Hello all.
I made some progress with the configuration and configuration database for Bering.
So now I started to continue to work on the weblet.
Here I encountered a problem that could be a security risk.

What I did was this:
Create an HTML page containing a form; the number of input fields depends on the already available items + 1.
The parts of the HTML that are always the same are put together as functions: htmlhead, htmltitle and so on, writerow.
As this is rather modular, extending is quite easy.

# But now I found a bug :(
# The cgi script is built like this.
#
# If I am called after submitting,
# read the variables on each row and write them back to the database
#
# cdb count gives the number of items in this tree
# cdb set will write the fields back
#
#
counter=`$cdb count $tree`
if [ "x$WWW_save" = "xsave changes" ] ;then
  max=0
  for nr in `echo "$WWW_max" |sed 's/#/ /g' `
  # max is a repeated field
  # and contains the numbers of the fields like 1#2#3#4
  #
  do
    eval delete="\$WWW_delete$nr"
    # is the delete checkbox checked
    # if not then this item has to be processed
    # and the item number is temporarily saved in $order
    #
    [ -z $delete ] && order="$nr $order"
    max=`expr $max + 1`
  done
  ct=0
  for nr in $order
  do
    # change
    #
    # evaluate return names to local names
    #
    # As I use uncgi the fieldnames are returned as $WWW_name
    # This is probably unnecessary.
    # The problem is however the name$nr
    #
    # ---------------------------------------------------------
    # Those are the troublesome lines
    # -------------------------------------------------------
    #
    eval name="\$WWW_name$nr"
    eval ip="\$WWW_ip$nr"
    #
    # -----------------------------------------------------------------------------
    # this functions well unless name1, 2 etc. contains a special char,
    # for example "*"
    # the eval function will find a filename for it and not just write it to the
    # database
    # the same trouble could probably be caused by backticks in a name
    # any suggestion to improve this ?
    #
    # or in other words how can I evaluate a number of numbered fieldnames without
    # evaluating the contents.
    #
    #-------------------------------------------------------------------------------
    #
    # test if the first or obligatory field is empty
    #
    if [ -n "$name" ]; then
      #
      #
      # write the row
      # options that can be empty are set in their own line
      #
      $cdb set tree $tree/$ct name $name ip $ip
      #
      # no change
      #
      ct=`expr $ct + 1`
    fi
  done
fi
#
#
#
# After this part the page is written.
# as there is no eval necessary, this is no problem.
#

Thanks for any help

Eric Wolzak
member of the bering crew
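
An added example, not part of the original post or the Bering code: one way to read the numbered uncgi fields so that only a validated variable name reaches eval and the submitted content is never globbed, split or executed. The helper names field_value, save_rows and show_args are hypothetical, and the WWW_* values are constructed.

```shell
#!/bin/sh
# Added example. The WWW_* values at the bottom are constructed test input.

# field_value PREFIX NR: print the content of $WWW_<PREFIX><NR> literally.
# Fails (status 1) if PREFIX or NR could carry shell syntax into eval.
field_value() {
    case "$1" in ''|*[!A-Za-z_]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    # eval sees only: printf '%s' "${WWW_name1}"
    # The content is expanded once, inside double quotes: no globbing,
    # no word splitting, no command substitution on the submitted text.
    eval "printf '%s' \"\${WWW_$1$2}\""
}

# save_rows: walk the "1#2#3" index list in $WWW_max and pass every kept
# row to the command named in $cdb as separate, quoted arguments.
save_rows() {
    ct=0
    old_ifs=$IFS; IFS='#'
    set -f                 # no pathname expansion while splitting $WWW_max
    set -- $WWW_max
    set +f; IFS=$old_ifs
    for nr in "$@"; do
        delete=$(field_value delete "$nr") || continue  # reject bad index
        [ -z "$delete" ] || continue                    # row marked for delete
        name=$(field_value name "$nr")
        ip=$(field_value ip "$nr")
        [ -n "$name" ] || continue                      # obligatory field
        "$cdb" set tree "$tree/$ct" name "$name" ip "$ip"
        ct=$((ct + 1))
    done
}

# Constructed input: what uncgi might export for a hostile submission.
show_args() { printf '[%s] ' "$@"; printf '\n'; }  # hypothetical stand-in for cdb
cdb=show_args
tree=hosts
WWW_max='1#2#3;id'
WWW_name1='*'        WWW_ip1='10.0.0.1'
WWW_name2='`id`'     WWW_ip2='$(id)'
save_rows
```

The index list is the part that needs validating, because it is the only submitted text that becomes part of the string eval parses; the field contents stay data as long as every later use of them is double-quoted.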