	[reply] [d/l] [select]
Re: (3) Default CGI.pm param() if none provided? (clarification, success, thanks 8^) by ybiC (Prior) on Dec 28, 2000 at 07:56 UTC
My original post may not have been clear. Logic I'm shooting for goes something like this: untaint via word-characters only if /index.pl?page=illegal_character or if /index.pl?page=nonexistant_urlist send to page=error if /index.pl?page=valid_urlist send to page=requested if URL does not include /index.pl?page=something send to page=home With answers from yourself, Ovid, davorg, and a, I expect I can come up with code that will work. Thanks and ++ to all 8^) Update: Hours past my bedtime and I've got what appears to work. Round o' ++, my treat! 8^D `# (must precede untaint) # Set query param to site home if url is: # / /index.pl /index.pl? /index.pl?page param('page','home') if ! defined param('page'); # Untaint query param if ($query = param('page') =~ /^(\w+)$/) { $urlist = $1; } else { $urlist = 'error'; } # Build array of urlist files opendir DIR, "$confdir/"; my @files = grep { $_ ne '.' && $_ ne '..' && } readdir DIR; closedir DIR; unless (grep{$_ eq $urlist} @files) { $urlist = 'error'; }` [download] cheers, Don striving for Perl Adept (it's pronounced "why-bick")	[reply] [d/l]
Re: (Ovid) Re: Default CGI.pm param() if none provided? by ybiC (Prior) on Dec 28, 2000 at 04:33 UTC
Thanks Ovid. That looks like it should do the trick: 1 - send user to `page=home` if no param supplied with URL, yet provide error if illegal character or nonexistant urlist file. 2 - reject `index.pl?page=aaaa,` as well as `index.pl?page=,aaa` I'll give it a shot. cheers, Don striving for Perl Adept (it's pronounced "why-bick")	[reply]
Re: Default CGI.pm param() if none provided? by davorg (Chancellor) on Dec 28, 2000 at 04:20 UTC
Two answers: 1/ My CGI programs are full of code like: `my $thing = param('thing') \|\| 'default_thing';` [download] 2/ It looks to me that your regex already does what you want. It will return the first string of \w characters that it finds. -- <http://www.dave.org.uk> "Perl makes the fun jobs fun and the boring jobs bearable" - me	[reply] [d/l]
Re: Default CGI.pm param() if none provided? by a (Friar) on Dec 28, 2000 at 10:00 UTC
Might: `opendir DIR, "$confdir/"; my @files = grep { $_ ne '.' && $_ ne '..' && } readdir DIR; closedir DIR; unless (grep{$_ eq $urlist} @files) { die "You requested a page that does not exist. You might find what you're looking for by starting at site home of http://host.dom/index.pl?page=home\n"; }` [download] be 'quicker' as: unless ( -s "$confdir/$urlist" ) I guess, maybe you're getting an actual 'list' in $urlist, though w/ the \w, not sure how. a	[reply] [d/l]