Category: CGIs
Author/Contact Info Florian "octopus" Forster <octopus@13hackerz.de>
Description: I do a lot of CGI programming and therefore I really love using tools like ePerl or emb_perl. But there is one feature in PHP that I always missed in perl/cgi.pm: That all parameters automatically get assigned to the according variables. (E.g. the variable $name should hold the parameter "name".)
It might be that cgi.pm provides such a function, but I was too lazy to RTFM so I hacked that module. All it does is reading the parameters into the caller's namespace.
package import_params;

use CGI ':standard';
use strict;

my @all_params = param ();
my $caller_package = caller;

foreach my $prm (@all_params)
{
        no strict 'refs';

        my (@tmp);
        @tmp = param ($prm);

        if (scalar @tmp == 1)
        {
                ${"${caller_package}::${prm}"} = $tmp[0];
        }
        elsif (scalar @tmp > 1)
        {
                @{"${caller_package}::${prm}"} = @tmp;
        }
# You might want to remove the "elsif" part and
# run the code every time. Then you have _all_
# parameters in that array.
}

1;
Replies are listed 'Best First'.
Re: Automatic Parameters for CGIs
by chromatic (Archbishop) on Jan 18, 2001 at 11:10 UTC
    CGI provides the import_names() method, which does nearly the same thing. It takes one argument, the name of the namespace into which to import the variables.

    It also warns that this is a major security risk. If I happen to guess the name of one of your 'normal' variables and pass my own wicked bad parameters to your script, if you import into the main namespace, I can clobber any normal variable I can guess.

    You cannot trust any of your normal variables after that happens. This is not something I recommend (and I seem to recall it's been responsible for a couple of security advisories for PHP, though I don't have a link offhand).

    Use at your own risk.

    Update: chipmunk says I should make it more clear that the security risk is importing variables into a package you're using. That's usually the main package, but any other package that doesn't expect it can be a victim.

      Wouldn't some of the lists (like a set of checkboxes with the same name) that take a variable number of arguments wind up sometimes being an array and other times being a scalar? That would suck.

      --
      $you = new YOU;
      honk() if $you->love(perl)

        Actually, CGI's import_names() method imports every parameter as a scalar and as an array. The scalar will hold the first value for the parameter; the array will hold all the values, of course.

        The array can be safely used in all cases, but the scalar is available for when you know that a parameter should only have a single value.

        % perl -MCGI -de '$q = new CGI "single=1&multi=1&multi=2";' -e '1;'
        Loading DB routines from perl5db.pl version 1.0402
        Emacs support available.
        Enter h or `h h' for help.
        main::(-e:1):   $q = new CGI "single=1&multi=1&multi=2";
          DB<1> n
        main::(-e:2):   1;
          DB<1> $q->import_names('Q')
          DB<2> V Q
        $single = 1
        @single = (
           0  1
        )
        $multi = 1
        @multi = (
           0  1
           1  2
        )
          DB<3>
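
The clobbering risk chromatic describes and the dedicated-namespace import from the debugger session, set beside explicit param() lookups, as an added example that is not code from this thread. The $is_admin flag, the query string and the import_into helper are constructed for illustration; it assumes a CGI.pm that provides multi_param.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes CGI.pm with multi_param.
use strict;
use warnings;
use CGI;

our $is_admin = 0;    # hypothetical internal flag the script trusts

# Constructed request: the second parameter is named after the internal flag.
my $q = CGI->new('name=alice&is_admin=1');

# The pattern from the module above (hypothetical helper name): every
# parameter is written into the given package by name.
sub import_into {
    my ($cgi, $pkg) = @_;
    no strict 'refs';
    for my $p ($cgi->param) {
        my @v = $cgi->multi_param($p);
        ${"${pkg}::${p}"} = $v[0];
        @{"${pkg}::${p}"} = @v;
    }
}

# 1. Import into the package the script itself uses: the request parameter
#    is written over $main::is_admin. 'local' restores the flag afterwards.
{
    local $is_admin = 0;
    import_into($q, 'main');
    print "imported into main: is_admin = $is_admin\n";
}

# 2. Import into a dedicated namespace: the values are still untrusted
#    input, but they cannot collide with the script's own variables.
$q->import_names('Q');
{
    no warnings 'once';
    print "imported into Q:    is_admin = $is_admin, Q::is_admin = $Q::is_admin\n";
}

# 3. Explicit lookups: read only the parameters the script expects, in
#    scalar context, into lexicals, and validate each before use.
my $name = $q->param('name') // '';
die "unexpected value for name\n" unless $name =~ /\A[A-Za-z0-9_]{1,32}\z/;
print "explicit lookup:    name = $name, is_admin = $is_admin\n";
```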