--- Abel Lucano <[EMAIL PROTECTED]> wrote:
> > my $uri_chars = '\x00-\x29\x2b\x2c\x2f\x3a-\x40\x5b-\x5e\x60\x7b-\xff';
>
> Good points Curtis and thanks for your answers; I've applied (and
> understood) all your advices but when I fill the forms with valid entries,
> the submit is still passing wrong parameters to checkuser.cgi, like this:
>
>
http://external-server/cgi-bin/checkuser.cgi?user=%5Cx00-%5Cx29%5Cx2b%5Cx2c%5Cx2f%5Cx3a-%5Cx40%5Cx5b-%5Cx5e%5Cx60%5Cx7b-%5Cxff&pass=%5Cx00-%5Cx29%5Cx2b%5Cx2c%5Cx2f%5Cx3a-%5Cx40%5Cx5b-%5Cx5e%5Cx60%5Cx7b-%5Cxff
Okay, this appears to be from a couple of subtle errors that I didn't spot because I
was running
from the command line. Oops! :) Try the following:
#!/usr/bin/perl -w
use strict;
use CGI;
use CGI::Carp 'fatalsToBrowser';
use URI::Escape;
my $q = new CGI;
my $uri_chars = '\x00-\x29\x2b\x2c\x2f\x3a-\x40\x5b-\x5e\x60\x7b-\xff';
my $usuario = $q->param('username') ||'';
my $contrasena = $q->param('passwd') ||'';
$usuario = uri_escape( $usuario, $uri_chars );
$contrasena = uri_escape( $contrasena, $uri_chars );
print $q->header,
$q->start_html( { bgcolor => "white" }, 'Check users' ),
$q->h1( 'Check users' ),
$q->br,
$q->start_form( -action => "gunman.cgi?user=$usuario&pass=$contrasena",
-method => 'get' ),
$q->h3( 'type user name' ),
$q->textfield( -name => 'username',
-size => 20 ),
$q->p,
$q->h3( 'type user password' ),
$q->password_field( -name => 'passwd',
-size => 20 ),
$q->p,
$q->submit( -name => 'Check' ),
$q->end_form,
$q->hr,
$q->end_html;
Here's what happened:
my $usuario = $q->param('username') ||'';
The ||'' at the end of the line sets $usuario to the empty string, if not param is
sent (e.g., the
first run of the script. Subsequent runs were working). Apparently, if you don't do
that, when
uri_escape encounters and undefined value, it simply returns the URI characters that
you ask it to
encode. I wasn't expecting that.
Second: start_form defaults to the 'post' method. I changed it to -method => 'get',
which clears
up another bug that happened when the server was ignoring params on first pass. When
you change
it to a GET request, you will notice that Check=Check will be appended to the end of
the query
string. That's because you've assigned a name to the submit button. That's normal.
Cheers,
Curtis Poe
=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35
a year! http://personal.mail.yahoo.com/
