#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2003
    Posts
    110
    Rep Power
    12

    Getting Data the "Query String"


    I am trying to use a url query string to name a file when I upload it to a server.

    Code:
    #!/usr/bin/perl
    
    use CGI;
    
    $upload_dir = "/home/www/your.com/upload_test";
    
    $query = new CGI;
    
    if (length ($ENV{'QUERY_STRING'}) > 0){
         $buffer = $ENV{'QUERY_STRING'};
         @pairs = split(/&/, $buffer);
         foreach $pair (@pairs){
              ($name, $value) = split(/=/, $pair);
              $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
              $in{$name} = $value;
         }
    }
    
    $bandopen = $in {'sendday'};
    
    $filename = $bandopen;
    $upload_filehandle = $query->upload("photo");
    
    open UPLOADFILE, ">$upload_dir/$filename";
    
    while ( <$upload_filehandle> )
    {
       print UPLOADFILE;
    }
    close UPLOADFILE;
    print $query->header ();
    print<<END_HTML;
    <HTML>
    <HEAD>
    <TITLE>Thanks!</TITLE>
    </HEAD>
    <BODY>
    <P>Thanks for uploading your photo!</P>
    <P>Your email address: $email_address</P>
    <P>Your photo:$bandopen</P>
    <img src="/upload_test/$bandopen" border="0">
    </BODY>
    </HTML>
    END_HTML

    The code above does not upload a file. Here is a sample URL:
    http://www.your.com/upload_test/uplo...htm?sendday=24

    It seems like $bandopen equals nothing and that is why I get no upload and no file name.

    Any ideas?
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2003
    Posts
    110
    Rep Power
    12
    To simplify the question, how do you get data from a url string and use it in perl?
  4. #3
  5. 11
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jul 2001
    Location
    Lynn, MA
    Posts
    4,635
    Rep Power
    82
    PLEASE PLEASE PLEASE try looking through the forums. The reason you didn't get an answer is probably because we talk about this all the time.

    You were already using CGI.pm. Why did you have to try and use your own broken form parsing code?

    Read the CGI.pm docs (google for it). It's a very powerful, simple module that will save you oodles of time.

    And by the way, it's an INCREDIBLY bad idea to let a user specify a file name unchecked, as you open your application to directory traversal attacks, and could allow a user to overwrite others' files. Bad idea.

    Read the information about security and tainting at the tutorial below.

    http://users.easystreet.com/ovid/cgi_course/


    Code:
    #!/usr/bin/perl
    use CGI;
    $upload_dir = "/home/www/your.com/upload_test";
    
    $query = new CGI;
    
    # Hideous form parsing code BE GONE!
    
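    # CGI.pm parses and URL-decodes the request parameters itself
    $bandopen = $query->param('sendday');
    
    # NOTE: $filename still comes from the request unchecked (see the warning above)
    $filename = $bandopen;
    $upload_filehandle = $query->upload("photo");
    
    open UPLOADFILE, ">$upload_dir/$filename" or die "Cannot open upload file: $!";
    binmode UPLOADFILE;   # photos are binary data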
    
    while ( <$upload_filehandle> )
    {
       print UPLOADFILE;
    }
    close UPLOADFILE;
    print $query->header ();
    print<<END_HTML;
    <HTML>
    <HEAD>
    <TITLE>Thanks!</TITLE>
    </HEAD>
    <BODY>
    <P>Thanks for uploading your photo!</P>
    <P>Your email address: $email_address</P>
    <P>Your photo:$bandopen</P>
    <img src="/upload_test/$bandopen" border="0">
    </BODY>
    </HTML>
    END_HTML
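
The unchecked file name that reply #3 warns about, handled with an allow-list and taint mode. This is an added example, not code from either poster: `safe_filename` and `handle_upload` are hypothetical names, and the digits-only rule is an assumption based on the sample `sendday=24`.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Same upload directory as in the thread.
my $upload_dir = "/home/www/your.com/upload_test";

# Hypothetical helper: map the raw 'sendday' value to a file name, or return
# nothing if it is not plain digits. Assumes names like the sample "24".
sub safe_filename {
    my ($raw) = @_;
    return unless defined $raw;
    # Allow-list match: "/", "..", NUL bytes and spaces can never get through.
    # Capturing with a regex also untaints the value under -T.
    return unless $raw =~ /\A([0-9]{1,2})\z/;
    return $1;
}

sub handle_upload {
    my $q        = CGI->new;
    my $filename = safe_filename(scalar $q->param('sendday'));
    my $in       = $q->upload('photo');

    unless (defined $filename && defined $in) {
        print $q->header(-status => '400 Bad Request', -type => 'text/plain');
        print "Bad sendday value or missing photo.\n";
        return;
    }

    # O_EXCL makes the open fail instead of overwriting an existing file.
    my $out;
    unless (sysopen($out, "$upload_dir/$filename", O_WRONLY | O_CREAT | O_EXCL, 0644)) {
        print $q->header(-status => '409 Conflict', -type => 'text/plain');
        print "That file already exists or cannot be created.\n";
        return;
    }
    binmode $out;    # photos are binary data
    while (read($in, my $buf, 8192)) {
        print {$out} $buf;
    }
    close $out or die "Cannot finish writing upload: $!";

    print $q->header(-type => 'text/html');
    print "<p>Thanks for uploading your photo!</p>\n",
          "<img src=\"/upload_test/$filename\" border=\"0\">\n";
}

handle_upload();
```

With this in place, a request such as `?sendday=../../index.html` gets a 400 response and nothing is written, and a second upload for the same day gets a 409 instead of replacing the first file.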
