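# Rebuild tile.htm from the submitted form: pull each section's text from the
# CGI request, merge it into the page on disk, then handle an optional image
# upload.  Reads the file-level globals $htmDir and $query and calls
# fileUpload(), all defined elsewhere in this file.  Takes no arguments and
# returns nothing; dies on any I/O failure instead of writing a broken page.
sub updateTiles {
    my $fto = $htmDir . 'tile.htm';    # $htmDir: file-level global

    # Slurp the current page.  Three-arg open with a lexical handle: the
    # original two-arg open(HOME,$fto) let a leading '>' or trailing '|' in
    # $fto turn the read into a truncate or a pipe, and its "while ()" had
    # lost its <HOME> readline, which would loop forever.
    open my $in, '<', $fto or die "open $fto: $!";
    my $content = do { local $/; <$in> };
    close $in or die "close $fto: $!";
    $content = '' unless defined $content;    # an empty file reads as undef

    my @sections = qw(Tile Pile Link);
    for my $section (@sections) {
        # One lexical per iteration; the original "my $paramTemp,$contentTemp"
        # declared only $paramTemp and left $contentTemp a package global.
        my $contentTemp = $query->param($section);    # $query: global CGI object
        $contentTemp = '' unless defined $contentTemp;

        # Form data is inserted verbatim into an HTML page, so neutralise the
        # markup-significant characters before any further rewriting.
        $contentTemp = _html_escape($contentTemp);

        if ($section eq 'Pile') {
            # NOTE(review): the replacement in this listing is two bare
            # newlines; the intended markup looks to have been lost — confirm
            # against the real source.  CRLF is treated as one line end so a
            # Windows submission does not get a double break per line.
            $contentTemp =~ s/\r\n?|\n/\n\n/g;
        }
        if ($section eq 'Link') {
            $contentTemp = "View this month's tiles.";
        }

        # NOTE(review): the section markers around (.*) appear to be missing
        # from this listing, so as written this replaces the first line of the
        # page on every pass.  If $section is interpolated into the pattern,
        # write it as \Q$section\E so regex metacharacters are taken literally.
        $content =~ s/(.*)/$contentTemp/;
    }

    # Write to a temp file and rename it into place so a visitor never sees a
    # half-written page.  Every step is checked: buffered write errors only
    # surface at close.
    my $tmp = "$fto.$$.tmp";
    open my $out, '>', $tmp or die "open $tmp: $!";
    print {$out} $content or die "write $tmp: $!";
    close $out or die "close $tmp: $!";
    rename $tmp, $fto or die "rename $tmp -> $fto: $!";

    # The upload param is absent (undef) when no file was chosen; the original
    # compared it with 'ne' unguarded.  fileUpload()'s return value was never
    # used, so it is not kept.
    my $image = $query->param('Image');
    if (defined $image && $image ne '') {
        fileUpload('Image', 250000, 1, 'latest_image', 'JPEG', '.jpg', '.jpeg');
    }
    return;
}

# Escape the characters that would be read as HTML markup or attribute
# delimiters when $text is inserted into a page; returns the escaped copy.
sub _html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}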