#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2016
    Posts
    2
    Rep Power
    0

    cannot open dynamic fileNAME for writing


    How do I open a file where $dataFILE is input from an HTML form? I am continually getting error 500.
    I have done quite a bit of research and all examples and explanations have a known file that is being opened instead of a file based on form data.

    I can
    open(FILE, "data/$dataFILE.txt");
    to read, where $dataFILE is input from an html link.

    What I cannot do is
    open(FILE, ">data/$dataFILE.txt");
    print FILE "this is a test\n";
    close(FILE);
    to create a file where the file name is input from an html form and then write to it.

    I can
    open(FILE, ">data/$datafile.txt");
    print FILE "this is a test\n";
    close(FILE);
    on accident (forgot to capitalize 'FILE'), where $datafile has no value. In this case, .txt is created and I can write to it.

    Any help would be appreciated!
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2016
    Posts
    2
    Rep Power
    0
    I still would like some help but let me shed some light on what I have done after a few hours sleep.
    My code looked like:
    Code:
    #!/usr/bin/perl -wT  # not sure what is going on here, reminds me of days long ago
    use CGI qw/:standard/;  # same as above
    
    my $dataFILE = param('dataFILE');  # different than what I have done in the past
    # but assigning value from html post
    .
    .
    .
    open(FILE, ">data/$dataFILE.txt");  # opens file to write (file name comes from
    # html)
    print FILE "something to print\n";
    print FILE "something else to print\n";
    .
    .
    .
    print FILE "last thing to print\n";
    close(FILE);
    Problem is that the value passed on to $dataFILE is not used and an error 500 occurs.
    I had done something like this in the past so I decided to go old school, but if anyone can explain the new way to do things I would be happy to learn.
    New Code - that works!!!
    Code:
    #!/usr/bin/perl
    use CGI qw/:standard/;
    push(@INC, "/cgi-bin");
    require("cgi-lib.pl");
    
    &ReadParse(*input);
    
    $dataFILE = $input{'dataFILE'};
    .
    .
    .
    open(FILE, ">data/$dataFILE.txt");  
    print FILE "something to print\n";
    print FILE "something else to print\n";
    .
    .
    .
    print FILE "last thing to print\n";
    close(FILE);
    Again, would appreciate it if someone could tell me the new or better way to do it.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Apr 2009
    Posts
    2,232
    Rep Power
    1296
    The -T option enables taint mode with does not allow you to do unsafe things with user input, which is what you're doing when opening that filehandle. Opening a file in write mode without untainting the input data will throw an error, which you are not checking. Going back to the "old school" method is really bad (unsafe) and should not be done. Even using the CGI module is now considered obsolete and it's use is discouraged when developing new web apps. It's better to learn one of the newer frameworks such as Dancer, or Mojolicious.

    Going back to your script using the CGI module, you should add a couple additional modules (pragmas) which should be included in every script you write. Your scripts should begin like this:
    Code:
    #!/uer/bin/perl -T
    
    use strict;
    use warnings;
    use CGI qw(:standard);
    use CGI::Carp qw(fatalsToBrowser);
    The CGI::Carp module should be used while developing/debugging the script but removed when the script is used in production. Instead of just getting a "500" error it will take the more descriptive error message from the web server error log and display it to the user. That's what you want when developing, but it gives the general user backend details which they should not have.

    Untainting Data
    Last edited by FishMonger; September 19th, 2016 at 12:52 PM.
  6. #4
  7. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Apr 2009
    Posts
    2,232
    Rep Power
    1296
    Also, your open call needs to be reworked. 1) You should be using a lexical var for the filehandle. 2) you should use the 3 arg form of open. 3) You should check the return code to make sure it was successful and take proper action if it wasn't.
    Code:
    open(my $FH, '>', "data/$dataFILE") or die "failed to create 'data/$dataFILE' because: <$!>";
  8. #5
  9. Banned ;)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Nov 2001
    Location
    Woodland Hills, Los Angeles County, California, USA
    Posts
    9,782
    Rep Power
    4300
    Reason you can't write to the file is probably because the user account that the webserver (apache, IIS or whatever) runs under only has read permissions to that file/directory. For instance, many apache webservers are configured to switch to a www user account when running and if the directory doesn't allow that user permissions to write to it, then you can't create the file.

    Also, never take the file name directly from a form post. Always untaint it first. Bad mojo if you don't.
    Up the Irons
    What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
    "Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
    Down with Sharon Osbourne

    "I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo

IMN logo majestic logo threadwatch logo seochat tools logo