http://www.perlmonks.org?node_id=205424

sulfericacid has asked for the wisdom of the Perl Monks concerning the following question:

This node falls below the community's threshold of quality. You may see it by logging in.

Re: allowing form uploading
by George_Sherston (Vicar) on Oct 15, 2002 at 17:33 UTC
    I can understand your reluctance to use modules or, for example, scripts written by others - understand, but not condone. It really *is* worth making the effort to get up the learning curve so you can do this. I speak as one who wasted time and effort not doing this for a long time. The fab thing about Perl is that for most of the things you want to do, someone else has already thought through the problem and written stuff to help you do it better. CPAN is your friend, and worth getting to know.

    You say your webhost doesn't allow you to use non-standard modules. Please don't let this stand in your way. Most of the modules you will want *are* standard by now. Or, on the other hand, there are many free or cheap webhosts that let you do what you want (for example install your own choice of modules) - cubesoft in the US or uklinux in the UK are good.

    Finally, I encourage you not to be touchy about a vigorous critique of your code. Would you rather people sugar-coated it and didn't tell you what was really wrong? Anyway, a good beasting from merlyn as well as being good for the soul is very much a rite of passage around here. It's not personal.

    § George Sherston

    PS in answer to your substantive question I wouldn't dream of doing this without a module. Mail::Sendmail handles attachments, though not in a very memory-friendly way. See this faq for more. Then you'll need a form field in your original form, and you'll need to use CGI.pm to help you manage processing the form once uploaded. NB that you will want your form to be a multipart encoded form - if you're generating your form from CGI.pm, you can set this up using the start_multipart_form() method. Forty-five minutes reading the docs on CGI and Mail::Sendmail will be time well spent. Enjoy! And please come back here with any problems you encounter.
Re: allowing form uploading
by swiftone (Curate) on Oct 15, 2002 at 18:37 UTC
Re: allowing form uploading
by charnos (Friar) on Oct 15, 2002 at 18:12 UTC
    Firstly, in answer to your question, I agree with George_Sherston. Installing Mail::Sendmail seems like the way to go. I don't believe it's a standard module, but it appears to be a pure Perl module, so you should be able to download it from CPAN (see above link), upload it to your home directory, and add something like
    use lib "$ENV{HOME}"; use Mail::Sendmail;
    to your script (after configuring it).

    Secondly, you may not have deserved the severity of the browbeating you received, but you deserved some of it. I don't mean to fan the flames, but surely you must concede that asking a benevolent group of software professionals to help you write code that is truly very dangerous and deleterious to yourself, the Perl community, and the Internet itself. Sure, it may be only for a few users to abuse (before being shut down), but it comes down to what you were told as a kid by your parents: "What if everyone threw their trash on the ground?" You can see that already there's a lot of insecurity over the web, and fostering one more leak is just out of the question. I think that merlyn thought that you were knowingly writing this hole to abuse yourself, though it appears to me that this is not true, though I can certainly see why he thought that (I did too until I read this post). Realize it was not necessarily the content of the code that was being attacked, it was the security.

    This is the best I can do and would prefer not being mocked.
    If you open yourself to suggestion (but not attack) from others, this doesn't have to be so. "Experience is a dear teacher, but fools will learn at no other." - Poor Richard's Almanac

    (Ok, so I stole that from The Mythical Man-Month ;) )

    Update: upon inspecting this, I don't think I made my own gut reaction to this code clear. I second merlyn's sentiment: Please do not deploy this code. It's great that you learned from writing real-world code, it really is, but this is not an Internet-ready email application, and shouldn't be deployed as one.
•Re: allowing form uploading
by merlyn (Sage) on Oct 15, 2002 at 18:45 UTC
    This code is still insecure. It allows the abuse of your server to send arbitrary mail to arbitrary addresses (minus a little boilerplate). The original suspect will not be traceable, but your server will get the brunt (rightfully so) of being an accessory to the crime.

    Please do not deploy this code. Please.

    -- Randal L. Schwartz, Perl hacker
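
An added example, not code from this thread or from any poster (the original script is not visible on this page): a CGI upload-to-mail handler of the kind discussed in the replies above, written so that it cannot be used to send mail to arbitrary addresses. The form field names (`subject`, `email`, `message`, `attachment`), the size limits and the recipient address are assumptions; it expects a multipart form and an installed Mail::Sendmail.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use MIME::Base64 qw(encode_base64);
use Mail::Sendmail;

# Assumed values for this sketch; none of them come from the thread.
my $RECIPIENT  = 'webmaster@example.com';  # fixed server-side, never read from the form
$CGI::POST_MAX = 512 * 1024;               # cap on the whole POST, attachment included

my $q = CGI->new;
bail('413 Request Entity Too Large', 'Upload too large') if $q->cgi_error;

# Values that end up in mail headers: refuse CR/LF so a field cannot
# smuggle in extra headers such as Bcc: or a second To:.
my $subject = $q->param('subject') // '';
my $reply   = $q->param('email')   // '';
for ($subject, $reply) {
    bail('400 Bad Request', 'Invalid field') if /[\r\n]/ || length($_) > 200;
}
bail('400 Bad Request', 'Invalid address')
    unless $reply =~ /\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;

# Attachment: read from the CGI.pm upload handle; the client-supplied
# filename is cut to its last path component and a safe character set.
my $fh = $q->upload('attachment') or bail('400 Bad Request', 'No file');
binmode $fh;
my $data = do { local $/; <$fh> };
(my $name = '' . $q->param('attachment')) =~ s/.*[\/\\]//;
$name =~ tr/A-Za-z0-9._-/_/c;

# Mail::Sendmail has no attachment helper, so the MIME body is built by hand.
my $boundary = '----=_' . time . "_$$";
my $body = join "\n",
    "--$boundary", 'Content-Type: text/plain; charset="utf-8"', '',
    scalar($q->param('message') // ''),
    "--$boundary", 'Content-Type: application/octet-stream',
    'Content-Transfer-Encoding: base64',
    qq{Content-Disposition: attachment; filename="$name"}, '',
    encode_base64($data), "--$boundary--", '';

sendmail(
    To => $RECIPIENT, From => $RECIPIENT, 'Reply-To' => $reply,
    Subject        => "[upload form] $subject",
    'Content-Type' => qq{multipart/mixed; boundary="$boundary"},
    Message        => $body,
) or bail('500 Internal Server Error', 'Mail failed');
print $q->header('text/plain'), "Sent.\n";

sub bail { print $q->header(-status => $_[0], -type => 'text/plain'), "$_[1]\n"; exit }
```

The visitor's address appears only in `Reply-To`, so the script can deliver mail to nobody but the fixed recipient.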

Re: allowing form uploading
by sulfericacid (Deacon) on Oct 15, 2002 at 16:49 UTC
    Ugh, I meant to say I want the users to be able to send attachments via this script, sorry.