
taking perl data through web page


swabs

IS-IT--Management
Jul 28, 2003
155
US
I am attempting to pass data from the output of a javascript form into a perl script through a web page. The web page will output the following into a browser:

From a cmd line I can run test.pl input1=2182366414 and the program works successfully. But I don't know how to accommodate the "?" that is passed. If I add the "?" to my regular expression it fails. Any ideas?


#!c:\perl\bin\perl.exe -w
#test2.pl
chomp($output=$ARGV[0]);
$output =~ s/\input1=//;
print "Content-type:text/html\n\n";
print "<html>" ;
system("md c:\\$output");
print "you just created a directory named $output";
#print "Done" ;
print "</html>" ;
 
That will work from the command line but not once your script is running as a cgi script within a browser. The URL does not get passed as command line arguments to your script - it is processed and made available via the environment.

Please don't be tempted to access it directly - there are so many pitfalls, many of which won't be apparent until your script is in production. IMHO the only smart way to write perl CGI scripts is with CGI.pm, which is part of the standard distribution and available on most hosting sites.

You get at the query variable like this:
Code:
use CGI qw/ :standard /;
my $value = param('input1');

This deals with all encoding variations and a myriad of other possible problems.

Please also note that you should never accept parameters like this and use them directly in operating system commands - it's wide open to abuse by injection attacks. The least you should do is check for dangerous characters, and there are so many of these that it's usually best to list the ones you allow.
Code:
use CGI qw/ :standard /;
my $value = param('input1');
# reject a missing parameter or anything outside the allow-list
reject_request() if !defined $value or $value !~ /^([\w\-]+)$/; # allow alphanum, _ and - only
$value = $1; # this satisfies perl

Your webserver should run the script in taint mode anyway, in which case you will need to do something like this (as well as cleaning your path and a few other things - check out the perlsecure manual page for info) before it will even run.

Yours,


fish



"As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs."
--Maur
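
A hardened version of test2.pl along the lines of the advice above, as an added example that is not code from either poster. It assumes CGI.pm is installed; `$BASE_DIR`, `validate_name` and the 32-character cap are hypothetical choices, and `reject_request` is given a body here only so the script runs.

```perl
#!c:\perl\bin\perl.exe -T
# Added example: test2.pl rewritten to run under taint mode (-T).
# Assumptions: CGI.pm is installed; $BASE_DIR is a hypothetical parent directory.
use strict;
use warnings;
use CGI qw/ :standard /;

# Under -T, perl refuses system()/exec() while PATH is still tainted.
# mkdir below does not need PATH, but a script that later shells out does.
$ENV{PATH} = 'C:\\Windows\\System32';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $BASE_DIR = 'C:\\cgi-data';   # hypothetical: the only place directories are created

# Return the untainted name if it passes the allow-list, otherwise undef.
sub validate_name {
    my ($raw) = @_;
    # \A...\z instead of ^...$: a value ending in a newline is rejected
    # rather than silently trimmed. /a keeps \w to ASCII letters, digits and _.
    return unless defined $raw && $raw =~ /\A([\w\-]{1,32})\z/a;
    return $1;                   # the capture is what clears the taint flag
}

# Answer with a 400 and stop; nothing from the request is echoed back.
sub reject_request {
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid value for input1\n";
    exit 0;
}

my $name = validate_name(scalar param('input1'));
reject_request() unless defined $name;

# mkdir is a perl built-in, so no shell ever parses the value,
# unlike system("md c:\\$output") in the original script.
my $ok = mkdir "$BASE_DIR\\$name";

print header(-type => 'text/html');
print "<html>";
# $name holds only [A-Za-z0-9_-], which needs no HTML escaping.
print $ok ? "you just created a directory named $name"
          : "could not create the directory";
print "</html>";
```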
 
fishiface,
Thanks very much for pointing me in the right direction. I agree with your cautions about security. My projects right now are not public-facing web pages and mostly for testing/learning what is possible.

My goal is to be able to log into a web page that is secure and then have the ability to change where a user's phone number is forwarding to by having the web page kick off a perl/cgi script that runs another cmd script to interact with the phone system.

After your help it looks like I have the functionality down. I just need to focus on locking it down.

thanks,
Ben
 
My pleasure. I find CGI scripting very satisfying and I hope you enjoy your journey.

f

 