in reply to HTML::TEMPLATE question

Well, here i am. :D

Let it be said that i am a file upload newbie. I have written a few, but i tend to find other means for file uploading. That being said, take my advice with a grain of salt (or a whole saltlick).

I really think the problem lies within the file upload form element itself. Consider this code:

    use strict;
    use CGI;
    use HTML::Template;

    my $cgi = CGI->new();

    # Slurp the template text from the __DATA__ section below
    my $data = do {local $/; <DATA>};

    my $template = HTML::Template->new(
        scalarref => \$data,
    );

    # Literal values, assigned without the associate option
    $template->param(
        text1 => 'Text1',
        file1 => 'File1',
    );

    print $cgi->header(), $template->output();

    __DATA__
    <html>
    <head>
    <title>uploader</title>
    </head>
    <body>
    <form action="upload.cgi" method="POST" enctype="multipart/form-data">
    <input type="text" name="Text1" value="<TMPL_VAR NAME=TEXT1>" size="20">
    <p>
    <input type="file" name="File1" value="<TMPL_VAR NAME=FILE1>" size="20">
    <p>
    <input type="file" name="File2" value="blah blah blah" size="20">
    <p>
    <input type="submit" name="Go">
    </form>
    </body>
    </html>

Here i am not using HTML::Template's associate option, instead i am assigning literal values inside param(). I set the first file upload field's value and the text field's value, but the second upload field's value is 'hard-coded' in the HTML itself. When you run this, the text field will indeed start with a pre-defined value, but the upload fields will not. (update - aha it is a security issue, thanks for your insight, theorbtwo).

Alas, i can't find a way to solve your problem. I can suggest breaking the form up - never easy on the coder, but it might be better for the end user if it is large enough. Good luck (very good question!), and feel free to ask more questions (and solve the ones you know the answer to).

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
F--F--F--F--F--F--F--F--
(the triplet paradiddle)

Re: (jeffa) Re: HTML::TEMPLATE question
by theorbtwo (Prior) on Jan 15, 2002 at 21:13 UTC

    The upload fields will never start with a predefined value; it's considered a security risk. What if you arranged your form such that an unsuspecting user wouldn't notice the upload form element, and defaulted it to (say), c:\windows\default.pwl? I could have sworn this was part of the official spec, but I can't find it there. The official spec recommends validating the default choices if specified, but in practice, browsers just ignore the defaults. See http://www.w3.org/TR/html401/appendix/notes.html#forms-security.

    Thanks,
    James Mastros,
    Just Another Perl Scribe

      Thanks for the help! I see what you mean by the security risk.

      Take care!

      -= DaveyBoy =-
Re: (jeffa) Re: HTML::TEMPLATE question
by daveyboy (Initiate) on Jan 16, 2002 at 01:57 UTC
    Thanks for your help, jeffa !!


    -= DaveyBoy =-
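
An added example, not code from any poster in this thread: a small Perl check that scans template text for file upload inputs carrying a value attribute, which browsers ignore as described above. The sample template is constructed from the form in jeffa's post with a hypothetical File3 field added; parse_attrs and find_file_defaults are hypothetical helper names.

```perl
use strict;
use warnings;
use 5.010;

# Constructed sample template, modelled on the form in the post above.
my $template = <<'HTML';
<form action="upload.cgi" method="POST" enctype="multipart/form-data">
<input type="text" name="Text1" value="<TMPL_VAR NAME=TEXT1>" size="20">
<input type="file" name="File1" value="<TMPL_VAR NAME=FILE1>" size="20">
<input type="file" name="File2" value="blah blah blah" size="20">
<input type=file name=File3>
</form>
HTML

# Match one <input ...> tag. Quoted attribute values are consumed as units so
# that the '>' inside an embedded <TMPL_VAR ...> does not end the tag early.
my $INPUT_TAG = qr{<input\b((?:"[^"]*"|'[^']*'|[^>"'])*)>}i;

# Split a tag's attribute text into a hash of lower-cased name => value.
sub parse_attrs {
    my ($text) = @_;
    my %attr;
    while ($text =~ m{([\w:-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?}g) {
        my ($value) = grep { defined } $2, $3, $4;
        $attr{lc $1} = $value;
    }
    return \%attr;
}

# Return one finding per file upload input that carries a value attribute.
sub find_file_defaults {
    my ($html) = @_;
    my @findings;
    while ($html =~ /$INPUT_TAG/g) {
        my $attr = parse_attrs($1);
        next unless lc($attr->{type} // 'text') eq 'file';
        next unless defined $attr->{value};
        push @findings, {
            name     => $attr->{name} // '(unnamed)',
            value    => $attr->{value},
            from_var => ($attr->{value} =~ /<TMPL_VAR\b/i ? 1 : 0),
        };
    }
    return @findings;
}
for my $f (find_file_defaults($template)) {
    printf "%s: value=\"%s\" is ignored by browsers%s\n", $f->{name},
        $f->{value}, $f->{from_var} ? ' (filled from a template parameter)' : '';
}
```

Text1 and File3 are not reported: the first is not a file input and the second has no value attribute.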