--- Håkan Edman <[EMAIL PROTECTED]> wrote:
> Hi
> 
> I have a script that generates an HTML page with input fields. The amount
> of fields depends on an ascii database. This means that I don't know how many
> fields I have to work with. I tried the following code but I don't get any
> data in $title and $path. I get the correct amount of entries but it
> looks like:
> 0||
> 1||
> 2||
> And so on.
> 
> CODE:
> ----
>    $E=0;
>    open (EDITERA, ">$DATABASE")       || die "Can't open $DATABASE!\n";
>       foreach $h (@num) {
>          
>          $title    = param('linkname$E');
>          $path     = param('path$E');
>          print EDITERA "$E|$title|$path\n";
>          $E++;
>    }
> 
>    close (EDITERA);
> ----
> 
> Is there some easy way to get this to work?
> 
> regards
> Håkan

Håkan,

It's easy to get this to work, but you have some problems here.  Consider the
following three lines of code:

    $title    = param('linkname$E');
    $path     = param('path$E');
    print EDITERA "$E|$title|$path\n";

The reason that $title and $path are not getting any data is because variables will not
interpolate in single quotes.  You need to change those to double quotes:

    $title    = param("linkname$E");
    $path     = param("path$E");

However, you then print this data directly to your text file without checking what is
in the data.  What happens if someone sends a newline?  What happens if someone sends
data with a pipe in it?  The pipe alone will cause subsequent reading of the database
to be off because it will appear to have extra delimited fields.  There are other
dangers here, but let's assume, for the sake of argument, that the title and path can
only be letters, underscores, whitespace, digits, dots and forward slashes.  Further,
let's assume that the title can not be more than 30 characters and the path cannot be
more than 100.  We can create some regular expressions to untaint your data very
easily.

    $_title       = param("linkname$E");
    $_path        = param("path$E");
    # The leading "m" is required when the match delimiter is not "/"
    my ( $title ) = ( $_title =~ m!^([\s\w\d./]{1,30})! );
    my ( $path )  = ( $_path  =~ m!^([\s\w\d./]{1,100})! );
    print EDITERA "$E|$title|$path\n";

You'll probably need to modify the regular expressions to fit your needs, but this is
much safer and bug-free than what you are currently doing.

Hope this helps.

Cheers,
Curtis "Ovid" Poe

=====
"Ovid" on http://www.perlmonks.org/
Someone asked me how to count to 10 in Perl:
push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
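
The following is an added example, not part of the original message: it applies the allow-list idea from the reply to a pipe-delimited file, but goes one step further by anchoring the pattern at both ends and allowing only a literal space as whitespace, so input containing a newline, a pipe, or too many characters is rejected whole instead of being truncated. The `%form` hash (standing in for `param()`), the `clean_field` helper and all sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample form data standing in for CGI param() values.
my %form = (
    linkname0 => 'Perl Monks',     path0 => '/links/perlmonks.html',
    linkname1 => "Evil\n9|x|/etc", path1 => '/links/a.html',    # newline and pipes
    linkname2 => 'Docs',           path2 => 'a|b',              # pipe in path
    linkname3 => 'x' x 31,         path3 => '/too/long/title',  # title over 30 chars
);

# Hypothetical helper: return the value only if the WHOLE string matches.
# A literal space replaces \s so newlines and tabs are refused, and \A ... \z
# anchors both ends (\z, unlike $, does not tolerate a trailing "\n").
sub clean_field {
    my ( $value, $max ) = @_;
    return unless defined $value;
    my ($ok) = $value =~ m!\A([\w ./]{1,$max})\z!;
    return $ok;    # undef when the input is rejected
}

my ( @records, @rejected );
for my $i ( 0 .. 3 ) {
    my $title = clean_field( $form{"linkname$i"}, 30 );
    my $path  = clean_field( $form{"path$i"},     100 );
    if ( defined $title && defined $path ) {
        push @records, join( '|', $i, $title, $path );
    }
    else {
        push @rejected, $i;    # never write a partial or empty record
    }
}

print "$_\n" for @records;
print STDERR "rejected entries: @rejected\n";

# Every stored record must split back into exactly three fields.
for my $line (@records) {
    my @f = split /\|/, $line, -1;
    die "corrupt record: $line" unless @f == 3;
}
```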
