All,
 
I appreciate all the help with file uploading. I have written a basic script
similar to the file upload sample at perlmonks.com. I have noticed that it
is written very loosely so I am trying to build in additional security. Some
of the things I would like help understanding are as follows:
 
1.      I am using $CGI::POST_MAX=1024 * 100;  # max 100K posts to limit the
file upload size. This does work, but how can I output a warning to the
user's browser?
2.      I would like to learn and understand how to restrict file types,
such as only .doc and .pdf.
3.      What is the best way to prevent a user from passing additional
parameters to the script?
 
Once again I thank you all sincerely for your help. I am a total n00b to
perl and I am having a lot of trouble understanding how it works; it's just not
clicking at this point. The script is included below for reference.
 
#!/usr/bin/perl -w
 
# perlUpload.cgi by John Pretti
# Comments/Questions: john[at]web-connected.com
# Last modified 04/22/04
 
####### Load Needed Perl Modules ######
use strict;
# Make HTML/FORMS/UPLOADING easy to deal with
use CGI;
# Report errors in the browser
use CGI::Carp 'fatalsToBrowser';
# Limit file size
$CGI::POST_MAX=1024 * 100;  # max 100K posts
#######   End Perl Module Load  #######                       
 
# Create new CGI object (POST_MAX is enforced at this point)
my $q = CGI->new;

if ( $q->param() ) {

    # param('file') is the name the browser sent; upload('file') is a
    # read handle on the uploaded data. Set the handle to binary mode.
    my $filename   = $q->param('file');
    my $filehandle = $q->upload('file') || die "No upload received";
    binmode($filehandle);

    # Strip off any leading path, Windows (\) or Unix (/) style, so the
    # name cannot point outside the upload directory
    $filename =~ s{.*[\\/]}{};

    # open file for output - change this to suit your needs!!!
    open(my $out, '>', "/www/web/htdocs/merlin/upload/$filename") || die $!;
    binmode($out);

    # process $filehandle
    {
        my $buffer;
        while ( read($filehandle,$buffer,1024) ) {
            print $out $buffer;
        }
    }

    # close output file
    close($out);

    # show success (double quotes so $filename is interpolated)
    print   $q->header,
            $q->start_html,
            $q->p("File uploaded: $filename"),
            $q->end_html;
    exit(0);
}
}
else {
 
    # first run, so present form
 
    print   $q->header,
            $q->start_html,
            $q->start_multipart_form,
            $q->filefield('file'),
            $q->br,
            $q->submit('Upload'),
            $q->end_form,
            $q->end_html;
    exit(0);
}
 
Thanks in advance for your help and patience.
 
Regards,
John
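
An added example (my own, not John's script or the perlmonks sample) that addresses the three questions in one CGI.pm script: it reports a POST_MAX rejection to the browser via cgi_error(), restricts uploads to .doc and .pdf by both extension and the file's leading bytes, and refuses requests that carry parameters the form never defined. The upload directory, the allowed-type table and the expected field names (file, plus Upload for the submit button) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

$CGI::POST_MAX = 1024 * 100;            # 100K, as in the original script
my $UPLOAD_DIR = '/var/www/uploads';    # assumed path; keep it outside the document root
my %ALLOWED  = (pdf => '%PDF-', doc => "\xD0\xCF\x11\xE0");  # extension => leading bytes
my %EXPECTED = map { $_ => 1 } qw(file Upload);              # fields the form defines
my $q = CGI->new;
sub reject {                            # send an error page to the browser and stop
    my ($status, $msg) = @_;
    print $q->header(-status => $status), $q->start_html('Upload rejected'),
          $q->p($q->escapeHTML($msg)), $q->end_html;
    exit 0;
}

# (1) When the body exceeds POST_MAX, CGI.pm discards it, leaves param() empty and
#     records the reason in cgi_error(), so this check must run before anything else.
if (my $err = $q->cgi_error) {
    reject($err, "Upload rejected: $err (limit is $CGI::POST_MAX bytes)");
}

# (3) A client can always send extra parameters; the script's defence is to refuse
#     the request rather than act on fields the form never defined.
my @extra = grep { !$EXPECTED{$_} } $q->param;
reject('400 Bad Request', "Unexpected parameter(s): @extra") if @extra;

# (2) Keep only the basename the browser sent (strip / and \ paths), allow a
#     conservative character set, and require a whitelisted extension.
(my $name = $q->param('file') || '') =~ s{.*[\\/]}{};
reject('400 Bad Request', 'Filename not acceptable') unless $name =~ /\A\w[\w.-]*\z/;
my ($ext) = map { lc } $name =~ /\.([A-Za-z0-9]+)\z/;
reject('415 Unsupported Media Type', 'Only .doc and .pdf are accepted')
    unless $ext && $ALLOWED{$ext};

# The extension is client-supplied, so also check the file's leading bytes.
my $fh = $q->upload('file') or reject('400 Bad Request', 'No file received');
binmode $fh;
my $head = '';
read($fh, $head, length $ALLOWED{$ext});
reject('415 Unsupported Media Type', "Content is not a .$ext file") unless $head eq $ALLOWED{$ext};
seek($fh, 0, 0);
# O_EXCL refuses to overwrite an existing upload; mode 0600 keeps it private.
sysopen(my $out, "$UPLOAD_DIR/$name", O_WRONLY | O_CREAT | O_EXCL, 0600)
    or reject('409 Conflict', "Cannot store $name: $!");
binmode $out;
while (read($fh, my $buf, 8192)) { print $out $buf }
close $out or die "close: $!";
print $q->header, $q->start_html('Uploaded'), $q->p("File uploaded: $name"), $q->end_html;
```

Both the extension and the Content-Type header are supplied by the client, so the byte check is what actually limits what lands on disk; serving the stored files from a separate location with a fixed Content-Type keeps an accepted upload from being interpreted as a script.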
