Kasturirangan Rangaswamy wrote:

I have a perl program that has an include directive calling another Perl program in it. The structure is somewhat as follows

first.pl
----------
#!/usr/local/bin/perl
require "second.pl"
$q = new CGI;
print $q->hidden(-name='first', value='1');
second($q);
End of first.pl
----------------

second.pl
----------
#!/usr/local/bin/perl
sub second{
use CGI;
my ($q) = @_;
my $first = $q->param('first');
print $q->hidden(-name='second', value=$first); // This does NOT WORK
print $first; // This WORKS!!!
}

End of second.pl
----------------

Your first.pl doesn't even compile. It prints these errors:


Scalar found where operator expected at ./first.pl line 3, near "$q"
        (Missing semicolon on previous line?)
syntax error at ./first.pl line 3, near "$q "
Execution of ./first.pl aborted due to compilation errors.

But when you add:

  use strict;
  use warnings;

at the beginning, as you always should, it prints:

Scalar found where operator expected at ./first.pl line 5, near "$q"
(Missing semicolon on previous line?)
syntax error at ./first.pl line 5, near "$q "
Global symbol "$q" requires explicit package name at ./first.pl line 5.
Global symbol "$q" requires explicit package name at ./first.pl line 6.
Global symbol "$q" requires explicit package name at ./first.pl line 7.
Bareword "value" not allowed while "strict subs" in use at ./first.pl line 6.
Execution of ./first.pl aborted due to compilation errors.


The second.pl prints these errors:

Bareword found where operator expected at ./second.pl line 8, near "// This"
(Missing operator before This?)
Bareword found where operator expected at ./second.pl line 9, near "// This"
(Missing operator before This?)
Can't modify negation (-) in scalar assignment at ./second.pl line 8, near "'second',"
syntax error at ./second.pl line 8, near "// This does "
syntax error at ./second.pl line 9, near "// This WORKS"
Execution of ./second.pl aborted due to compilation errors.


So, first of all, as always, start your programs with:

#!/usr/local/bin/perl
use strict;
use warnings;

unless you are completely sure you know what you are doing.

Comments in Perl start with '#' and not '//' like in C++. Change it. Now, second.pl prints this error:

Can't modify negation (-) in scalar assignment at ./second.pl line 8, near "'second',"
Execution of ./second.pl aborted due to compilation errors.


This is because of -name='second'

See the documentation of CGI.pm to know how you should use it:

CREATING A HIDDEN FIELD

      print $query->hidden(-name=>'hidden_name',
                           -default=>['value1','value2'...]);
            -or-

print $query->hidden('hidden_name','value1','value2'...);

Fix it. Now, back to first.pl. As a first line it prints this:

Scalar found where operator expected at ./first.pl line 5, near "$q"
        (Missing semicolon on previous line?)

So, add the semicolon in the previous line...

Now, it prints:

Global symbol "$q" requires explicit package name at ./first.pl line 5.

So declare your $q as a lexical variable with my, or a package variable with our, or use a full name like $somepackage::q.

When you fix this, you get this error after running first.pl:

second.pl did not return a true value at ./first.pl line 4.

Read perldoc perlmod and perldoc perlmodlib.
Read about require: perldoc -f require

  The file must
  return true as the last statement to indicate suc-
  cessful execution of any initialization code, so
  it's customary to end such a file with "1;" unless
  you're sure it'll return true otherwise.  But it's
  better just to put the "1;", in case you add more
  statements.

So, add "1;" at the end of second.pl...

Now, it prints:

Use of uninitialized value in print at second.pl line 9.
<input type="hidden" name="first" value="1" /><input type="hidden" name="second" value="" />


This is because the "second" CGI parameter is undefined. We can never be sure about the user input, so we have to use some default value in case there is no "second" parameter passed to the script, either with CGI by the browser or with second=something command-line argument, so instead of this:

my $first = $q->param('first');

there should be:

my $first = $q->param('first') || 'default value';

Now it works, but is insecure. There is a cross-site scripting vulnerability. You should change:

print $first;

to:

print $q->escapeHTML($first);

to escape the HTML markup in $first.

There were quite a lot of problems with those two simple pieces of code you have posted, so I suspect that there are many more in your full programs. If you want more help with them, please contact me privately off-list; I might see what I can do.

--
ZSDC Perl and Systems Security Consulting
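As an added example, not code from the thread, here are the two files folded into one runnable script with the fixes from the reply above applied (assumed: Perl 5.10 or later for the defined-or operator, and a constructed query string standing in for browser input):

```perl
#!/usr/local/bin/perl
# Added example, not from the original thread: first.pl and second.pl
# folded into one script so it runs offline from the command line.
# Assumes CGI.pm is installed (a CPAN module since Perl 5.22) and
# Perl 5.10+ for the '//' operator.
use strict;
use warnings;
use CGI;

# Corrected body of second.pl. When this sub lives in its own file
# loaded with require, that file must end with "1;".
sub second {
    my ($q) = @_;

    # User input may be absent, so fall back to a default.
    # Defined-or ('//') keeps a legitimate "0", which '||' would discard.
    my $first = $q->param('first') // 'default value';

    # Pass the value with -default, not a bareword. -override stops
    # CGI.pm from substituting a same-named parameter from the request
    # ("sticky" fields), so the emitted value is the one we intend.
    # hidden() escapes attribute values itself when autoEscape is on
    # (the default).
    print $q->hidden(-name => 'second', -default => $first, -override => 1);

    # Raw user input must never reach the page unescaped: escapeHTML
    # turns <, >, &, and quotes into entities, closing the XSS hole
    # that a bare "print $first" opens.
    print $q->escapeHTML($first), "\n";
    return;
}

# Corrected first.pl. A constructed query string replaces the browser
# request; note the parameter carries markup a user could submit.
my $q = CGI->new('first=<b>hello</b>&second=ignored');

print $q->hidden(-name => 'first', -default => '1');
second($q);
```

Running it prints the two hidden fields followed by the entity-escaped text rather than live markup; drop `-override` to see the "second=ignored" request parameter win over the value the script intended.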
