PerlMonks  

passing data to other script via link

by kasmot (Novice)
on Jun 08, 2004 at 02:21 UTC ( #362187=perlquestion )

kasmot has asked for the wisdom of the Perl Monks concerning the following question:

I'm trying to pass my data from one Perl script to another via a link:

    <a href=navigate.pl?$pagectr|$query>$pagectr</a>

$query is my search query and I want it to be passed and be used by the other script. But I wasn't able to do so because it only passes the first part of the string and terminates right after the space. Here's an example:

    $query = SELECT * FROM sqrequest WHERE id != 0 ORDER BY date, time

.. but when I pass it, only "SELECT" is being captured. I'm planning to change all the spaces into any char but I don't know how. Is there a way for me to make it work, or is there a better way of doing this? Any help is deeply appreciated. Thanks in advance.

Replies are listed 'Best First'.
Re: passing data to other script via link
by chromatic (Archbishop) on Jun 08, 2004 at 02:56 UTC

    To encode data in a URL, you can [struck through: call CGI::escapeHTML() directly] use URI::Escape.

    However, consider if I edited the link to encode the query DELETE FROM sqrequest WHERE 1 = 1. You might want to reconsider passing raw SQL queries where users can change them.

    Update: What calin says is what I meant, very different from what I wrote.

      To encode data in a URL, you can call CGI::escapeHTML() directly.

      URL escaping is different from HTML escaping. I think the OP needs a module like URI::Escape. Observe the following code:

      $ perl
      use CGI;
      use URI::Escape;
      my $orig = q{a9: _-;&<tag>'"};
      printf "HTML escaped: %s\n", CGI->escapeHTML($orig);
      printf "URL escaped: %s\n", uri_escape($orig);
      ^D
      HTML escaped: a9: _-;&amp;&lt;tag&gt;'&quot;
      URL escaped: a9%3A%20_-%3B%26%3Ctag%3E'%22

      Most mainstream browsers can recover from common broken (unescaped) URLs - space seems to be the most common. But RFC 2396 is clear in this regard:

      2.4.3. Excluded US-ASCII Characters

         Although they are disallowed within the URI syntax, we include here a
         description of those US-ASCII characters that have been excluded and
         the reasons for their exclusion.

      <SNIP>

         The space character is excluded because significant spaces may
         disappear and insignificant spaces may be introduced when URI are
         transcribed or typeset or subjected to the treatment of
         word-processing programs. Whitespace is also used to delimit URI in
         many contexts.

         space = <US-ASCII coded character 20 hexadecimal>

      <SNIP>

         Data corresponding to excluded characters must be escaped in order to
         be properly represented within a URI.

      Named entities (like those generated by escapeHTML) are simply names for characters and do not represent URL escaping.

      Test HTML snippet:

      <a href="http://google.com/search?q=super search">unescaped space</a>
      <a href="http://google.com/search?q=super%20search">escaped space</a>
      <a href="http://google.com/search?q=super&amp;search">entity amp</a>
      <a href="http://google.com/search?q=super%26search">url-escaped amp</a>

      Attn. OP: Passing SQL statements this way is a security hole.

      Thanks for the quick reply. I see your points. Is there a way to hide the extra parameters that we are sending through a link?

        You can use hidden fields, but that only hides things; it makes it only a little bit more difficult for a mischief maker to do bad things. A better solution is to encode the database query logic in a module or run state somewhere in the code, where users can't access it and you're not sending it to the client and trusting it to come back safely. CGI::Application is one good approach.

Re: passing data to other script via link
by arthas (Hermit) on Jun 08, 2004 at 08:18 UTC

    Don't pass the SQL queries that way, it's dangerous (as someone else already pointed out).

    I would suggest you call your script with something like this:

    navigate.pl?task=dsp

    And, in your program you can have:

    use CGI;

    my $q = new CGI;

    # Dispatch on a fixed task name; the SQL itself stays in the subs on the server.
    SWTC: {
        $q->param('task') eq 'dsp' and do {
            dsp();
            last SWTC;
        };
        $q->param('task') eq 'other' and do {
            other();
            last SWTC;
        };
    };

    You can then keep all the queries in the subs.

    Hope this helps!

    Michele.
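
The advice in the replies above, put together as an added example that is not part of the original thread: the link carries only a task name and a page number, the SQL stays in a server-side table, and the page number is validated before it is bound as a placeholder value. The `page` parameter, the page size and the LIMIT/OFFSET paging are assumptions made for illustration; the table and query come from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use URI::Escape qw(uri_escape);

# Task name => fixed SQL kept on the server. The query is the one from the
# question; the LIMIT/OFFSET paging is an assumption for this example.
my %QUERY_FOR = (
    dsp => 'SELECT * FROM sqrequest WHERE id != 0 ORDER BY date, time LIMIT ? OFFSET ?',
);
my $PAGE_SIZE = 20;    # assumed page size

# Map request parameters to (SQL, bind values). Returns an empty list when the
# task is not in the table or the page is not a small positive integer.
sub plan_query {
    my ($q) = @_;
    my $task = $q->param('task');
    my $page = $q->param('page');
    $task = '' unless defined $task;
    $page = 1  unless defined $page;
    return unless exists $QUERY_FOR{$task};
    return unless $page =~ /\A[1-9][0-9]{0,5}\z/;
    return ($QUERY_FOR{$task}, $PAGE_SIZE, ($page - 1) * $PAGE_SIZE);
}

# Build a paging link: URL-escape values inside the href, HTML-escape the
# visible text. Only the task name and page number reach the client.
sub page_link {
    my ($task, $page) = @_;
    return sprintf '<a href="navigate.pl?task=%s&amp;page=%s">%s</a>',
        uri_escape($task), uri_escape($page), CGI::escapeHTML($page);
}

# Constructed sample query strings: one normal request and two edited links.
for my $qs ('task=dsp&page=3',
            'task=dsp&page=3%3B%20DELETE%20FROM%20sqrequest',
            'task=DELETE%20FROM%20sqrequest%20WHERE%201%20%3D%201') {
    my ($sql, @bind) = plan_query(CGI->new($qs));
    my $result = defined $sql ? "run: $sql (binds: @bind)" : 'rejected';
    print "$qs\n  $result\n";
}
print page_link('dsp', 4), "\n";
```

In a real navigate.pl the returned statement and bind values would go to DBI, for example `$dbh->selectall_arrayref($sql, undef, @bind)`, so nothing from the request is ever concatenated into the SQL text.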

Node Type: perlquestion [id://362187]
Approved by sgifford