--- [EMAIL PROTECTED] wrote:
> Curtis,
> Thank you for your observations and compliments (first paragraph). No, you're right, I haven't
> been using taint (*I hang my head in shame*).
Actually, you may not *want* to use taint checking in your code samples. The end user should
control that as sometimes it cannot be used (on ISAPI, for example).
> So if I understand correctly, you would recommend something more to the effect of
> ----------------------------------
> if( $ENV{'CONTENT_TYPE'} =~ /multipart\/form-data; boundary=(.+)$/ ) {
> $boundary = $1; # Using MIME to split out the form elements.
> $boundary = '--'.$boundary if ($input =~ /--$boundary/);
> ----------------------------------
Don't forget about the boundary bug on IE 3.01 on Macs. Also, you must check that the length of
data read is the same as $ENV{'CONTENT_LENGTH'}. These are big issues. If you fail to check,
your code will *usually* work, but the mysterious intermittent failures that will result are what
is going to be a major reason for convincing people not to use this code.
> > I understand that some user agents do not wrap the values in quote marks
> So it should be more like
> ----------------------------------
> if ($listitem =~ / name=\"{0,1}(.*?)\"{0,1}; filename=\"{0,1}(.*?)\"{0,1}[\r\n]{2}/){
> ----------------------------------
> in order to catch the correct data where it may or may not be wrapped in quotes.
This:
/name=\"{0,1}.../
is the same as:
/name="?.../
And the second example is also easier to read.
Cheers,
Curtis "Ovid" Poe
=====
"Ovid" on http://www.perlmonks.org/
Someone asked me how to count to 10 in Perl:
push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
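
Added example (not part of the original message or of the code under discussion): Perl code for the checks raised in the reply above, reading exactly CONTENT_LENGTH bytes and matching boundary, name and filename values whether or not they are quoted. The helper names boundary_from, read_body and disposition_fields and the sample request are constructed for illustration; the IE 3.01 boundary quirk is not handled here.

```perl
use strict;
use warnings;
# Helper names and the sample request below are constructed for illustration.
# Boundary parameter from CONTENT_TYPE; the value may or may not be quoted.
sub boundary_from {
    my ($ct) = @_;
    return unless defined $ct
        && $ct =~ m{^multipart/form-data\s*;.*?\bboundary="?([^";]+)"?}i;
    return $1;
}

# Read exactly $expected bytes, looping over short reads; die on truncation.
sub read_body {
    my ($fh, $expected) = @_;
    die "bad CONTENT_LENGTH\n" unless defined $expected && $expected =~ /^\d+$/;
    binmode $fh;
    my ($body, $got) = ('', 0);
    while ($got < $expected) {
        my $n = read($fh, $body, $expected - $got, $got);
        die "read error: $!\n" unless defined $n;
        last if $n == 0;    # EOF before CONTENT_LENGTH bytes arrived
        $got += $n;
    }
    die "short read: got $got of $expected bytes\n" if $got != $expected;
    return $body;
}

# name and filename from a Content-Disposition header, quotes optional.
sub disposition_fields {
    my ($header) = @_;
    my %f;
    $f{$1} = $2 while $header =~ /\b(name|filename)="?([^";\r\n]*)"?/g;
    return \%f;
}

my $raw = join "\r\n", '--XyZ',
    'Content-Disposition: form-data; name=upload; filename="a.txt"',
    '', 'hello', '--XyZ--', '';
open my $in, '<', \$raw or die $!;
my $body     = read_body($in, length $raw);    # stands in for CONTENT_LENGTH
my $boundary = boundary_from('multipart/form-data; boundary="XyZ"');
# \Q..\E keeps boundary characters from acting as regex metacharacters.
my ($hdr) = $body =~ /\Q--$boundary\E\r\n(Content-Disposition:[^\r\n]*)/i;
my $f = disposition_fields($hdr);
print "name=$f->{name} filename=$f->{filename}\n";
# A truncated upload is rejected instead of being parsed.
my $cut = substr $raw, 0, 20;
open my $short, '<', \$cut or die $!;
print "rejected: $@" unless eval { read_body($short, length $raw); 1 };
```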