in reply to File Upload - AND hidden values

Can you show the code you have so far?

If you are using CGI.pm then the hidden fields are available through calls to the param method, just as the file upload FH is. So before writing the contents of the upload, get the values from the param method.

Re: Re: File Upload - AND hidden values
by Anonymous Monk on Jul 05, 2001 at 12:42 UTC
    Hi, it's me again, the guy with the original problem. Right, here's the code I use so far for JUST uploading a file. It does not use CGI.pm. I wanted all the code on one page so I could see how it worked using my own variable names, etc. Here it is:
    #!/usr/bin/perl
    print "Content-type: text/html\n\n";

    #SET MAXIMUM FILE SIZE
    #################################################
    $maxfilesize = 30508; # 30.2kb

    #CHECK FILE SIZE
    #################################################
    $len = $ENV{'CONTENT_LENGTH'};
    if ($len > $maxfilesize) {
        print "file is bigger than 30.2kb, sorry\n";
        exit;
    }

    #SET PATH VARIABLES
    ################################################
    $| = 1;
    $upath = "/absolute/path/to/upload/dir/";
    $uindex = "/absolute/path/to/upload/dir/upload.index";
    $tempfile = $upath . $ENV{'REMOTE_ADDR'};

    #READ IN BUFFER AND WRITE TO TEMP FILE
    ################################################
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    open (x,">$tempfile");
    print x $buffer;
    close (x);

    #OPEN TEMP FILE AND PROCESS IT
    ################################################
    open (temp,$tempfile);

    #PULL OUT MIME/MULTIPART
    ################################################
    $_ = <temp>;
    ($vernum) = /(\d+)/;

    # Next line of the file contains the filename in the format:
    # filename="C:\windows\win.ini"
    # KEEP ONLY PART WITHIN QUOTES
    ################################################
    $_ = <temp>;
    $filetemp = $1 if (/filename=\"(.*)\"/);

    #REMOVE FULL PATH NAME
    ################################################
    @pathz = (split(/\\/,$filetemp));
    $filetempb = $pathz[$#pathz];
    @pathza = (split('/',$filetempb));
    $filename = $pathza[$#pathza];

    #IF FILENAME IS BLANK, SHOW ERROR MESSAGE
    ###############################################
    if ($filename eq "") {
        print "Oops, the you did not give a valid file name\n\n";
        close(temp);
        `rm $tempfile`;
    }

    #CREATE FILE IN UPLOAD DIR
    ###############################################
    open (outfile, ">$upath$filename");

    # Now we don't care about the Content-type of this, so we'll pass that up
    $junk = <temp>;
    $junk = <temp>;

    #READ/WRITE ALL APART FROM MIME/MULTIPART BIT
    ##############################################
    while (<temp>) {
        if (!(/-{28,29}$vernum/)) {
            print outfile $_;
        }
    }

    #ALL DONE, CLOSE AND PRINT SUCCESS MSG
    ##############################################
    close (temp);
    close (outfile);
    `rm $tempfile`;
    print "Your file <i>$filename</i> has been successfully<br> transferred to this site.<br>\n";
    exit;

    So there's the code, anyone know how I can pass through 3 VARIABLES too? I do need the variables for security but at this stage the user has already logged in. I just like to constantly pass through a username and password so that the .cgi script can't be accessed on its own without going through the login.

    I'm pretty new to all this so I really am sorry if I sound like a gimp. lol Really appreciate more help on this, thanks for all the replies everyone, I'll make sure I put you on the Thanks Page. :)

      You'd be wanting to use CGI.pm, no really, you would.

      You'd also want to be using warnings, strict and taint checking, particularly as you seem to trust the filename provided...

      Have you considered getting a user account at perlmonks? It'd tell you about responses to questions when you log in then...

      --
      RatArsed

      I've only used CGI.pm to parse query parms. But if you insist on doing it yourself, I think the hidden fields are going to be field=value pairs in STDIN that you apparently assume is just the uploaded file. Since you are writing everything to a temp file, take a look in there and see if you can find references to the hidden fields. HTH
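
The approach suggested in the replies above (CGI.pm's param method for the hidden fields, with strict, warnings and taint checking), written out as an added example that is not code from any poster in the thread. The field names user, token, section and file are assumptions; the upload path is the thread's placeholder and the size limit is the one from the posted script.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Same limit as the posted script; CGI.pm rejects larger requests itself.
$CGI::POST_MAX        = 30508;
$CGI::DISABLE_UPLOADS = 0;

my $upath = '/absolute/path/to/upload/dir';   # placeholder from the thread

my $q = CGI->new;
print $q->header('text/html');
fail($q->cgi_error) if $q->cgi_error;

# Hidden fields arrive as ordinary parameters of the multipart form.
# The names user, token and section are assumptions for this example.
my %hidden;
for my $name (qw(user token section)) {
    my $value = $q->param($name);
    fail("missing or malformed field $name")
        unless defined $value && $value =~ /\A([\w.-]{1,64})\z/;
    $hidden{$name} = $1;                      # untainted copy
}

# The upload field name "file" is also an assumption.
my $client_name = $q->param('file');
my $fh          = $q->upload('file');
fail('no file uploaded') unless defined $client_name && defined $fh;

# Drop any client-side path, then accept only a conservative name.
(my $base = "$client_name") =~ s{.*[/\\]}{}s;
fail('invalid file name')
    unless $base =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
my $filename = $1;

# O_EXCL refuses to overwrite an existing file in the upload directory.
sysopen(my $out, "$upath/$filename", O_WRONLY | O_CREAT | O_EXCL, 0640)
    or fail('cannot store file');
binmode $_ for $fh, $out;
while (read($fh, my $chunk, 8192)) { print {$out} $chunk }
close $out or fail('write failed');

print 'Stored ', CGI::escapeHTML($filename),
      ' for user ', CGI::escapeHTML($hidden{user}), "<br>\n";

sub fail {
    print 'Upload rejected: ', CGI::escapeHTML(shift), "<br>\n";
    exit;
}
```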