in reply to Default CGI.pm param() if none provided?

If I understand you correctly, you could apply the following quick fix for a default page:
    # The two argument form of param will set the value
    param('page','home') if ! defined param('page');
To ensure that you only have word characters in your param, use the beginning and end of string anchors in your regex:
param('page') =~ /^(\w+)$/
Hope that's what you were looking for!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: (Ovid) Re: Default CGI.pm param() if none provided?
by chromatic (Archbishop) on Dec 28, 2000 at 04:44 UTC
    For the second, I usually prefer this:
    my $page = $q->param('page');
    if (!(defined($page)) || ($page =~ /\W/)) {
        $page = 'home';
        $q->param('page', $page);
    }
    In CGI parameters, there's not a big speed benefit, but for longer strings it can bail out if it matches one non-word character instead of having to match the whole thing.

    Another approach is to use transliteration:

    if ($page =~ tr/A-Za-z0-9//dc) { $page = 'home'; }

    Update: I missed most of the boat here, 'cuz I skipped over the bit where ybiC said "untaint". Different story altogether. Sorry buddy!

      My original post may not have been clear.   Logic I'm shooting for goes something like this:
      1. untaint via word-characters only
      2. if /index.pl?page=illegal_character *or* if /index.pl?page=nonexistant_urlist
        • send to page=error
      3. if /index.pl?page=valid_urlist
        • send to page=requested
      4. if URL does *not* include /index.pl?page=something
        • send to page=home
      With answers from yourself, Ovid, davorg, and a, I expect I can come up with code that will work.   Thanks and ++ to all 8^)

      Update: Hours past my bedtime and I've got what appears to work.   Round o' ++, my treat!   8^D

      # (must precede untaint)
      # Set query param to site home if url is:
      #   /   /index.pl   /index.pl?   /index.pl?page
      param('page','home') if ! defined param('page');

      # Untaint query param
      if ($query = param('page') =~ /^(\w+)$/) {
          $urlist = $1;
      }
      else {
          $urlist = 'error';
      }

      # Build array of urlist files
      opendir DIR, "$confdir/";
      my @files = grep { $_ ne '.' && $_ ne '..' } readdir DIR;
      closedir DIR;
      unless (grep { $_ eq $urlist } @files) {
          $urlist = 'error';
      }

          cheers,
          Don
          striving for Perl Adept
          (it's pronounced "why-bick")
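
The four-step logic listed in the post above (default to home, untaint with word characters only, error on an illegal or unknown name), written as one function. This is an added example, not code from any poster in the thread; `resolve_page`, the temporary directory and the file names in it are assumptions made for the demonstration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: map the raw 'page' parameter to a safe page name.
# $raw is what param('page') returned (undef if absent);
# $confdir is the directory holding the urlist files.
sub resolve_page {
    my ($raw, $confdir) = @_;

    # Step 4: no page parameter at all -> home
    return 'home' unless defined $raw;

    # Step 1: untaint by capture. \A and \z reject a trailing newline
    # that ^...$ would accept; /a keeps \w to ASCII [A-Za-z0-9_].
    my ($name) = $raw =~ /\A(\w+)\z/a
        or return 'error';    # Step 2: illegal character (or empty value)

    # Steps 2 and 3: the name must be an existing plain file in $confdir.
    opendir(my $dh, $confdir) or die "Cannot open $confdir: $!";
    my %known = map { $_ => 1 } grep { -f "$confdir/$_" } readdir $dh;
    closedir $dh;

    # Return the captured (untainted) value, never the raw input.
    return $known{$name} ? $name : 'error';
}

# Constructed demo: a temporary directory standing in for $confdir.
my $confdir = tempdir(CLEANUP => 1);
for my $f (qw(home error links)) {
    open(my $fh, '>', "$confdir/$f") or die "Cannot create $f: $!";
    close $fh;
}

# Constructed inputs: absent, valid, unknown, and three with illegal characters.
for my $raw (undef, 'links', 'aaaa', ',aaa', 'a.b', "links\n") {
    my $shown = defined $raw ? $raw : '(none)';
    $shown =~ s/\n/\\n/g;
    printf "%-10s => %s\n", $shown, resolve_page($raw, $confdir);
}
```

Under `perl -T`, only the value captured by the regex is untainted, which is why the function returns `$name` rather than `$raw` or a name read back from the directory.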
Re: (Ovid) Re: Default CGI.pm param() if none provided?
by ybiC (Prior) on Dec 28, 2000 at 04:33 UTC
    Thanks Ovid.  
    That looks like it should do the trick:
    1 - send user to page=home if no param supplied with URL, yet provide error if illegal character or nonexistent urlist file.
    2 - reject index.pl?page=aaaa, as well as index.pl?page=,aaa

    I'll give it a shot.
        cheers,
        Don
        striving for Perl Adept
        (it's pronounced "why-bick")