CGI + safeguards

by Anonymous Monk
on Feb 20, 2003 at 12:49 UTC (#237061=perlquestion)
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks, I am busying myself with CGI fun and thought it sensible to add in a few safeguards so that if nothing is entered into the form, the user gets a polite message, not an internal server error. Anyway, I thought this simple regexp would work (below). Can anyone suggest why it might be going wrong? Many thanks.
    # snippet from script 1
    print qq(<FORM METHOD="post" ACTION="http://localhost/~sm125/cgi-bin/frontpage.cgi">
    <h3>Enter: </h3><INPUT TYPE="TEXT" NAME="box" SIZE="10">
    <h3>Enter: </h3><INPUT TYPE="text" NAME="value" SIZE="10">
    <INPUT TYPE="SUBMIT" value="go"></FORM>);
second script
    # snippet from frontpage.cgi
    #!/biol/programs/perl/bin/perl -w
    use strict;
    use CGI qw(:standard);
    my $cgi;
    $cgi = new CGI;
    use CGI::Carp qw(fatalsToBrowser);
    my $box   = $cgi->param('box');
    my $value = $cgi->param('value');
    # bail out with a polite message if the fields look empty
    if (($box !~ /\w+/) && ($value !~ /\w+/)) {
        print "You haven't entered anything on the form";
        print STDOUT $cgi->end_html;
        exit (0);
    }

Re: (nrd) CGI + safeguards
by newrisedesigns (Curate) on Feb 20, 2003 at 13:02 UTC

    It doesn't look like you are printing out headers. Are you?

    John J Reiser
    newrisedesigns.com

Re: CGI + safeguards
by valdez (Monsignor) on Feb 20, 2003 at 13:02 UTC

    You are testing values of both parameters; just change && to or.

    Ciao, Valerio

Re: CGI + safeguards
by Tomte (Priest) on Feb 20, 2003 at 13:04 UTC

    Talking about safe-guards: you might want to check the -t and -T switches.

    To the regexp:

    • The check-logic is wrong, you want to bail out safely if either of the values is undefined, not both
    • One \w character in the input is enough ATM to match, but you want to check that the whole value matches only \w-characters
    • that leads to something like
      if ($box !~ /^[my allowed characters in a handy class]+$/ || $value !~ /^[my allowed characters in a handy class]+$/) { ... }

    hth,
    regards,
    tomte


Re: CGI + safeguards
by Joost (Canon) on Feb 20, 2003 at 13:13 UTC
    Can anyone suggest why it might be going wrong.

        if (($box !~ /\w+/) && ($value !~ /\w+/)) {
            print "You haven't entered anything on the form";
            print STDOUT $cgi->end_html;
            exit (0);
        }

    Some things seem strange to me:
    • Your code will complain when someone doesn't enter a 'word' character (that is, [a-zA-Z0-9_] or something similar, depending on locale).

      For instance, when someone enters a "#" character, your code will complain.

      Probably you'll want to change either the message, or the regex, depending on what kind of values are allowed.

    • Your regex will give undefined values warnings when there is no data submitted to the form.

    • print STDOUT $something is equivalent to print $something here.

    • You do not print a HTTP-header, or start the HTML document in the error message: use print $cgi->header, $cgi->start_html("CGI Error"); or something similar.

    • I would put the use CGI::Carp line to the top of the script, so the error handler would be installed ASAP.
    -- Joost
    downtime n. The period during which a system is error-free and immune from user input.
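The points raised by Tomte and Joost above (either/or logic, anchored whitelist instead of a bare /\w+/, undefined params, taint mode, and the missing HTTP header) pulled together in one script. This is an added example, not code from the original poster or from this thread; the interpreter path, the 1-10 word-character whitelist and the message texts are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not code from the thread): the frontpage.cgi check
# rewritten with the fixes suggested in the replies. Assumptions: the
# interpreter path, the 1-10 word-character whitelist and the messages
# are made up for illustration; adjust them to the real form.
use strict;
use warnings;
use CGI::Carp qw(fatalsToBrowser);   # first, so later compile errors reach the browser too
use CGI;

my $cgi   = CGI->new;
my $box   = scalar $cgi->param('box');
my $value = scalar $cgi->param('value');

# Validate every field. Returns (1, @untainted_values) on success or
# (0, $message) on failure. An undefined param (field absent from the
# request) is treated like an empty one, which also avoids "uninitialized"
# warnings from the regex. Anchoring with ^...$ makes the whole value pass
# the whitelist, not just one character of it, and the capture is what
# untaints the value under -T.
sub validate {
    my @fields = @_;
    my @clean;
    for my $p (@fields) {
        return (0, "You haven't entered anything on the form")
            if !defined $p || $p eq '';
        my ($ok) = $p =~ /^(\w{1,10})$/
            or return (0, 'Only 1-10 letters, digits or underscores are allowed');
        push @clean, $ok;
    }
    return (1, @clean);
}

my ($ok, @result) = validate($box, $value);

# The HTTP header goes out before any body text, on both paths.
print $cgi->header(-type => 'text/html; charset=UTF-8');

if (!$ok) {
    print $cgi->start_html(-title => 'Form error'),
          $cgi->p($cgi->escapeHTML($result[0])),
          $cgi->end_html;
    exit 0;
}

my ($clean_box, $clean_value) = @result;
print $cgi->start_html(-title => 'Form accepted'),
      $cgi->p('Received: ' . $cgi->escapeHTML("box=$clean_box value=$clean_value")),
      $cgi->end_html;
```

Note that under -T the values returned by param() stay tainted until they pass through a regex capture, which is why validate() returns the captured copies rather than the originals; anything echoed back to the browser is run through escapeHTML() so the polite error message cannot become a reflected-HTML problem later. A quick syntax check before deploying is `perl -T -c frontpage.cgi`.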
Re: CGI + safeguards
by jacques (Priest) on Feb 20, 2003 at 13:59 UTC
