basic PERL question....

Hi,

Im trying to create a script that;

(i) creates a .htm page based on form input and saves it in directory. The filename is based on the form input

then

(ii) prints a frameset with the above .htm, and another static html file.

check out the code...ive tried to cut out the superflous stuff


#!/usr/bin/perl

require "cgi-lib.pl";

&ReadParse(*input);

$uname= $input{'handle'};
$pass= $input{'password'};
$file = "http://www.whatever.org/$uname.htm" ##problem area?????



# open/create $file

open(FILE, ">$file");
print <<X;

[html stuff]

X
close(FILE);


#redirect to frames

print <<END;

<html><head><title>test page</title></head>

<frameset rows="80%,20%">
<frame name="one" src="http://whatever.com">
<frame name="two" src="$file">
</frameset>
</html>
END


any input would be appreciated......i know this is pretty basic


thanks

Hey there!

Hmm. Here's a few things-

cgi-lib.pl was crusty back in 1996. It's a really, really poor thing to develop around. You should use the modern, well-documented and super-powerful CGI.pm, which is basically the standard for perl CGI scripting. If a book recommended that you use cgi-lib.pl, you should throw that book out, it's either too old or written by the clue-impaired.

Basing filenames strictly on info that a user enters into a form is VERY insecure- what if a user enters "../../cgi-bin/yourscript.pl"? Your script would destroy itself, because it would be writing over itself. You need to "untaint" the data sent from the user with a regular expression.

Learning to code perl by writing CGI scripts is kind of a difficult way to go about it- frequently, CGI scripts are being used in an environment where there is always a potential for attacks. I suggest you start by getting the O'Reilly "Learning Perl" books, and then moving on to "CGI Programming with Perl" by the same publisher. Most other CGI books suck, and are written by newbies with a little bit of knowledge who are just trying to sell books.

A really good CGI tutorial, written by a coder with a good understanding of perl and security is at the URL below.

http://www.easystreet.com/~ovid/cgi_course/

Dan,

what the hell would i do without you?

Its not for the site...just fooling around with a script for learning purposes.

I figure;

$file = "http://www.whatever.org/$uname.htm"

makes PERL look for a variable $uname.htm instead of a file ($uname).htm.

so, concatenation? this is where im stuck.


I appreciate the security/cgi-lib stuff......but now my curiosity is aroused.

anyone?

The major problem with your script, besides the stuff I mentioned already, is that you're trying to open "http://www.whatever.org/$uname.htm" as a local file, and then write to it.

This ain't going to work. Files on your filesystem are addressed like local files- e.g., on linux machines "/path/to/directory/$filename", not as URLs.

On the concatenation question- Your corrected filename might look something like:



note the different way of creating the string. Fine to play with this, but for gods sake take it off your server when you're done.

Oh, and when a variable is put into double-quotes with perl, it is interpreted, when you put it in single-quotes it isn't.


output would be bar bar bar

output would be $poo $poo $poo

In the future, I'd just post all perl questions, including total newbie ones, into the perl forum.