CGI + safeguards

Hi monks, I am busying myself with cgi-fun and thought it sensible to add in a few safe-guards so that if nothing is entered into the form, the user gets a polite message, not an internal server error. Anyway, I thought this simple reg-exp would work (below). Can anyone suggest why is might be going wrong. Many thanks.

# snippet from script 1
print qq(<FORM METHOD="post" ACTION="http://localhost/~sm125/cgi-bin/f
+rontpage.cgi"><h3>Enter: </h3><INPUT TYPE="TEXT" NAME="box" SIZE="10"
+><h3>Enter: </h3><INPUT TYPE="text" NAME="value" SIZE="10"><INPUT TYP
+E="SUBMIT" value="go"></FORM>);
[download]

second script

# snippet from frontpage.cgi
#!/biol/programs/perl/bin/perl -w

use strict;

use CGI qw(:standard);

my $cgi;

$cgi = new CGI;
use CGI::Carp qw(fatalsToBrowser);

my $box = $cgi->param('box');
my $value = $cgi->param('value');


if (($box !~ /\w+/) && ($value !~ /\w+/))   {

 print "You haven't entered anything on the form";
 print STDOUT  $cgi->end_html;
 exit (0);
}

[download]

Comment on CGI + safeguards Select or Download Code
Re: (nrd) CGI + safeguards by newrisedesigns (Curate) on Feb 20, 2003 at 13:02 UTC
It doesn't look like you are printing out headers. Are you? John J Reiser newrisedesigns.com	[reply]
Re: CGI + safeguards by valdez (Monsignor) on Feb 20, 2003 at 13:02 UTC
You are testing values of both parameters, just change `&&` with `or`. Ciao, Valerio	[reply] [d/l] [select]
Re: CGI + safeguards by Tomte (Priest) on Feb 20, 2003 at 13:04 UTC
Talking about safe-guards: you might want to check the -t and -T switches. To the regexp: The check-logic is wrong, you want to bail out safely if either of the values is undefined, not both One \w character in the input is enough ATM to match, so but you want to check that the whole value matches only \w-characters that leads to something like `($box !~ /^[my allowed characters in a handy class]+$/ \|\| $value !~ /^[my allowed characters in a handy class]+$/` [download] hth, regards, tomte	[reply] [d/l]
Re: CGI + safeguards by Joost (Canon) on Feb 20, 2003 at 13:13 UTC
Can anyone suggest why is might be going wrong. `if (($box !~ /\w+/) && ($value !~ /\w+/)) { print "You haven't entered anything on the form"; print STDOUT $cgi->end_html; exit (0); }` [download] Some things are seem strange to me: Your code will complain when someone doesn't enter a 'word' character (that is, `[a-zA-Z0-9_]` or something similar, depending on locale). For instance, when someone enters a "#" character, your code will complain. Probably you'll want to change either the message, or the regex, depending on what kind of values are allowed. Your regex will give undefined values warnings when there is no data submitted to the form. `print STDOUT $something` is equivalent to `print $something` here. You do not print a HTTP-header, or start the HTML document in the error message: use `print $cgi->header, $cgi->start_html("CGI Error");` or something similar. I would put the use CGI::Carp line to the top of the script, so the error handler would be installed ASAP. `-- Joost downtime n. The period during which a system is error-free and immune from user input.` [download]	[reply] [d/l] [select]
Re: CGI + safeguards by jacques (Priest) on Feb 20, 2003 at 13:59 UTC
You should consider using CGI::Safe	[reply]


XP is just a number
	PerlMonks

CGI + safeguards

The best material for plates (tableware) is: