Changing a variable to form submitted?

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I have a simple FTP upload script that I would like to make a small change to. The script, as it is designed, sets the value of the directory files will be uploaded to within the script. I'd like to change the value so it is defined within the form that is submitting the data. The current relevent code looks like this: Defining the directory location:

$basedir = "/home/sites/so/on/etc/";
[download]

And the code that does the uploads:

use CGI;
$onnum = 1;

while ($onnum != 11) {
my $req = new CGI;
my $file = $req->param("FILE$onnum");
if ($file ne "") {
my $fileName = $file;
$fileName =~ s!^.*(\\|\/)!!;
$newmain = $fileName;
if ($allowall ne "yes") {
if (lc(substr($newmain,length($newmain) - 4,4)) ne $theext){
$filenotgood = "yes";
}
}
if ($filenotgood ne "yes") {
open (OUTFILE, ">$basedir/$fileName");
print "$basedir/$fileName<br>";
while (my $bytesread = read($file, my $buffer, 1024)) {
print OUTFILE $buffer;
}
close (OUTFILE);
}
}
[download]

This works great. So, what I did was make the following change:

$basedir = $FORM{'path'};
[download]

And obviously created a path text field in the form. The script executes, and I do not get any errors in my log file, but the files are also not uploaded. I tried changing the method in the form from Post to Get and that also had no effect. What would I need to do to get this to work...if you need me to post the entire script I can do that as well.

Comment on Changing a variable to form submitted? Select or Download Code

Replies are listed 'Best First'.
Re: Changing a variable to form submitted? by $code or die (Deacon) on Jan 11, 2001 at 22:58 UTC
`$basedir = $req->param("path");` [download] Read CGI.pm documentation about how to read data from a form. WARNING: This is VERY dangerous! You should not have the option to enter a path in the form. If you do this, then you could end up losing data if someone types something bad in the form. This also provides no error checking. I recommend use the -T switch and taint check your data or have a drop down box with numbers 1-10 and then have the $basedir variable set to something specific based on the number.	[reply] [d/l]
Re: Changing a variable to form submitted? by chipmunk (Parson) on Jan 11, 2001 at 22:54 UTC
Do you ever define the %FORM hash? It looks like you're accessing the parameter values with CGI's param() method, so you probably want to set $basedir like this: `$basedir = $req->param('path');` BTW, indenting your code properly will make it much easier to read and maintain.	[reply] [d/l]
Re: Changing a variable to form submitted? by Chady (Priest) on Jan 12, 2001 at 00:43 UTC
All you need to do is use the CGI parameters like this: `$uploadPath = $req->param("path");` [download] although I do not recommend it.. just make your own world writable directory to which people can upload... or else they can upload malicious files to your root path... you know the rest... Chady \| http:/chady.net/	[reply] [d/l]