Scott R. Godin wrote:
Ovid wrote:
--- "Scott R. Godin" <[EMAIL PROTECTED]> wrote:
his example and in which case you want to get the params AFTER
creating the cgi-object
my %params = $cgi->Vars;
which ensures that you also get multi-value <select>s as separate
values, too.
$cgi->Vars separates multiple values with a null byte, thus increasing
the risk of the person using this being vulnerable to a null-byte hack.
I would only use this if you're migrating from the Perl 4 cgi-lib.pl.
Also, having to do "@foo = split "\0",$params->{foo};" is not fun and
it's easy to get wrong.
If someone needs multiple values, they should just take advantage of
list context:
my $foo = $cgi->param('foo'); # single value
# versus
my @foo = $cgi->param('foo'); # multiple values
Cheers,
Ovid
You raise a good point, m'friend, and one that I pondered for quite a
while before sending an RFE to Lincoln Stein regarding possibly adding a
pragma to indicate that you want the multi-value params as an anonymous
array within the hash, thereby avoiding the potential problems of the
poison null-byte.
Along the lines of:
%hash = $cgi->Vars();
@foo = @{ $hash{foo} };
From what I can see from the code it looks like the \0-packing is being
done artificially after the fact, and internally the object data IS
being stored within an arrayref in the object's structure, so this may
be a simple thing to implement. I don't know myself. I got brain-freeze
trying to follow the flow within CGI.pm :-)
We'll have to wait and see what Lincoln says, but I brainstormed a bit
and even came up with a sensible pragma name.. either -presplit or
:presplit.
Very very good point though, and one I'm going to drill on until I can't
forget it again.
I finally got my tuits in order, unfroze my brain, and managed to grok
enough of the CGI.pm internals that I was able to implement at least a
partial solution to the problem.
It does require one download a separate module (which replaces three of
the CGI.pm AUTOLOAD methods), but short of Lincoln Stein implementing
this as a -presplit or -nopoison pragma, this solves the issue quite
nicely. :)
http://search.cpan.org/~sgodin/CGI-NoPoison-3.10/
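
Added example (not from the posts above, and not CGI.pm or CGI::NoPoison code): it shows why the "\0" packing done by Vars is ambiguous, by comparing it with a list-context fetch for two constructed query strings. The values_of helper, the labels and the query strings are assumptions made for illustration; multi_param is used where the installed CGI.pm provides it, because newer releases warn when param is called in list context.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Hypothetical helper: list-context fetch that works on old and new CGI.pm
# (multi_param exists from CGI.pm 4.08; older releases only have param).
sub values_of {
    my ($q, $name) = @_;
    return $q->can('multi_param') ? $q->multi_param($name) : $q->param($name);
}

# Constructed query strings: two genuine values vs. one value that
# contains a URL-encoded NUL byte.
my %requests = (
    two_values => 'foo=a&foo=b',
    one_value  => 'foo=a%00b',
);

for my $label (sort keys %requests) {
    my $q = CGI->new($requests{$label});

    # Vars joins multiple values into one string with "\0", so after the
    # split both requests look identical.
    my %packed = $q->Vars;
    my @split  = split /\0/, $packed{foo};

    # List context keeps the value boundaries the client actually sent.
    my @real = values_of($q, 'foo');

    # Flag values with an embedded NUL so they can be rejected before they
    # reach file names or system calls.
    my @bad = grep { /\0/ } @real;

    printf "%-10s Vars+split: %d value(s)  list context: %d value(s)  NUL-bearing: %d\n",
        $label, scalar @split, scalar @real, scalar @bad;
}
```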