Kee Hinckley wrote:
> So long as you don't mind someone doing http://xxx/foo.epl?file=/etc/passwd
> I'd do a little checking on the contents of $fdat{file} first.
Kee,
using CGI.pm's magic to treat a reference as a filehandle is regarded
as a safe practice, and is part of what I understand the Perl community
does every day. It's even recommended if you read `man CGI` and also in
my Perl Cookbook.
The trick is that the reference is 'magic' in the sense that if you
read it as a scalar, you get a string that reflects the filename of the
file on the client's hard drive. If you treat it as a filehandle,
read()ing it, for instance, it'll behave as an *already open*
filehandle. As you can read in my post, I was never issuing an open on
the *string*. As a matter of fact, it wouldn't work!
Why would you want to validate the filename of the file you are getting
via upload? Or am I missing something?
martin
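
The two views of an upload parameter discussed in this message, as an added example that is not code from the original thread. It assumes CGI.pm is installed, simulates one multipart POST in-process so it runs offline, and uses a constructed field name ("file"), boundary and body.

```perl
use strict;
use warnings;
use CGI;                           # assumption: CGI.pm is installed (not core since Perl 5.22)
use File::Basename qw(fileparse);

# Constructed request: the client labels its upload "/etc/passwd".
my $boundary = 'XbOuNdArY';
my $body = join "\r\n",
    "--$boundary",
    'Content-Disposition: form-data; name="file"; filename="/etc/passwd"',
    'Content-Type: text/plain',
    '',
    'bytes sent by the client',
    "--$boundary--",
    '';
$ENV{REQUEST_METHOD} = 'POST';
$ENV{CONTENT_TYPE}   = "multipart/form-data; boundary=$boundary";
$ENV{CONTENT_LENGTH} = length $body;
close STDIN;
open STDIN, '<', \$body or die "cannot reopen STDIN: $!";

my $q = CGI->new;

# String view: the filename as the client reported it. It is an untrusted
# label and is never handed to open() here.
my $client_name = '' . $q->param('file');

# Handle view: already open on CGI.pm's own temporary file, so the bytes read
# are the uploaded ones, whatever the client-side name says.
my $fh = $q->upload('file') or die "no upload in field 'file'";
my $content = do { local $/; <$fh> };

# If the name is kept for storage, drop any directory part and allow only a
# conservative character set; fall back to a fixed name for "", "." and "..".
my ($base) = fileparse($client_name);
(my $safe = $base) =~ s/[^A-Za-z0-9._-]/_/g;
$safe = 'upload.bin' if $safe =~ /^\.*$/;

print "client-supplied name: $client_name\n";
print "name used for storage: $safe\n";
print "uploaded content: $content\n";
```

The concern in the quoted reply applies only to code that passes a request string to open(); reading through the handle returned by upload() does not do that.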