Re: Fw: 2 Questions
--- Kyle Babich [EMAIL PROTECTED] wrote:
> Sorry for bothering everyone again, but could someone tell me what to change so that I can import variables from external files and get them to work in the current file? (see original message)
>
> Thank you,
> Kyle

Copied from perldoc CGI:

-- begin quote --
CREATING A NEW QUERY OBJECT FROM AN INPUT FILE

    $query = new CGI(INPUTFILE);

If you provide a file handle to the new() method, it will read parameters from the file (or STDIN, or whatever). The file can be in any of the forms describing below under debugging (i.e. a series of newline delimited TAG=VALUE pairs will work). Conveniently, this type of file is created by the save() method (see below). Multiple records can be saved and restored.
-- end quote --

Note that this requires use of CGI's object-oriented interface. So instead of

    use CGI qw/:standard/;
    print header, start_html;

you instead say

    use CGI;
    my $query = new CGI(INPUTFILE);
    print $query->header, $query->start_html;

or just

    my $query = new CGI;

to get parameters the normal cgi way, or a variety of other ways which you can read about in perldoc CGI, which I encourage you to do.

- John

P.S. I'm about to unsubscribe to go on vacation. I will probably be back in a few weeks.

=
Now it's over, I'm dead, and I haven't done anything that I want; or, I'm still alive, and there's nothing I want to do. - They Might Be Giants, http://www.tmbg.com

__
Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Perl CGI FORM statement
Maureen,

Personally, I would just print out the raw HTML in this case rather than try to use CGI's form function. Something like (ignore the word wrap, please):

    print p( "A paragraph with CGI.pm" );

    # Now output the plain HTML tags
    print "<form action='myscript.cgi' method='get'>";
    if( $my_first_condition ) {
        print "<input type='radio' name='$myname' value='0'>";
    }
    # repeat for whatever your logic is
    print '</form>';

    print p( "Then use CGI some more, if you want..." );

Does that help?

- John

--- Maureen E Fischer [EMAIL PROTECTED] wrote:
> Hello,
> My question is about CGI's form statement. I wrote a program that outputs three fields. Two of the three are fields from which one option is selected. The number and type of options presented are based on the user identified in the environmental variables. I got the screen to print out correctly, but when the submit button is pressed the only information that is passed to the next program is the information from the last FORM statement that I output. So I am thinking that I have to somehow output all three fields in one form statement. If that is true then how is this done when the number of OPTIONs will vary.
>
> Thanks,
> Maureen
Re: HTML textarea contents into Perl CGI
--- David vd Geer Inhuur tbv IPlib [EMAIL PROTECTED] wrote:
>     $data = param('data');
>     $data =~ s/\n/<br>/g;
>
> > Situation: I am reading into my script via param() a textarea called Job Duties. When I print out that parameter in perl all of the new lines are ignored and it prints as one long string.

Here's a slightly more sophisticated algorithm (he says with great Hubris(tm) ;-) that I wrote about a month ago. I have a function for either direction, and they translate double newlines into paragraphs as well as single ones into line breaks. (Probably appears identically in most browsers, but seems more correct.) Also removes any doubt about \n handling, although it's possible that that doubt is justified only in my mind.

Sorry about the word wraps, those were inserted by the Yahoo! email editor.

- John

    sub NL2HTML {
        local $_ = shift;
        s/\x0d\x0a/\x0d/g;              # Strip LF out of CR/LF combinations (Convert DOS -> *nix)
        s/\x0d+$//g;                    # Strip out any CR at end, unnecessary (??? WHY NOT WORKING ???)
        s/\x0d{2}|\x0a{2}/<\/p><p>/g;   # Replace double CR or LF with paragraph break </p><p>
        s/\x0d|\x0a/<br>/g;             # Replace single CR or LF with line break <br>
        return "<p>$_</p>";             # Wrap whole thing in outside <p></p>
    }

    sub HTML2NL {
        local $_ = shift;
        my $eol = shift || "\x0d\x0a";  # Default newline is CR/LF unless overridden
        s/^<p>(.*)<\/p>/$1/;            # Strip out the outside <p>...</p>
        s/<\/p><p>/$eol$eol/g;          # Replace internal paragraphs with double newlines
        s/<br>/$eol/g;                  # Replace internal line breaks with one newline
        return $_;
    }
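Added example, not John's code and not part of the original thread: the same newline-to-markup conversion with the textarea text HTML-escaped before any tags are inserted, so markup typed into the field is displayed rather than interpreted, and the reverse direction stays unambiguous. The function names and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: escape first, then add markup.
use strict;
use warnings;

my %ENTITY = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
my %CHAR   = reverse %ENTITY;

# Textarea text -> HTML paragraphs and line breaks (hypothetical name).
sub nl2html_escaped {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/\x0d\x0a?/\x0a/g;           # CR/LF or bare CR -> LF
    $text =~ s/\A\x0a+//;                  # drop leading blank lines
    $text =~ s/\x0a+\z//;                  # drop trailing blank lines
    $text =~ s/([&<>"'])/$ENTITY{$1}/g;    # escape BEFORE inserting our own tags
    my @paragraphs = split /\x0a{2,}/, $text;
    s/\x0a/<br>/g for @paragraphs;         # single newline -> line break
    return join '', map { "<p>$_</p>" } @paragraphs;
}

# Inverse of nl2html_escaped. Every literal <p> or <br> left in the string is
# one we inserted, because the user's own angle brackets were escaped.
sub html2nl_unescaped {
    my ($html, $eol) = @_;
    $eol = "\x0d\x0a" unless defined $eol;
    $html =~ s/\A<p>//;
    $html =~ s/<\/p>\z//;
    $html =~ s/<\/p><p>/$eol$eol/g;
    $html =~ s/<br>/$eol/g;
    $html =~ s/(&(?:amp|lt|gt|quot|#39);)/$CHAR{$1}/g;   # one pass, so no double unescape
    return $html;
}

# Constructed sample: what a "Job Duties" textarea might submit.
my $submitted = "Ran backups & restores\x0d\x0aWrote <b>docs</b>\x0d\x0a\x0d\x0a"
              . "<script>alert(1)</script>\x0d\x0a";

my $html = nl2html_escaped($submitted);
print "$html\n";
print html2nl_unescaped($html, "\n"), "\n";
```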
Re: CGI.pm v/s roll-your-own [WAS:] Displaying Problems
After all, Hubris is one of St. Larry's Three Cardinal Virtues! So this seems to me to be a properly Perl-ish attitude.

- John

--- [EMAIL PROTECTED] wrote:
> ... minded here, I'm just the type of person who if I'm not perfectly happy with the way something works (whether programming or in the real world), I determine whether I can fix it, if I can I do.
Re: CGI.pm v/s roll-your-own [WAS:] Displaying Problems
Oh, dear, I was afraid that that message might be misinterpreted! I thought my humor was evident enough by the informal language, but I guess I should have put a smiley on it too.

I didn't mean hubris in a bad sense. The sense I get from Larry's use of it (from reading the Camel book), and the sense I meant here, was having enough self-confidence to believe that you *can* do all the things you mention, rather than just putting up with what is handed to you because you're too humble to think that little old you could do better. It might tend towards arrogance in some cases, maybe, especially when unwarranted by the actual talent behind it, but true arrogance connotes more negative personality traits, such as not being open to other points of view or debate, and that's *not* what I meant.

I did assume familiarity with Larry's philosophy of Laziness, Impatience, and Hubris as The Basis of All Good Software Design, and maybe I shouldn't have. I'd quote some of this from the Camel book, but I don't have it with me. I would summarize it as good programmers don't like to write the same thing over and over, yet if they don't like something they got elsewhere, they'll write something themselves that they like better. I suspect he intentionally chose provocative words to get people's attention, but his claim that they lead to good software design implies that far from being bad traits, he thinks that they are actually good traits, properly applied.

I apologize that my message was taken negatively. I meant it positively. I support the spirit of your effort.

- John

--- [EMAIL PROTECTED] wrote:
> That actually has nothing to do with it. It has everything to do with the strong desire to improve circumstances, be innovative, make the world a better place. If you want to call me arrogant for trying to improve my surroundings, go right ahead, but you're tacking the wrong name on me.
>
> David
>
> - Original Message -
> From: John Brooking [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]; Todd Wade [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Thursday, June 27, 2002 12:57 PM
> Subject: Re: CGI.pm v/s roll-your-own [WAS:] Displaying Problems
>
> > After all, Hubris is one of St. Larry's Three Cardinal Virtues! So this seems to me to be a properly Perl-ish attitude.
> >
> > - John
Re: passing variables in POST
Marty,

David's explaining it pretty well, but let me take another crack at it. I was in your position about a year ago and got royally (and publicly) flamed on the perl beginners list by a security admin for deigning to give CGI advice without knowing this, so I got what you might call a crash course!

As David says, the place that you can see the hidden variables is in the page where the form is, before you submit it. It is true that once you submit it, you don't see them go, and once you arrive at the target script, they are not available. But they can be discovered by looking at the page source before submission.

So what? The user can't change the page source, right? Well, wrong. Anyone could save a copy of the page to their own file system, modify the hidden values there, and submit that modified page to your server! Your server script may or may not be checking the referer [sic] environment variable to ensure that only submissions originating from your site are valid. If it's not, this bogus and potentially malevolent request would get right through!

But wait, there's more! Even if your script *did* check the referer, that's no protection either! An experienced programmer can easily use Perl's LWP module or its equivalent in some other language to make the request with a faked referer variable. So really, POST variables are no more secure than GET variables, it just takes a little more doing to fake them.

Does this matter in your situation? If it's a session id, it seems to me that either it's the correct session id that you gave them, or it's something else they made up, in which case it's probably invalid and so your script will just ignore it or throw an error. (It's theoretically possible I suppose that they might guess a number that's someone else's current session id, but that seems extremely unlikely.) And if you're passing it to log them off, even if they attempt to use it again, they'll be logged off by then, so it won't work anymore anyway. (But then, why does it even matter if it's hidden or not?)

So in the end, it's your decision. But it's important that you understand it all so that you can make an informed decision. By the way, I'm still not a security expert, so don't take my word as the final one either!

- John

--- Marty Landman [EMAIL PROTECTED] wrote:
> At 06:06 AM 6/25/02 -0500, David T-G wrote:
> > If the variables are in the page to be in the form to be sent back via POST, then the user can find them, period. Try it yourself: set up something via POST and then surf to the page and then view source or the equivalent in your browser (and if there isn't an equivalent then find a browser, even if just for a moment, that DOES have it) and look and see your data hanging right out there for all to see.
>
> David,
>
> Sorry but I don't get what you mean here. When I have a page call a program with info from a form being posted then the program picks up the data and then creates whatever output web page is appropriate. The posted data comes in via STDIN so unlike a GET where the data is actually part of the URL, in a POST it isn't viewable from the browser.
Re: passing variables in POST
--- Marty Landman [EMAIL PROTECTED] wrote:
> > ... check the referer, that's no protection either! An experienced programmer can easily use Perl's LWP module or its equivalent in some other language to make the request with a faked referer variable. So really, POST variables are no more secure than GET variables, it just takes a little more doing to fake them.
>
> Didn't realize this. What exactly is the right procedure then to safeguard scripts such as formmailers from being hijacked?

Not sure if there is a way. We had a big discussion a few weeks back about a certain classic form mailer script (and let's not resurrect it please!), and from what I could tell, one of the improvements made by the recommended replacement was that it put a limit on the number of simultaneous target addresses, to prevent spamming. This makes me think there's really no way to enforce who is calling you. But I don't know that for sure. Ovid's point a few messages ago that you shouldn't trust anything outside your own box also seems relevant.

Anyone with more security experience want to take a crack at this? (Where's that guy who flamed me last year when I need him? :-)

- John
Using CGI.pm [WAS Re: Displaying Problems]
I tend to always use CGI.pm to get the parameters, but I may or may not use it to output HTML. If it's simple HTML, I will, because it's easier and safer, but if it's complicated, like a lot of JavaScript in the header, or for most form input controls, I just use print statements, either normal ones for one or two lines, or the <<END form for larger sections.

The other day I found myself using mostly one large <<END statement, with variables embedded to insert the results that I had calculated earlier. At some point, I realized I was approaching the concept used by HTML::Template, except that I had both code and presentation in one source file rather than splitting it.

Different techniques for different situations.

- John
RE: What editor for Perl do you recommend?
Recognizing that this is a religious issue among many programmers, I submit for what it is worth that I use Ultra-Edit (Windows). It has everything you ask, you can extend the syntax for color-coding, run command line programs and capture the output in a window, edit remote files via FTP, record and re-run keyboard macros, and edit in column mode, to name just the features I use frequently. The column mode is handy for cutting or inserting characters in a certain column of contiguous lines (such as placing a # in front of many lines at once), and tab/shift tab will indent and unindent groups of lines.

Granted, emacs and others can do the same things, so you see that you have a lot of choices.

-John

> From: Octavian Rasnita [EMAIL PROTECTED]
> Subject: What editor for Perl do you recommend?
> Date: Mon, 24 Jun 2002 08:06:40 +0300
>
> Hi all,
>
> Can you recommend me a good editor for Perl scripts that runs under Windows? It should:
Re: passing variables in POST
Only way I know of is to have the variables in their own private form somewhere on the page, such as:

(HTML tags embedded in email message here!)

    <form name="otherForm" action="myScript.pl" method="POST">
    <input name="var1" type="hidden" value="val1">
    <input name="var2" type="hidden" value="val2">
    </form>

Then have the link submit the form programmatically using javascript:

    <a href="javascript: document.otherForm.submit();"> Click here </a>

You should be aware, if you are not already, that this is not really as secure as you might think, as users can always view the page source to find out what these values are. They can even submit their own copy of the page after changing the values to whatever they want. And even if the target script checks referers to guard against this, the referer can be spoofed too. So while you may be protecting yourself against the average user who doesn't know how anything works, knowledgeable hackers can easily get around it. Just FYI.

- John

--- Niko Gunadi [EMAIL PROTECTED] wrote:
> Hi,
>
> I want to create a link to another page and want to pass some variables in which I do not want the user to know. (POST method) how to do that ?
>
> regards,
> niko
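Added example, not code from any poster in these threads: one way for the receiving script to detect the edited hidden values described above and in the earlier "passing variables in POST" messages, by sending an HMAC and an expiry time along with the fields and recomputing them on submission. It does not hide the values from View Source and does not identify who is calling; the secret, the helper names, the extra `_exp` and `_sig` fields and the timings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: tamper-evident hidden fields.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random value that never leaves the server (placeholder).
my $SECRET = 'constructed-demo-secret-change-me';

# Length-prefix names and values so ("a","bc") and ("ab","c") sign differently.
# Assumes byte strings; encode text to UTF-8 first if fields may be wide.
sub canonical {
    my ($fields) = @_;
    my $out = '';
    for my $name (sort keys %$fields) {
        my $value = $fields->{$name};
        $out .= length($name) . ":$name" . length($value) . ":$value";
    }
    return $out;
}

# Fields to emit as hidden inputs: the originals plus _exp and _sig.
sub seal_fields {
    my ($fields, $ttl, $now) = @_;
    my %out = (%$fields, _exp => ($now // time) + $ttl);
    $out{_sig} = hmac_sha256_hex(canonical(\%out), $SECRET);
    return \%out;
}

# Compare without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns (1, \%fields) for an unmodified, unexpired submission, else (0, reason).
sub open_fields {
    my ($submitted, $now) = @_;
    my %in  = %$submitted;
    my $sig = delete $in{_sig};
    return (0, 'missing signature') unless defined $sig && defined $in{_exp};
    return (0, 'bad signature')
        unless same_string($sig, hmac_sha256_hex(canonical(\%in), $SECRET));
    return (0, 'expired') if ($now // time) > $in{_exp};
    delete $in{_exp};
    return (1, \%in);
}

# Constructed demo using the var1/var2 form from the message above.
my $sealed   = seal_fields({ var1 => 'val1', var2 => 'val2' }, 600, 1_000_000);
my %tampered = (%$sealed, var2 => 'something-else');

for my $case (['as issued',                    $sealed,    1_000_100],
              ['value edited in a saved copy', \%tampered, 1_000_100],
              ['resubmitted after expiry',     $sealed,    1_000_700]) {
    my ($label, $params, $now) = @$case;
    my ($ok, $result) = open_fields($params, $now);
    printf "%-30s %s\n", $label, $ok ? 'accepted' : "rejected: $result";
}
```

For the formmailer case raised earlier, the same reasoning says the recipient address should be chosen by the script from its own configuration rather than read from any submitted field, signed or not.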
Re: My mind is numb!
Ben,

I have found any of the O'Reilly books (http://perl.oreilly.com/) to be an excellent resource. I own _Programming Perl_ (a.k.a. The Camel Book) and find its writing style to be very easy to read (even if I still have to re-read the complicated bits several times to really understand them), not to mention very humorous in places. Of course, it helps that one of the authors is Larry Wall himself. I've also heard good things about _Learning Perl_ (The Llama Book), but have never read it myself. Also, the O'Reilly _Perl Pocket Reference_ is absolutely invaluable!

- John

--- Alfred Wheeler [EMAIL PROTECTED] wrote:
> Comfortably numb? ;-)
>
> This might help (a little more introductory...):
>
> Copyright: 2001
> Format: Paper Bound w/CD-ROM, 1057 pp.
> ISBN: 0-13-028418-1
>
> In Perl How to Program, the Deitels and their colleagues, Tem R. Nieto and David C. McPhie, discuss topics you need to build complete, Web-based applications including:
>
> CGI/HTML forms/XML/CGI.pm
> Control Structures/Arrays/Hashes
> Regular Expressions/Strings
> Objects/Encapsulation
> OOP/Inheritance/References
> Database/DBI/SQL/Signals/Contexts
> Security/Accessibility
> Typeglobs/File Globbing
> Networking/Sockets/Internet Protocols
> Cookies/Session Tracking
> Filehandles/Data Structures
> Process Control/Forking/Piping
> Subroutines/Modules/Packages/Overloading
> Web Automation/OLE Automation
> Server-Side Includes/Ties/Closures
> Graphics/GUI/Perl/TK
>
> Ben Huyghebaert wrote:
> > I just spent about 5-6 hours going through some of the unix mans for perl. I'm trying to get a better grasp on perl/cgi because right now a lot of it still confuses me even after reading a whole book about it. I think I'm mostly confused because there are so many ways to do things and then one wrong step that is hardly noticeable can throw everything outta wack!
> ... etc.
Fwd: [htmltmpl] [PATCH] default_escape
For users of HTML::Template, attached is a note about a patch someone wrote to help guard against cross-site scripting attacks when using said module. FYI. Note: forwarded message attached. = Now it's over, I'm dead, and I haven't done anything that I want; or, I'm still alive, and there's nothing I want to do. - They Might Be Giants, http://www.tmbg.com __ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com ---BeginMessage--- This patch allows you to do HTML::Template-new(default_escape = 'HTML'); then your TMPL_VARs will always be HTML-escaped unless you explicitly specify ESCAPE=0, which will be a handy guard against Cross Site Scripting attacks. -- Tatsuhiko Miyagawa [EMAIL PROTECTED] diff -ruP HTML-Template-2.5.orig/Template.pm HTML-Template-2.5/Template.pm --- HTML-Template-2.5.orig/Template.pm Fri Jun 21 16:05:21 2002 +++ HTML-Template-2.5/Template.pm Fri Jun 21 16:03:29 2002 @@ -927,6 +927,7 @@ no_includes = 0, case_sensitive = 0, filter = [], + default_escape = 0, ); # load in options supplied to new() @@ -1822,7 +1823,7 @@ $which = uc($1); # which tag is it - $escape = $3 || $8; + $escape = $3 || $8 || $options-{default_escape}; $escape = 0 if $2 || $7; # ESCAPE=0 $escape = 0 unless defined($escape); diff -ruP HTML-Template-2.5.orig/test.pl HTML-Template-2.5/test.pl --- HTML-Template-2.5.orig/test.pl Fri Jun 21 16:05:21 2002 +++ HTML-Template-2.5/test.pl Fri Jun 21 16:04:56 2002 @@ -3,7 +3,7 @@ use strict; use Test; -BEGIN { plan tests = 55 }; +BEGIN { plan tests = 57 }; use HTML::Template; ok(1); 
@@ -717,3 +717,18 @@ filename = 'include_path/one.tmpl'); $output = $template-output; ok($output =~ /ONE/ and $output =~ /TWO/ and $output =~ /THREE/); + +# test default_escape +$template = HTML::Template-new(path = ['templates'], + filename = 'simple.tmpl', + default_escape = 'html'); +$template-param(ADJECTIVE = 'very'); +$output = $template-output; +ok($output =~ /quot;veryquot;/); + +$template = HTML::Template-new(path = ['templates'], + filename = 'escape.tmpl', + default_escape = 'html'); +$template-param(STUFF = ''); +$output = $template-output; +ok($output !~ //); --- Sponsored by: ThinkGeek at http://www.ThinkGeek.com/ ___ Html-template-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/html-template-users ---End Message--- -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
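Review bot: default_escape is used as the escape mode exactly as supplied, in the Template.pm hunk that sets $escape from $3, $8 and then the new option, and nothing in the patch checks the value passed to new(). The covering note uses 'HTML' while the new tests pass 'html', so which spellings are accepted is left to whatever the later escape code tolerates. Validate the option once in new() against the values the ESCAPE attribute accepts and reject anything else, and add a POD entry for the option, since the patch touches only the defaults list, this assignment and test.pl.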
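Review bot: the tests added to test.pl only show the default being applied; the opt-out promised in the covering note, an explicit ESCAPE=0 on a TMPL_VAR, has no test, although the existing line "$escape = 0 if $2 || $7;" now has to override the new default. Add a case that loads a template with default_escape set and one variable marked ESCAPE=0, and assert that this variable comes out unescaped while a neighbouring variable without the attribute is escaped.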
Re: refreshing problem
Okay, I gotcha. The same script generates the form every time. If it has some parameters, it processes them first, then regardless, it draws the form for the next time.

I think the browser is working as intended. No matter what the current URL is, the Refresh button simply re-requests it, including any parameters that were included in the last request. That's just how it works. I've seen this lots of times with my own stuff.

I think what you need to do is separate your form and your processing script. You should be able to still have the form page be a script of some sort, in case there are any data lookups and so forth to be done, but if it can be plain HTML and maybe a little client-side Javascript, all the better. Have the form call the script, which now does only the processing but no output, then have the script redirect back to the form page at the end. Then the Refresh button will repeat the request to show the form page only, and not the entire processing script.

Hope this helps!

- John

--- spider man [EMAIL PROTECTED] wrote:
> The redirection to itself actually works. I wonder if there are any flaws in this process. It seems to be more of a work around instead of an actual correct way of doing things. What do you think?
>
> spider man [EMAIL PROTECTED] wrote:
> > My script has HTML code generated at the at the file. There is an if condition on the param() values at the beginning for processing. Regardless of the if condition, the code to generate HTML code is executed at the end. So the form is http:////form.pl and when you submit the form it doesn't redirect and run the same script again for the HTML. So you will see http://.../.../form.pl again. Would redirect to another URL and then back to the script form do the trick?
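Added example, not code from the thread: the arrangement John describes (process the POST, emit no page, redirect back to the form) modelled as a function that returns the raw CGI response, next to the one-script version the question describes, with a tiny simulated browser that submits once and then presses Refresh. The URL, the `item` field and the in-memory `@orders` list are constructed stand-ins.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: process on POST, then redirect to a GET.
use strict;
use warnings;

my $FORM_URL = 'http://www.example.com/cgi-bin/form.pl';   # hypothetical URL
my @orders;                                                # stands in for the real side effect

# Returns the raw CGI response for one request.
sub handle_request {
    my ($method, $params, $redirect_after_post) = @_;
    if ($method eq 'POST') {
        push @orders, $params->{item};
        # 303 makes the browser fetch the form with GET, so the POST is no
        # longer the current request that Refresh would repeat.
        return "Status: 303 See Other\r\nLocation: $FORM_URL\r\n\r\n"
            if $redirect_after_post;
    }
    return "Content-Type: text/html\r\n\r\n"
         . '<p>Orders so far: ' . scalar(@orders) . '</p>'
         . "<form method='post' action='$FORM_URL'>"
         . "<input name='item'><input type='submit'></form>";
}

# Minimal browser model: submit the form, follow a redirect if one comes
# back, then press Refresh once (which repeats the last request made).
sub submit_then_refresh {
    my ($redirect_after_post) = @_;
    @orders = ();
    my @last = ('POST', { item => 'widget' });
    my $response = handle_request(@last, $redirect_after_post);
    if ($response =~ /^Status: 303/) {
        @last = ('GET', {});
        $response = handle_request(@last, $redirect_after_post);
    }
    handle_request(@last, $redirect_after_post);    # the Refresh button
    return scalar @orders;
}

printf "form and processing in one response: %d order(s) recorded\n", submit_then_refresh(0);
printf "redirect after processing:           %d order(s) recorded\n", submit_then_refresh(1);
```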
Re: Uploading Help
True. The only print statement I see here is the one which prints the contents of $uploaded to FILE. Maybe after you do this, you want to either print out an HTML response or redirect to another page? If so, you need to write more code to do that.

- John

--- LinkS On WeB [EMAIL PROTECTED] wrote:
> for some reason when, I do this it doesnt print any thing, it just makes the file.
>
>     sub uploadfile {
>         for ($i=1; $i<=5; $i++) {
>             if ($q->param("file$i")) {
>                 $filename = $q->param("file$i");
>                 $file = $q->param("file$i");
>                 $filename =~ s/.*[\/\\]//;
>                 open (FILE,">$user{'site_id'}/$filename") || error("Could not create $filename: $!");
>                 {
>                     local $/="";
>                     my $uploaded = <$file>;
>                     print FILE $uploaded;
>                 }
>                 close FILE or die $!;
>             }
>         }
>     }
Re: Uploading Help
Oh! Upon re-reading I realize you probably meant that nothing is printed to the file, you are just getting an empty file created. Sorry for misunderstanding.

Unfortunately, I don't have any experience in uploading files, so I'm sure that others on this list can be of more help than I can. (In fact, I'm about to make my own first attempt at this, so I can tell you more in a few days!)

- John

--- John Brooking [EMAIL PROTECTED] wrote:
> True. The only print statement I see here is the one which prints the contents of $uploaded to FILE. Maybe after you do this, you want to either print out an HTML response or redirect to another page? If so, you need to write more code to do that.
>
> - John
>
> --- LinkS On WeB [EMAIL PROTECTED] wrote:
> > for some reason when, I do this it doesnt print any thing, it just makes the file.
> ... etc.
Re: [OT] RE: POD vs. # Comments
--- David T-G [EMAIL PROTECTED] wrote:
> ...
> % Programming Perl?) says that comment, when used as
> % a translator keyword following =for, is by
>
> Whoa! You found that in there?? Do you have 3e or 2e? I couldn't find any POD commands in my 2e (Covers Perl5!) copy, which is why I kept bugging the list for pointers (and finally got them; thanks, all!).

Third Edition (Revised and Updated), Chapter 26, Plain Old Documentation. The information I quoted was from page 634, 3rd full paragraph.

- John
[OT] RE: POD vs. # Comments (was Am I doing something wrong?)
Well, I confess that I sometimes use POD directives to write a long comment (more than about 1/2 dozen lines). My rationale is that I haven't really learned POD very well yet, and so far I haven't released any of this code publicly. When I do, I intend to revisit the code and make a better distinction between what is properly POD doc'n and what is just code comments.

Meantime, I do think it's a pain to write multiple paragraph comments as lines beginning with '#'. It's a little easier with a good editor that has column mode. You set it to wrap text, write the paragraph(s), then turn off wrap, column-select the beginning column of every line, type '# ', and presto, they all start with '# '. Of course if you want to change something, you have to take them all out again (column select and delete) and re-do the process, including re-wrapping the paragraphs. A multi-line comment would still be easier. (But I guess I missed the public comment period for Perl 6, didn't I? I wonder if anyone raised this suggestion?)

- John

--- Scot Robnett [EMAIL PROTECTED] wrote:
> What you are doing is not commenting; you're creating POD documentation. To comment out lines in Perl, use the # character.
>
>     #!/usr/bin/perl -w
>     print "Hello, world! \n";
>     # This is a comment where you
>     # can write about what you're
>     # doing in a particular block
>     # so other programmers won't
>     # be confused by your code.
Re: [OT] RE: POD vs. # Comments
--- drieux [EMAIL PROTECTED] wrote:
> ... Solving 'what should be in the pod' as opposed to 'in code comments' ...

POD doc'n in CPAN modules is basically of the "here's how to use this code" variety, so taking that as the model, here's what I'm thinking about that distinction. If it's about how to USE the code, such as the arguments expected by a function, that's POD doc'n. If it's something about the internals that only the developer needs to know, such as more explanation of a particularly gnarly algorithm, then it needn't and probably shouldn't be POD. Don't confuse your audience with things they don't need to know.
Re: [OT] RE: POD vs. # Comments
--- Felix Geerinckx [EMAIL PROTECTED] wrote:
> on Mon, 10 Jun 2002 17:37:46 GMT, John Brooking wrote:
> > [...] If it's something about the internals that only the developer needs to know, such as more explanation of a particularly gnarly algorithm, then it needn't and probably shouldn't be POD. Don't confuse your audience with things they don't need to know.
>
> But then you could always use
>
>     =for those_interested_in_the_nifty_algorithm
>
>     Explanation of the nifty algorithm
>
>     =cut
>
>     # rest of code
>
> which will never show up in a pod2something translation. I tend to use this only to (temporary) comment out large chunks of code though. For 'real' comments, I always use #.
>
> --
> felix

Hey! The Camel book (am I right in assuming that is the Perl community's nickname for O'Reilly's Programming Perl?) says that "comment", when used as a translator keyword following =for, is by convention ignored by all translators. So in my mind, "=for comment" would be a Safe and Acceptable way to begin a multiple line comment that you don't want your public to see.

Or, if you are commenting only for yourself or other future developers, you could use something like "=for developers", and write a translator that responds to that word. But maybe not, because a translator by definition translates to a particular output format, whereas this translator is named not for the output format it creates but for the POD sections it selects. So it kind of gets away from the intended purpose. Maybe the standard POD syntax ought to have an audience directive, and include a command line flag on perldoc to indicate what audiences to include. (Drat, second time today I've regretted missing the Perl 6 comment period!)

- John
[OT] Re: What database would your recommend?
Not to be pedantic, but isn't PHP a *language*, not a database? So you could use almost any particular database with either PHP or Perl. Or does PHP have its own built-in database and that's what you meant? (I looked at PHP a little once, and I have to admit a knee-jerk negative reaction to a language that relies on indentation for intuiting program flow. [Please avoid copying this list on any religious responses to that last sentence; take it up with me personally if you must.])

Of course, if we're being pedantic, I would point out that this whole thread has been off-topic from the start, but I'll just content myself with prefixing the subject with [OT].

- John

--- Fred Sahakian [EMAIL PROTECTED] wrote:
> depends what you need to do, PHP has become VERY popular
[OT] Re: First and second rate programmers
On Wednesday, June 5, 2002, at 08:40 , Ovid wrote:
> [..]
> First-rate mathematicians want to hang around first-rate mathematicians. Second-rate mathematicians want to hang around third-rate mathematicians. The reason for that is left as an exercise for the reader :)

So, ignoring for the moment drieux's eloquent case for calling this a bogus distinction (if I understood what he said, which isn't always easy), if we assume for the sake of argument that a newbie is a third-rate Perl programmer (although granted s/he may be first rate in another pond), what does that make you experienced people hanging around with us? :-) [Besides wonderful and nice people, of course?]

And then drieux said:
> But what if 12 years in the industry helped me better understand how frighteningly silly that Degree in Computer Science really was to begin with?

Au contraire. I know it is fashionable to wonder what all that education was good for, but after about 10 years myself, I find that I have repeatedly been able to pick up new languages and packages at a faster rate than many of my peers in the corporate IT world, and I credit the value of the more conceptually abstract 4-year CS degree as compared to the very concrete and limited 2-year business programming degree of some of my colleagues. Having learned abstractly about algorithms, operating system internals, compilers, and so on may not be something I use everyday (not to even mention functional programming and CS theory, much of which I've no doubt forgotten), but it's given me a higher framework in which to categorize and relate new knowledge, which is what learning is all about. The tradeoff is that I actually graduated knowing nothing about how to use any particular commercial databases, for instance, but I knew about tree structures and hash tables, and once you know the concepts and theory, it's easy to pick up specific commercial implementations. But then, I never went to grad school or into academia, so perhaps I'm really just one of the middle-tier people myself! :-)

> Or would this be the wrong place to propose that if only Larry Wall had been a team player and been willing to do what needed to be done to make things in sed/awk more elegant - and be a 'real first water' programmer rather than someone out to impress the 3rd tier wankers...
>
> But the same would also apply to the fact that those CERN wankers really should have been content with telnet and ftp - since clearly this whole skank with the lame, lame, lame HTTP protocol was merely there because those were so clearly lame types who were never going to be 'real programmers'..

Hey, for that matter, what was so wrong with assembly language? ;-)

- John
Re: HTML in E-mail
--- David T-G [EMAIL PROTECTED] wrote:
> Scot, et al --
>
> ...and then Scot Robnett said...
> %
> % I don't personally share the 'HTML e-mail is evil' philosophy. And even if
>
> ... snip ...
>
> (if, in fact, he hasn't solved this already; Camilo's email intimated that he had, which means we're pursuing the ultimate beating of a dead horse here :-)

If I may be allowed to beat the poor dead horse a little more, and at the risk of reviving this thread, but playing devil's advocate because, after all, this *is* a beginners' list: Why is HTML mail evil? (If you believe it is.) Because it can be so easily hacked? That's a big reason, but are there others I don't know about? I can imagine average Joe User saying "But of *course* I want to be able to format my email with 10 different font faces, sizes, and colors. Plain text is for geeks." Is maybe Rich Text Format the real answer?

- John
Re: Insertion of table causes syntax error-message
--- Richard Krause [EMAIL PROTECTED] wrote:
> I found out what the problem is. If you write
>
>     $q->table({-border=>undef},
>     #caption('When Should You Eat Your Vegetables?'),
>     ... snip ...
>
> instead of
>
>     print table({-border=>undef},
>     caption('When Should You Eat Your Vegetables?'),
>     ... snip ...
>
> it works. Otherwise you get a "Undefined subroutine &main::caption called at ..." error message. Is there an explanation for this?

CGI.pm has two different styles, looks like you're mixing them. Basically, you've got your standard function style:

    use CGI qw/:standard/;
    print header, start_html("My page");

or your object-oriented style:

    use CGI;
    my $q = new CGI;    # an object!
    print $q->header, $q->start_html("My page");

Completely your choice which you use, but you've got to choose one and stick with it. See perldoc CGI for details.

- John
Re: CGI/Perl-usertracking
I'm sorry, I don't understand your question very well. Can you give an example? By "standard-Perl only", do you mean only using modules that come with Perl?

--- Sven [EMAIL PROTECTED] wrote:
> Hello all!
>
> Can anyone give me a hint what I should do? I want to realize a search in the results of a previous search. So I need to name the users (ID) and store/pass the results.
>
> 1) How can I do this with standard-Perl only? (main question)
> 2) What would be the recommended way if no restriction?

=
When you're following an angel, does it mean you have to throw your body off a building? - They Might Be Giants, http://www.tmbg.com
Word of the week: Serendipity, see http://www.bartleby.com/61/93/S0279300.html
Re: Mail script not working for Netscape (was real beginner help needed)
Can you post some of the relevant code? (If it's long, please consider putting it up as an HTML page and just sending us the URL.) Not that I'm promising I personally will have time to look at it or know the answer...

--- Hughes, Andrew [EMAIL PROTECTED] wrote:
> I need help. I inherited this script that adds people to a text file for our mailing list. It works in Explorer. However, it does not work in Netscape. Valid email addresses are blocked and the subroutine dienice is called in Netscape. It is pretty short and simple. I do not have time to rewrite it right now. Could anyone make any suggestions?
>
> Thanks in advance,
> Andrew
>
>     #!/usr/bin/perl
>     print "Content-type:text/html\n\n";
>
>     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>     @pairs = split (/&/, $buffer);
>     foreach $pair (@pairs) {
>         ($name, $value) = split(/=/, $pair);
>         $value =~ tr/+/ /;
>         $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($l))/eg;
>         $FORM{$name} = $value;
>     }
>
>     chdir '../../discounts/ia/';
>     $DESTINATION="http://www.website.com/eclub_thankyou.adp";
>     $f_name=$FORM{'f_name'};
>     $l_name=$FORM{'l_name'};
>     $company=$FORM{'company'};
>     $email=$FORM{'email'};
>     $us_state=$FORM{'us_state'};
>     $birth_month=$FORM{'birth_month'};
>     $birth_year=$FORM{'birth_year'};
>     $country=$FORM{'country'};
>     $salary=$FORM{'salary'};
>     $home=$FORM{'home'};
>     $clothing=$FORM{'clothing'};
>     $jewelry=$FORM{'jewelry'};
>     $air=$FORM{'air'};
>     $food=$FORM{'food'};
>     $hotel=$FORM{'hotel'};
>     $entertainment=$FORM{'entertainment'};
>     $auto=$FORM{'auto'};
>     $household=$FORM{'household'};
>     $electronic=$FORM{'electronic'};
>     $vacation=$FORM{'vacation'};
>     $tm = time;
>     $now = localtime($tm);
>
>     if ($FORM{'email'} !~ /[\w\-]+\@[\w\-]+\.[\w\-]+/) {
>         dienice("Please enter a valid email address");
>     }
>
>     open(OUTF,">>eclub.xls");
>     flock(OUTF,2);
>     seek(OUTF,0,2);
>     print OUTF "$f_name\t$l_name\t$company\t$email\t$us_state\t$birth_month\t$birth_year\t$country\t$salary\t$home\t$clothing\t$jewelry\t$air\t$food\t$hotel\t$entertainment\t$auto\t$household\t$electronic\t$vacation\t$now\n";
>     close(OUTF);
>
>     print <<EndHTML;
>     <HEAD>
>     <meta http-equiv="Refresh" content="0; URL=$DESTINATION">
>     </HEAD>
>     EndHTML
>
>     sub dienice {
>         my($msg) = @_;
>         print "<h2>Error</h2>\n";
>         print $msg;
>         exit;
>     }
Re: Translating newlines to HTML paragraphs
--- Matthew Weier O'Phinney [EMAIL PROTECTED] wrote:
> I've gone through and read all the other posts in reply to this, and they all seem to ignore a very simple solution.
>
> First: strip off the \r\n:
>
>     s/\r\n/\n/sg
>
> Then look for the pattern \n\n (which would indicate the existence of an empty line. For example:
>
>     Some paragraph text\n\nA

I've got my solution, it's something like yours, and it works fine. The main difference was I explicitly used \x0d and \x0a because I wasn't sure if \n and \r were defined to the same ASCII codes on all platforms. Any double newlines I assume the user meant a paragraph, any single ones just a line break. Here's the code I finally used (embedded tags, sorry if code wraps in ugly places due to this silly Yahoo editor):

    sub NL2HTML {
        $_ = shift;
        s/\x0d\x0a/\x0d/g;              # Strip LF out of CR/LF combinations (Convert DOS -> *nix)
        s/\x0d{2}|\x0a{2}/<\/p><p>/g;   # Replace double CR or LF with paragraph break
        s/\x0d|\x0a/<br>/g;             # Replace single CR or LF with line break
        return "<p>$_</p>";             # Wrap whole thing in outside <p></p>
    }
Re: getting those \r\n out -
--- drieux [EMAIL PROTECTED] wrote:
> ...
> http://www.wetware.com/drieux/pbl/cgi/ParseParmsToPara.txt
>
> ciao
> drieux

Thanks to all who contributed to this thread. Here's what I finally ended up using, incorporating several of your suggestions (HTML tags in code):

    my $eol = chr(13) . chr(10);    # Test CR/LF combination
    #my $eol = chr(13);             # Test CR alone
    #my $eol = chr(10);             # Test LF alone
    my $Text = "Para.${eol}Para.${eol}Para.";

    if( $Text =~ m/\x0d/ ) {
        $Text =~ s/\x0a//g;
        $Text =~ s/\x0d/<\/p><p>/g;
    } else {
        $Text =~ s/\x0a/<\/p><p>/g;
    }
    $Text = "<p>$Text</p>";
    print $Text;

(Again, this is just my test program. The ultimate intent is to get the input from a TEXTAREA tag in CGI POST data, replace the newlines with P tags, and present it on an HTML page as well as be able to translate it back to the newlines for further editing in a TEXTAREA.)

This wraps the paragraph begin and end tags around each paragraph, which is the official way of doing it, rather than just using the begin tag as I initially was doing. I could have also just replaced newlines with BR tags, but again that seemed like cheating.

I coded to allow for all variations of end-of-line, since despite the post about getting CR/LF on Linux, I didn't think I could assume this would always be the case. I couldn't find the issue addressed at all on the official W3 HTML 4.01 spec (http://www.w3.org/TR/html4/interact/forms.html#h-17.7). In fact, that document didn't even address the WRAP attribute, maybe that is deprecated or a non-standard addition? On IRT.ORG (http://tech.irt.org/articles/js216/index10.htm), there is a discussion which implies that the character may indeed vary between operating systems. Did they test this before printing it? Maybe, maybe not, but I'd rather be safe and handle the possibility.

Thanks again to everyone.

- John
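The conversion in this thread takes whatever the user typed into a TEXTAREA and prints it into an HTML page, so markup in the submitted text would reach the page unless it is escaped before the paragraph tags are inserted. The following is an added example, not code from any poster: it escapes first, converts, and reverses both steps for re-editing. The sub names and the sample input are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): newline-to-paragraph conversion that
# escapes HTML metacharacters first, plus the inverse for re-editing.
use strict;
use warnings;

# Escape the five HTML metacharacters so submitted text cannot add markup.
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Single pass, so an escaped "&amp;lt;" comes back as "&lt;", not "<".
sub unescape_html {
    my ($s) = @_;
    my %chr = ('&amp;' => '&', '&lt;' => '<', '&gt;' => '>',
               '&quot;' => '"', '&#39;' => "'");
    $s =~ s/(&amp;|&lt;|&gt;|&quot;|&#39;)/$chr{$1}/g;
    return $s;
}

# TEXTAREA text -> HTML: blank line = new paragraph, single newline = <br>.
sub text_to_html {
    my ($text) = @_;
    $text =~ s/\x0d\x0a?/\x0a/g;        # CR/LF or bare CR -> LF
    $text =~ s/\A\x0a+|\x0a+\z//g;      # drop leading/trailing blank lines
    my @paras = split /\x0a{2,}/, $text;
    return join '', map {
        my $p = escape_html($_);        # escape BEFORE adding our own tags
        $p =~ s/\x0a/<br>/g;
        "<p>$p</p>";
    } @paras;
}

# HTML produced by text_to_html -> text for a TEXTAREA. Every literal tag in
# that HTML is one we inserted, because the user's own "<" became "&lt;".
sub html_to_text {
    my ($html) = @_;
    $html =~ s{</p><p>}{\x0a\x0a}g;
    $html =~ s{\A<p>|</p>\z}{}g;
    $html =~ s{<br>}{\x0a}g;
    return unescape_html($html);
}

# Constructed sample input: CR/LF line ends, one blank line, some markup.
my $input = "Line one\x0d\x0aline two\x0d\x0a\x0d\x0a"
          . "<b>not bold</b> & \"quoted\"";

my $html = text_to_html($input);
print "$html\n";

(my $expected = $input) =~ s/\x0d\x0a/\x0a/g;
print html_to_text($html) eq $expected ? "round trip ok\n"
                                       : "round trip FAILED\n";
```

When the text goes back into a TEXTAREA it still has to be escaped for that context; pass the result of html_to_text through escape_html before printing it between the TEXTAREA tags.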
Re: Translating newlines to HTML paragraphs
--- drieux [EMAIL PROTECTED] wrote:
> maybe I am missing something here - but isn't this something you would want to be using say
>
>     use CGI qw/:standard/;
>
> for a specific illustration cf:
> http://www.wetware.com/drieux/pbl/cgi/basicPagePopper.txt

Either you're missing something or I am. I looked at your page, and at the CPAN doc'n for Inline::File (which was new to me), but I don't see how that will help me. The code I included in the message was just my test script for developing the regex, but in reality, I'll be getting the input from a POST parameter originating from a TEXTAREA form tag. So I don't see how that can fit the structure that Inline::File is expecting, i.e. data at the end of the script file. See the immediately prior messages between Jake and me for more about what I'm trying to do.

- John
Re: regular expression
I just happened to write exactly this the other day, as a generic configuration file reader. Here's the basics:

    sub readINI {    # argument: filename
        my %params;
        open( INIFILE, $_[0] ) || die "Could not open $_[0]\n";
        while(<INIFILE>) {
            if(! /^#/ ) {    # Allow comments
                chomp;
                $params{$`} = $' if( /=/ );
            }
        }
        return %params;
    }

What you get back is a hash of key/value pairs. In your case, $myhash{name} = 'john', $myhash{id} = '12345', etc. You can even comment a line out by putting a # in the first position (or by not having an = anywhere in the line). The only slightly obscure thing here is the use of $` and $' to mean "everything before the match" and "everything after the match", to save you having to explicitly capture those sections with parens.

FYI, more detail on your initial question would have allowed us to cut to the chase faster.

- John

--- ChaoZ Inferno [EMAIL PROTECTED] wrote:
> Actually, the content of the file looks something like:-
>
>     name=john
>     id=12345
>     password=12345
>     colour=blue
>
> I am trying to grab the value field of each line and assigned it to be a variable.
> ...
Re: pass values to another scipt
Secure?? Have you guys been paying attention to the Matt's Script Archive discussion? You can pass along parameters between pages either in the URL or as hidden fields, but NEITHER IS REALLY SECURE!! The hidden fields only stymie the newbies. :-) Anyone could just save the form to their hard drive, modify the hidden field values there, and submit that version. If the server script thinks it need only check the referer variable to get around this, the hacker can submit their modified page with their own client, setting the referer field to whatever they want. True, it's nicer not seeing them in the URL, but it's not that much more secure.

I recommend Chapter 8 of O'Reilly's CGI Programming with Perl for a thorough discussion of CGI security issues.

- John

--- David vd Geer Inhuur tbv IPlib [EMAIL PROTECTED] wrote:
> Hi Sven,
>
> Sorry, I thought you knew that one. But how to proceed if you don't want those ugly/insecure params in your location bar ?
>
> ... snip ...
>
>     <input type="hidden" name="hide1" value="secure">
>     <input type="hidden" name="hide2" value="very secure">
>
> ... snip ...
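Hidden fields come back from the client, so a script that has to carry values through them can at least detect edits by sealing the values with a keyed hash that only the server can compute. This is an added example, not code from the thread or from the book mentioned above; the sub names, the `_mac` and `_expires` field names, the secret and the sample values are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): tamper-evident hidden form fields.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a secret kept on the server only (constructed value here).
my $SECRET = 'constructed-demo-secret';

# Unambiguous encoding of the fields: names sorted, every name and value
# prefixed with its length, so ("ab","c") and ("a","bc") never collide.
sub canonical {
    my ($fields) = @_;
    return join '', map {
        my $v = $fields->{$_};
        length($_) . ":$_" . length($v) . ":$v";
    } sort keys %$fields;
}

# Returns what to emit as hidden inputs: the fields plus _expires and _mac.
sub seal_fields {
    my ($fields, $ttl, $now) = @_;
    my %out = (%$fields, _expires => $now + $ttl);
    $out{_mac} = hmac_sha256_hex(canonical(\%out), $SECRET);
    return \%out;
}

# Compare two strings without stopping at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the trusted fields, or undef if anything was altered, the seal
# is missing, or the form is older than its time limit.
sub open_fields {
    my ($submitted, $now) = @_;
    my %f   = %$submitted;
    my $mac = delete $f{_mac};
    return undef unless defined $mac && defined $f{_expires};
    my $want = hmac_sha256_hex(canonical(\%f), $SECRET);
    return undef unless constant_time_eq($mac, $want);
    # _expires is only trusted now that the MAC has been verified.
    return undef unless $f{_expires} =~ /\A\d+\z/ && $f{_expires} >= $now;
    delete $f{_expires};
    return \%f;
}

# Constructed demonstration: one honest submission, one with a hidden value
# changed after the page was delivered, one submitted after the time limit.
my $now  = time;
my $form = seal_fields({ user_id => '1042', price => '19.99' }, 900, $now);

my %honest   = %$form;
my %tampered = (%$form, price => '0.01');
my %stale    = %$form;

for my $case ([honest   => \%honest,   $now],
              [tampered => \%tampered, $now],
              [expired  => \%stale,    $now + 3600]) {
    my ($name, $params, $when) = @$case;
    printf "%-9s %s\n", $name,
        open_fields($params, $when) ? 'accepted' : 'rejected';
}
```

The seal shows that the values were issued by the server and not changed; it does not hide them from the user and does not stop a still-valid form from being submitted twice, so anything secret or single-use belongs in server-side session storage.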
Re: CGI and frames
Okay, I understand now. I guess you *could* do it with one script, although as someone else noted, it is basically separate scripts, called once per page, that just happen to be stored in the same file. Whether you store it in one script or separate is immaterial, IMHO.

So, now that we understand, what exactly is not working about it again? :-)

--- Sven Bentlage [EMAIL PROTECTED] wrote:
> Sorry, I chose the wrong words.. my script works similar to the way you described below. Depending on which fields are filled out and which button is pressed, a different subroutine is called, creating the page.
Re: Matt Wright's formMail
I must confess I'm not intimately familiar with the script in question, so I don't completely understand what the code snippet that drieux included does, therefore how it is or is not sufficiently secure. However, I have some more general comments in the way of clarification.

It seems to me that the *fact* of using the referers environment variable is not the security risk, but that relying on it *only* is the risk. My introduction to this issue was getting publicly flamed on perl beginners last summer partially for not knowing this. (Don't worry, the burns healed quickly.) Since then, I've at least read enough to know that anyone with the LWP module or any other HTTP API in any language can build a web client with any referer header they want. But I would think that means that using referers in itself is not inherently dangerous, only thinking that it's doing you any good security-wise is. The danger that this ignorance makes possible depends on what the rest of your script does with the input it gets.

Encoding data in the URL - well, all GET parameters work that way, in the broadest definition of the term "data". The question is, what does the script *do* with that data? As all good readers of the security chapter of O'Reilly's CGI Programming with Perl (among others) will know, the biggest security hole with user input is when that data is used for input to a shell process. Is that what Matt's script does? If so, is the generally approved work-around one of the two fix-ups recommended by that book: (1) filter the input string to disallow bad characters such as shell escapes, or better yet, (2) use a combination of fork and exec rather than simply opening a pipe to a process? How does the NMS replacement code handle this, and what do you all do in similar cases?

- John

--- drieux [EMAIL PROTECTED] wrote:
> On Monday, May 13, 2002, at 09:21 , Camilo Gonzalez wrote:
> [..]
> > The problems seem to be that it uses the Referer environmental variable to exclude spammers and it gives the option of encoding data in the URL. I've been told both are considered security risks. My ISP does not think even the latest release addresses these issues and refuses to let Formmail on its servers.
> [..]
>
> in the main I have heard the same things - I can appreciate that ISP's are at liberty to do as they will - I was just trying to track down my exposure - given as our ISP is running v1.92
>
> it could be that if one's ISP is doing a lot of virtual hosting then the simplification of
>
>     @referers = ('wetware.com','199.108.16.17');
>
> could get messy hence the following guard code:
>
>     sub check_url {
>
>         # Localize the check_referer flag which determines if user is valid.
>         local($check_referer) = 0;
>
>         # If a referring URL was specified, for each valid referer, make sure #
>         # that a valid referring URL was passed to FormMail. #
>
>         if ($ENV{'HTTP_REFERER'}) {
>             foreach $referer (@referers) {
>                 if ($ENV{'HTTP_REFERER'} =~ m|https?://([^/]*)$referer|i) {
>                     $check_referer = 1;
>                     last;
>                 }
>             }
>         }
>         else {
>             $check_referer = 1;
>         }
>
>         # If the HTTP_REFERER was invalid, send back an error.
>         if ($check_referer != 1) { error('bad_referer') }
>     }
>
> is not sufficiently robust enough
>
> where that code is preventing spamming is with:
>
>     @recipients = fill_recipients(@referers);
>
>     sub fill_recipients {
>         local(@domains) = @_;
>         local($domain,@return_recips);
>
>         foreach $domain (@domains) {
>             if ($domain =~ /^\d+\.\d+\.\d+\.\d+$/) {
>                 $domain =~ s/\./\\\./g;
>                 push(@return_recips,'^[\w\-\.]+\@\[' . $domain . '\]');
>             }
>             else {
>                 $domain =~ s/\./\\\./g;
>                 $domain =~ s/\-/\\\-/g;
>                 push(@return_recips,'^[\w\-\.]+\@' . $domain);
>             }
>         }
>
>         return @return_recips;
>     }
>
> and I have tested this anti-spam piece - and the only thing that survives is aimed where it is suppose to go.
>
> As for 'using old perl' - I'm not sure that is an 'issue'? is it? since this is running in a 5.6 environment.
>
> or am I missing something here???
>
> ciao
> drieux
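On the question of how to hand form input to a mail program without a shell in between: the sketch below is an added example, not FormMail or NMS code. It checks the recipient against an exact allow-list instead of relying on the Referer header, and runs the mailer through the list form of open(), which forks and execs the program directly. The sub names, addresses and sample requests are constructed, and a small Perl one-liner stands in for the mail program so the script runs offline on a Unix-like system.

```perl
#!/usr/bin/perl
# Added example (not FormMail or NMS code): form-to-mail without a shell.
use strict;
use warnings;

# Assumption: the complete list of addresses this form may ever mail to.
my %ALLOWED_RCPT = map { lc($_) => 1 }
    ('webmaster@example.org', 'sales@example.org');

# Exact, case-insensitive match; returns the address, or undef if not listed.
# The Referer header plays no part in the decision.
sub allowed_recipient {
    my ($addr) = @_;
    return undef unless defined $addr && $ALLOWED_RCPT{ lc $addr };
    return lc $addr;
}

# Header values must stay on one line so form input cannot start a new header.
sub one_line {
    my ($v) = @_;
    $v = '' unless defined $v;
    $v =~ s/[\x00-\x1f\x7f]+/ /g;
    return $v;
}

# Build the text handed to the mail program on its standard input.
sub build_message {
    my ($to, $subject, $body) = @_;
    $body = '' unless defined $body;
    return "To: $to\nSubject: " . one_line($subject) . "\n\n$body\n";
}

# Pipe $message to @cmd. With the list form of open() Perl forks and execs
# the program itself (Perl 5.8 or later), so no shell parses the command.
# Risky form, for comparison only: open(MAIL, "|$mailprog $recipient")
sub pipe_to {
    my ($message, @cmd) = @_;
    open(my $fh, '|-', @cmd) or die "cannot run $cmd[0]: $!";
    print {$fh} $message;
    return close($fh);      # true when the program exited with status 0
}

# The command line is fixed; form input travels only over standard input.
sub send_form_mail {
    my ($params, @mailer) = @_;
    my $to = allowed_recipient($params->{recipient})
        or return 'rejected: recipient not on allow-list';
    my $msg = build_message($to, $params->{subject}, $params->{body});
    return pipe_to($msg, @mailer) ? "sent to $to" : 'mailer failed';
}

# Stand-in for the mail program: echoes what it receives on stdin.
# Assumption for a real deployment: ('/usr/sbin/sendmail', '-t', '-oi').
my @mailer = ($^X, '-ne', 'print "  | $_"');

# Constructed sample requests.
my @requests = (
    { recipient => 'Sales@Example.org', subject => 'Quote request',
      body => 'Please call me.' },
    { recipient => 'someone@elsewhere.example', subject => 'hi',
      body => 'not one of ours' },
    { recipient => 'webmaster@example.org',
      subject => "Line one\x0d\x0aline two", body => 'Multi-line subject.' },
);

$| = 1;                     # keep parent and child output in order
for my $req (@requests) {
    print "recipient=$req->{recipient}\n";
    print '  => ', send_form_mail($req, @mailer), "\n";
}
```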
Re: CGI and frames
If you mean can a CGI script output both the frameset and all of its pages simultaneously, I don't see how. What you can do is have each frame call a CGI script for its content, and have another to generate the frameset. Each script then outputs its own HTML as normal. If this doesn't address your issue, I think we'll need a little more detail.

- John

--- Sven Bentlage [EMAIL PROTECTED] wrote:
> Hi !
>
> Right now I'm using a cgi-script to create a few html pages. Somewhere I read that I also can create framesets plus the dependent html pages via a CGI script. Where can I find a manual on how to do that? Or can anybody tell me?
>
> Thanks for your help.
>
> Sven
(OT) Re: Accessing form elements before submit..
To expand a bit from a more general perspective: The important distinction here is what is client-side and what is server-side. HTTP is a request/response protocol. So the interaction looks like this:

1) User (Client) requests page where your form is
2) Server delivers that page
3) User fills out the form
4) User submits the form, resulting in another request
5) Server processes that request and delivers another response

What it sounds like you are looking for is something to allow the client browser to make some decisions during step 3, while the user is filling out the form. Since the last server response has completed (the page was successfully delivered), and the next won't start until the user submits, the client is on its own, and no server-side technology (Perl or whatever) can help at that point. You need a client-side technology. That's JavaScript. (Not to be confused with Java, which is an entirely separate language and is on the server side.)

By the way, if you happen to look at Microsoft's support site, you'll see references to JScript, which is IE's implementation of JavaScript (although JavaScript works in IE too). IE also supports VBScript (similar syntax to Visual Basic) on the client. But of course browser-dependent technology is a big no-no unless you are programming for internal people only whom you can assume have a company-standard browser.

A short JavaScript intro: If you have a form named myForm with a text input called myInput, inside an HTML script tag you can refer to the value in this form as document.myForm.myInput.value. You can use this value to assign to JavaScript variables or to other fields on the form, possibly hidden ones. That sounds like the sort of thing you're wanting to do. There are many good JavaScript references on-line to help you learn.

- John

--- David vd Geer Inhuur tbv IPlib [EMAIL PROTECTED] wrote:
> Hi Onkar,
>
> Yes there is a solution, Javascript :) Maybe you'd take a look at : http://codepunk.hardwar.org.uk/bjs.htm
>
> Believe me, it's easier than you think. Good luck.
>
> David
(OT) RE: Matching string (here I am again)
Okay, what's the [2] doing? It appears to be saying to match \d exactly two times, but I thought that would be {2} instead. But changing your [] to {} leads to the same problem as the original expression.

You probably know, Camilo, but since you didn't say, let me guess at why Rafael's original RE did not work. The problem seemed to be the use of * (zero or more) when + (one or more) was probably meant. So the original RE was asking if there are any occurrences of *ZERO OR MORE* characters followed by two digits and the string ".html". The answer is yes, the substring "01.html" of "djavan001.html" fits that criteria, as it is ZERO characters followed by two digits, etc. Changing the * to a + makes his original RE work as intended, so there has to be at least one character. This also prevents something like "99.html" from matching, which I'm assuming from his description is also desired.

--- Camilo Gonzalez [EMAIL PROTECTED] wrote:
> Try /[a-z]*\d[2]/
>
> -Original Message-
> From: Rafael Cotta [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 07, 2002 12:16 PM
> To: [EMAIL PROTECTED]
> Subject: Matching string (here I am again)
>
> First of all, special thanks to Drieux.
>
> I need to check if a string with the following pattern:
>
>     <lowercase characters><number><number>.html
>
> Like "cae01.html" or "djavan10.html" (without quotes).
>
> I tried
>
>     $musica =~ /([a-z]*)[0-9][0-9]\.html/
>
> but this matches "djavan001.html", when this should not.
>
> Which regexpr can I use? This time a link to a howto will be very welcome, once this is not the unique regexpr I'll need to build myself.
>
> Rafael
Re: SSI
I haven't used SSI a lot, but my understanding, borne out by my experience so far, is as follows. The SSI simply pulls in the content from the included file or command and inserts it at the place you did the insert. So whatever HTML you would have put there without doing SSI, is what goes in the included file. Nothing more or less. Just a plain textual substitution.

--- Mat Harrison [EMAIL PROTECTED] wrote:
> if i have an html document and I include a CGI script to display some html do I have to have html and body tags in the include or can it insert the body into that of the html doc?
Re: I can't get this to run!
--- drieux [EMAIL PROTECTED] wrote:
> On Saturday, April 27, 2002, at 05:32 , Alex Swavely wrote:
>
> > This was exactly the problem. Not having dos2unix installed, I just zipped it and then ran unzip with the -a option (convert files) and it worked smashingly.
>
> now that is probably the one trick I haven't seen anyone yet raise as the work around
>
> the real irony in all of this - that I just learned yesterday is that if people did the decent bit
>
>     #!/usr/bin/perl -w
>     use strict;
>
> then whether it is dos or unix formatted - it will still work

How do you mean it will still work? Doesn't -w and use strict just make Perl more picky about what it will accept and raise its complaint level? How would this impact how it interprets line ends?

On a related note, some of your better text editors will also have an end-of-line conversion utility built in. I use Ultra-Edit (Windows), and can convert in any direction between DOS, Unix, and Mac. Ultra-Edit also has built-in FTP, so you can pull a file via FTP right into your editing window, and subsequent saves will FTP it right back. Finally, you can also set Unix permissions in the FTP Save dialog. All this together allows me to easily develop my scripts on my local Windows machine, run them with output captured to another window, convert their end-of-lines, FTP them to my ISP, and set the permissions, all from within the comforts of the editor.

Disclaimer: I have no connection to Ultra-Edit other than satisfied registered customer. This promo was prompted only by the earlier discussion of end-of-line characters.

- John
Re: http headers
Most recent editions of Perl come with the CGI module, which is what you want. Type "perldoc CGI" at your friendly neighborhood command prompt. The O'Reilly book CGI Programming with Perl has a good overview, as do no doubt countless other books. The basic steps are:

    use CGI;
    my $cgi = new CGI;    # Optional O-O interface
    print $cgi->header, $cgi->start_html("My Page");
    print $cgi->param("foo");    # print value of foo param
    print $cgi->end_html;

Note that you can also use it to output the HTML response, although you don't have to. More details in documentation.

- John

--- Conan Chai [EMAIL PROTECTED] wrote:
> hi,
>
> are there any perl modules that splits the http request headers into name/value pairs?
>
> Conan
> It Will Come To Us !!!
> [EMAIL PROTECTED]
Re: Write permissions and other rights
--- Todd Wade [EMAIL PROTECTED] wrote:
> ... anyone anything. My proof? perl.beginners and perl.beginners.cgi is a place where it's pc to ask frequently asked questions. Over and over.

Is there a FAQ document for this list? I just re-read my list welcome message and didn't see any reference to one. I was on perl.beginners for a while (too much volume) and I *think* they had one. Whichever list it was, the list admin would send out a canned reminder about it every few days, and it was probably mentioned in the welcome message. Granted we'd still get FAQ's on the list, but maybe fewer, and the poster could just be pointed to the FAQ document rather than someone writing out the whole explanation every time. If we are concerned about having just one-sentence answers, which Todd rightly suggests is not really educational, then let's make it have as much explanation as we can, so that people *do* learn from it.

Having made the suggestion, I now must take a giant step backwards and plead no time to put such a thing together myself. That and I'm probably still too much of a beginner.

At least let's point out that the archives of this list are available online at http://archive.develooper.com/beginners-cgi%40perl.org/, so if you think your question may have been asked and answered before, look through the archives! (Unfortunately, they don't appear to be text searchable, but Google probably indexes them.) There is a complete list of Perl-related lists at http://lists.perl.org/.

(Yes, I understand the permissions question was not really a Perl-only question, but it *is* related to CGI, and could have been asked before.)

- John
Re: A super huge form.
Connie,

From a technical point of view, I think that if you submit via post you are not limited in size. If you submit via get, it adds it all to the URL in the form of http://yourdomain/yourscript.pl?param1=foo&param2=bar; etc. and you are limited to about ~2K total length (depending on the browser client). So you definitely need POST if you are going to do it all on one page.

From a user interface point of view, however, I would definitely consider splitting this up over multiple pages. I think users would easily get overwhelmed faced with such a long form. I imagine that it is probably already grouped into sections, so it would be logical to start by making each section its own page. Maybe some sections are optional, or only need to be filled out if certain prior answers are given? If so, why burden the user with even seeing such sections if they are not to be relevant to that user?

I haven't done this myself, but here is one way I imagine you could do it. Your first page, say, start.html, has a Continue button which would submit to submit1.pl, and that process will output the second page, with all of the first page's answers contained in hidden fields. The second page will submit to submit2.pl (or they could all submit to the same script which could figure out which page it's currently processing), which would then output the third page with the first two pages' answers in hidden fields. Etc. until the last page, when it has all the answers and can finally take the action you want. It could get a little tricky if you want to allow users to go back to previous pages, or branch conditionally based on answers they've already given, but do-able. What would be really spiffy is if you wrote something generic enough to be easily re-usable, and could share it with the rest of us! (For that matter, maybe someone's already done this. Check CPAN to find out.)

Finally, as someone else asked, why not use CGI.pm? I was initially turned off to it by reading that it had a reputation for being bloated, and at first the HTML output commands struck me as really ugly and unnecessary. But I'm starting to use it more now, for the following reasons. (1) you don't have to use the HTML output commands if you don't want to; (2) it's so easy to get your parameters, and the Perl community consensus seems to be that CGI.pm is the safest and most reliable way to do that, so why re-invent the wheel (especially an inferior one)? (3) You automatically get it with the latest versions of Perl, so you don't even have to find it and install it yourself, you've likely already got it!

- John

--- Connie Chan [EMAIL PROTECTED] wrote:
> Hi all,
>
> would anybody know how to handle a form with about 6000 around data field ? and if there any max size for data submit through CGI ? Anyway, I don't want to use cgi.pm.
>
> Thank you for any hints and advise =)
>
> Connie
Re: Some Newbie Questions :-)
(Sorry for the duplicate, Jamie, forgot to forward to the list!)

--- Jamie [EMAIL PROTECTED] wrote:
> ...
> 2) Should I use text files for my data or dive straight into something like MySQL? I'll probably need the SQL stuff later on, but is there any general rule as regards to size/ number of lines/records?
> ...

I've just gone through a similar decision process. It depends entirely on your situation. Some questions you need to consider are:

1) What tools does my platform support?
2) How much data do I have now, and how fast will it grow?
3) How many users do I envision, both concurrent (for record locking, etc.) and total (when security gets more important)?

I would definitely recommend some kind of SQL database solution for most commercial, and certainly enterprise-wide, applications. I've heard good things about mySQL, but not used it. At the high end, Oracle is one of the most solid there is. I can't quote any exact quantitative recommendations, but I personally wouldn't consider text files for anything bigger than a dozen files of maybe a few hundred records in each. For one thing, in any system of any size, ease and efficiency of record selection and sorting becomes very important, and SQL makes these things very easy. There are SQL drivers for text files, but I would still be concerned with how efficient they could be for large amounts of data. At some point, you've got to have indexes.

On the other extreme, there are cases where a SQL database may be overkill. One of my personal projects is a very basic content management system for non-profits and small businesses, tailored to outfits with modest sites virtual-hosted by third-party ISPs and with up to 1/2 dozen content managers, maybe volunteers. I needed to find a storage mechanism that would be easily supported by most ISPs. Some ISPs support mySQL, but not all, and I wanted to be as compatible as possible. (I selected Perl as a language due to its almost universal support by ISPs.) I seriously considered XML storage, but decided that my own learning curve in using it would be too steep for the timetable I wanted to meet, and Perl-based XML tools seem to be in limited supply. So I settled on text CSV files. For my needs, this seemed to make sense. The AnyData::CSV (see CPAN) module supports record selection from CSV's, and I implemented a multi-level sort just using Perl's sort function. (I think it also has a DBI interface option, which I have not investigated.)

So those are some considerations for you. In the end, it depends on your situation and it's a judgement call.

- John
Re: Parsing variables and HTML
Daniel,

I'm assuming you mean that you want your three crud parameters passed through, in which case, your intuition at the end of your message is correct. Remember that HTTP is by default stateless, meaning that when the form that was output by first() is submitted, your script has no memory that it was ever run before. It only knows what was in the latest request. So you need to include more hidden fields in your form in order to preserve them between invocations of the script:

    <input type=hidden value=$crud1 name=crud1>
    <input type=hidden value=$crud2 name=crud2>
    <input type=hidden value=$crud3 name=crud3>

Note that by default, $variables expand in Here documents the same as in double-quoted literals.

- John

Daniel Falkenberg [EMAIL PROTECTED] wrote:
> Hello All,
>
> I am having a little bit of trouble with HTML and perl. I want to be able to parse variable from some HTML code where a user hits a submit button and the data they entered from that form should be parsed to the next sub. At the moment I am using the following code...
>
>     use CGI qw(:standard);   # provides param()
>
>     $action = param("action");
>     $crud1 = param("crud1");
>     $crud2 = param("crud2");
>     $crud3 = param("crud3");
>
>     if ($action =~ /first/) {first();}
>     elsif ($action =~ /second_sub/) {second_sub();}
>     else{ first();}
>
>     sub first {
>
>     print <<HTML;
>     <FORM>
>     #User enters data in some text boxes here...
>     <INPUT type=hidden value=second_sub name=action>
>     <INPUT type=image src="http://us.f144.mail.yahoo.com/ym/images/submit.gif">
>     </FORM>
>
>     HTML
>
>     }
>
>     # Script is now taken to second_sub();
>
>     sub second_sub {
>
>     print $crud1, $crud2, $crud3;
>
>     }
>
> but for some reason the data from first() is not being placed into second_sub(); Should I be adding some more hidden HTML tags in the first(); sub?
>
> Any help on this would be greatly appreciated.
>
> Regards,
>
> Dan
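The hidden-field carry-forward described in this reply and in the earlier "A super huge form" reply, as an added example that is not code from the thread: hidden values come back from the browser and can be edited there, so the script below HTML-escapes them on output and checks an HMAC before trusting them on the next request. The secret value, the `mac` field name and the helper names are assumptions; `crud1`..`crud3` are the thread's field names, and CGI.pm and Digest::SHA are assumed to be installed.

```perl
use strict;
use warnings;
use CGI;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions: placeholder secret (keep the real one outside the web root);
# crud1..crud3 are the field names from the thread.
my $SECRET  = 'replace-with-a-long-random-server-side-secret';
my @CARRIED = qw(crud1 crud2 crud3);

# Read the carried fields from a request, one scalar per name.
sub carried {
    my ($q) = @_;
    my %v = map { ($_ => scalar $q->param($_)) } @CARRIED;
    return \%v;
}

# HMAC over the values, length-prefixed so field boundaries cannot shift.
sub state_mac {
    my ($v) = @_;
    my $msg = join '', map { my $s = $v->{$_} // ''; "$_=" . length($s) . ":$s;" } @CARRIED;
    return hmac_sha256_hex($msg, $SECRET);
}

# Hidden inputs for the next page: attributes quoted, values HTML-escaped.
sub hidden_fields {
    my ($q) = @_;
    my ($v, $html) = (carried($q), '');
    $html .= sprintf qq{<input type="hidden" name="%s" value="%s">\n},
        $_, $q->escapeHTML($v->{$_} // '') for @CARRIED;
    return $html . sprintf(qq{<input type="hidden" name="mac" value="%s">\n}, state_mac($v));
}

# On the next request: recompute the MAC before trusting any carried value.
sub verify_state {
    my ($q) = @_;
    my ($v, $got) = (carried($q), scalar $q->param('mac'));
    my $want = state_mac($v);
    return undef unless defined $got && length($got) == length($want);
    my $diff = 0;    # compare without stopping at the first mismatch
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($want, $_, 1)) for 0 .. length($want) - 1;
    return $diff == 0 ? $v : undef;
}

# Constructed sample input (not from the thread): page 1 answers, then two follow-ups.
my $page1 = CGI->new({ crud1 => 'Acme "Tools" <west>', crud2 => 'blue', crud3 => '42' });
print hidden_fields($page1);
my %sent = (%{ carried($page1) }, mac => state_mac(carried($page1)));
print 'honest:   ', (verify_state(CGI->new({ %sent })) ? 'accepted' : 'rejected'), "\n";
print 'tampered: ', (verify_state(CGI->new({ %sent, crud3 => '9999' })) ? 'accepted' : 'rejected'), "\n";
```

The MAC only detects modification: it does not hide the values or stop an old, validly signed set from being resubmitted, so anything sensitive belongs in server-side session storage instead.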
Perl CGI with ISP - advice?
Hi,

I'm writing a Perl-based system to allow simple site content management through web forms. I'm a relative beginner to both Perl and CGI, although I have much experience with C, Visual Basic, and relational database programming.

The system I'm writing is targeted to non-profits and small businesses, the kinds of outfits which typically will have sites hosted by an ISP, not on their own hardware with their own people to administer it. So my software will need to be (1) small, and (2) installable to a virtual domain cgi-bin path by FTP with normal owner permissions, not system admin and/or shell access. I've found that this cuts down on available technology quite dramatically.

One hesitation I have is that most Perl modules assume that you can run an install procedure to install the module in your system. If an outfit has only FTP access to its virtual domain, not shell access or sysadm privilege, the only thing you can do is copy the module's files over from some other place you've installed them (such as my PC's hard drive). This seems to be working with two of the modules I've used so far (HTML::Template and AnyData::CSV), but I'm hesitant to rely too much on a lot of them. Obviously, you run a risk if a module has platform-specific functionality. I'm particularly shy of CGI.pm, both due to size and also uncertainty of if it can be installed by a simple file copy.

I'd appreciate any advice anyone could give on the difficulties I might encounter in this endeavor, in particular module size and ability to install on an ISP-hosted virtual domain by FTP alone. Should I be convincing the ISP to install the modules in their /site/lib instead, rather than us putting them in our virtual domain? Is CGI.pm recommended in this situation? Any other issues you would foresee me having? (I already know I'll have to think through security at some point.)

Thanks in advance for any replies.

- John Brooking