Ask the experts

 



razman
Novice

Mar 26, 2009, 7:25 PM

Post #1 of 16 (6369 views)
Ask the experts

I am not the expert. I am hopeful that you are.

Flatfile perl database script that permits image uploads. As a security feature, the size of the upload is limited. As a security feature, the file name is changed.

This script worked perfectly, until the customer upgraded to IE8.

Subsequent removal of IE8 and a reinstall of IE7 did not correct the problem.

Here's what happens: An image is selected for upload via this HTML code:

Image Upload: <input type=FILE name="Image_Upload">

When the image is uploaded, the file name is changed to a grabbed time stamp. For instance, image_name.jpg becomes 1238174954.jpg

That newly named image is then stored in an image folder.

That newly named image is also assigned to the variable $Image_Upload

print OUTFILE $buffer;}
close(OUTFILE);

$Image_Uploadchecksize=-s "$Imageuploadpath$tstamp.$extension";
if ($Image_Uploadchecksize<5){
$problem="Unable to upload the image in field $Image_Upload. Your server configuration may not be
compatible with this feature or your browser was not able to find the file that you pointed it to.";
$imageerror=1;
}

if ($imageerror){
unlink("$Imageuploadpath$tstamp.$extension");
&security;}
$Image_Upload="$tstamp.$extension";
}

At some point the $Image_Upload is written to the data record.

After the IE8 upgrade, here's what happens:

1. The newly named image is properly stored in the server's image folder.

2. The $Image_Upload variable is NOT changed in the data record.

3. As a result, the script looks for the unchanged image name, which, of course, does not exist.

After many, many hours of trying to understand what's happening, I come to you. By the way, other machines that remained as IE7 machines still work this script perfectly. Only the machine that was upgraded fails (even though the IE8 was removed and IE7 reinstalled.)

Anyone?


FishMonger
Veteran / Moderator

Mar 26, 2009, 7:56 PM

Post #2 of 16 (6368 views)
Re: [razman] Ask the experts

Your description of the process seems to jump around and is incomplete, as are your code snippets.

Can you post the entire script?


KevinR
Veteran


Mar 26, 2009, 8:29 PM

Post #3 of 16 (6365 views)
Re: [razman] Ask the experts

Sounds like a bug in IE8, that would have nothing to do with the cgi script. I would check the MS website for known bugs when uploading files.
-------------------------------------------------


razman
Novice

Mar 26, 2009, 9:11 PM

Post #4 of 16 (6363 views)
Re: [KevinR] Ask the experts

Google is awash with IE8 issues. I am unable to make any headway in determining what is the genesis of the problem. There is much talk about how IE8 is the ultimate in compliance. I guess I am trying to determine what variable element is not uploading properly. The script checks for a permitted extension, specifically .jpg .gif .png. The script checks for a non-permitted extension, such as .exe or .cgi. The script checks for the existence of an image 'browsed' to by examining a minimum file size. The script checks for the size of the file and compares it against a maximum file size. I suspect that IE8 is misleading the perl script by providing something totally unexpected in one of the above variable elements. Forgive me for rambling. I am tired. Thanks for your comment.


razman
Novice

Mar 26, 2009, 10:46 PM

Post #5 of 16 (6361 views)
Re: [FishMonger] Ask the experts

I've completed additional testing, and I've found that NO image is uploaded into the image folder. In addition, the name of the file is NOT changed. To recap: machine was IE7 and worked fine. Upgraded to IE8 and the script failed. Restored to IE7 and the script still fails.

A different work station that is IE7 and was not upgraded continues to work perfectly.

Additional research on the net shows many problems with IE8 being reported. None specifically matches my problem.

Here is most of the code. I am not a super expert perl programmer. I can muddle around a bit, but I saw no reason to post this in the beginner's area. I hope no one is offended. Thanks for any sense of direction. Rich



if (($Image_Upload=~/\\/ || $Image_Upload=~/\:/ || $checkcontent) && $Image_Upload !~/delete/i){
$containsimageImage_Upload=1;
#Get Unix time. Will constitute file name
if (!$tstamp){
$tstamp=time;}
else{
$tstamp++;}
@splitparts=split(/\./,$Image_Upload);
$parts=@splitparts;
$parts--;
$extension=lc($splitparts[$parts]);
if ($extension!~/gif|jpg|jpeg/i){
$problem="You are attempting to upload a file with an incorrect extension .$splitparts[$parts]. For security reasons, only image files .gif, .jpg, or .jpeg extensions can be uploaded.";
&security;
}
if ($Image_Upload=~/\.cgi|\.pl|\.exe/i){
$problem="You are attempting to upload a file that could be hazardous to the server.
Please make sure that you upload only files with .gif, .jpg, or .jpeg extensions. .pl or
.cgi can't make up any part of the filename you are uploading.";
&security;
}
$Imagemaximum=$Imagemaxz*1024;
$size=-1024;
$problem="Can't write the image to the directory . Make sure that
you have set the permissions for this directory so that it is writeable and that
you have specified a valid directory path.";
open (OUTFILE,">$Imageuploadpath$tstamp.$extension") || &security;
while ($bytesread=read($Image_Upload,$buffer,1024)) {
$size=$size+1024;
if ($size>$Imagemaximum){
$problem="You are attempting to upload a file that is too large. Please decrease
the size of the image and try again.";
close(OUTFILE);
unlink("$Imageuploadpath$tstamp.$extension");
&security;
}

#On Windows servers, uncomment the following line
#binmode(OUTFILE);

print OUTFILE $buffer;}
close(OUTFILE);

$Image_Uploadchecksize=-s "$Imageuploadpath$tstamp.$extension";
if ($Image_Uploadchecksize<5){
$problem="Unable to upload the image in field $Image_Upload. Your server configuration may not be
compatible with this feature or your browser was not able to find the file that you pointed it to.";
$imageerror=1;
}

if ($imageerror){
unlink("$Imageuploadpath$tstamp.$extension");
&security;}
$Image_Upload="$tstamp.$extension";
}

$Image_Uploaddelete=$query->param('Image_Uploadb');
if (!$Image_Upload && $Image_Uploaddelete){
unlink("$Imageuploadpath$Image_Uploaddelete");
}
elsif (!$containsimageImage_Upload && $actiontotake=~/edit/i){
$Image_Upload=$query->param('Image_Uploadbb');}


}

#This is the last line of the script


FishMonger
Veteran / Moderator

Mar 27, 2009, 6:18 AM

Post #6 of 16 (6351 views)
Re: [razman] Ask the experts

Please use the code tags when posting blocks of code. The code tags will retain the indentation (assuming you did use indentation).

IE8 may hold some of the culpability, but the main culprit is the script which lacks proper/sufficient error handling.

The first problem I see is that you're not using the strict pragma nor are you using lexical vars and I doubt that you enabled warnings.

I see that you are using the OO interface of the CGI module, which is good, but you're not using the file upload method that it provides. CGI's upload method will help to simplify some of this as well as add additional error handling capabilities.

Why do you initialize $size to a negative number?
$size=-1024;

$size=$size+1024;
would be better written as:
$size += length($buffer);

I assume that the security sub utilizes the $problem var. If so, then $problem should be passed to the sub. For the sake of readability and maintainability, I'd put all of the "problem" strings into a %problem hash and pass the appropriate hash value to the security sub.

e.g.,

Code
my %problem = (
    incorrect_ext => "a long error message",
    hazardous_ext => "another long error message",
    saving_file   => "another long error message",
);

Then, later you do this

if ($Image_Upload =~ /\.cgi|\.pl|\.exe/i) {
    security( $problem{hazardous_ext} );
}

or

open (OUTFILE, ">$Imageuploadpath$tstamp.$extension")
    || security( $problem{saving_file} ); # you might consider adding $! to the error message.


Most, if not all, of your var names should be changed. When using multiple word var names, separate the names with an underscore to make them more readable. The names of vars and subs should reflect and describe what they do or the data that they hold.

You need to add vertical and horizontal whitespace for readability/maintainability.
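Added example, not part of any post in this thread: the original script treats a submission as an upload only when the file name contains `\` or `:`, which holds when the browser sends a full local path (as IE7 did) and fails when it sends only the base name (as IE8 in its default Internet-zone setting, Firefox and Opera do). The sketch below contrasts that test with checks that do not depend on the client's path, using an anchored extension allowlist, a byte-accurate size limit and a strict pattern for names passed to unlink. The function names and sample file names are constructed for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# The thread's upload test: true only if the client sent a full local path.
sub old_upload_test { my ($name) = @_; return ($name =~ /\\/ || $name =~ /:/) ? 1 : 0 }

# Anchored allowlist on the final extension of the client-supplied name.
sub image_extension {
    my ($client_name) = @_;
    return $client_name =~ /\.(gif|jpe?g)\z/i ? lc($1) : undef;
}

# Stored names are "<timestamp>.<ext>"; only such a name may reach unlink().
sub is_stored_name { my ($name) = @_; return $name =~ /\A\d+\.(?:gif|jpe?g)\z/ ? 1 : 0 }

# Copy an upload handle to $dest, counting real bytes; returns undef on
# success or an error string, and never leaves a partial file behind.
sub save_upload {
    my ($fh, $dest, $max_bytes) = @_;
    open(my $out, '>', $dest) or return "cannot write $dest: $!";
    binmode $out;
    my ($size, $buffer) = (0, '');
    while (my $n = read($fh, $buffer, 1024)) {
        $size += $n;
        if ($size > $max_bytes) { close $out; unlink $dest; return 'file too large' }
        print {$out} $buffer;
    }
    close($out) or return "cannot close $dest: $!";
    if ($size < 5) { unlink $dest; return 'empty upload' }
    return;
}

# Constructed demo input. In the CGI script the handle would come from
# $query->upload('Image_Upload'); a defined handle means a file was sent.
for my $name ('C:\\photos\\cat.jpg', 'cat.jpg', 'notes.gifx') {
    my $ext = image_extension($name);
    printf "%-18s old_test=%d ext=%s\n", $name, old_upload_test($name),
        defined $ext ? $ext : 'rejected';
}
printf "%-18s deletable=%d\n", $_, is_stored_name($_)
    for '1238174954.jpg', '../index.cgi';

my $dir  = tempdir(CLEANUP => 1);
my $body = 'GIF89a' . ("\0" x 3000);    # constructed 3006-byte upload body
for my $limit (2048, 4096) {
    open(my $in, '<', \$body) or die "in-memory open failed: $!";
    my $err = save_upload($in, "$dir/1238174954.gif", $limit);
    print "limit $limit: ", (defined $err ? $err : 'saved'), "\n";
}
```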


KevinR
Veteran


Mar 27, 2009, 10:12 AM

Post #7 of 16 (6347 views)
Re: [razman] Ask the experts

I have a fully functional single file upload script with a tutorial here:

http://bytes.com/topic/perl/insights/672398-how-upload-files-using-cgi-pm-module-perl

You can skip the tutorial and just grab the code, change the variables that need changing (paths to files and such) and give it a try if you want to.

I also posted a multi-file upload script in this thread on another forum:

http://www.codingforums.com/showthread.php?t=160203

Judging by the code you posted I think you might be better served using one of the two over the one you have.
-------------------------------------------------


razman
Novice

Apr 3, 2009, 10:15 PM

Post #8 of 16 (6282 views)
Re: [KevinR] Ask the experts

Thanks for the code. I especially enjoyed the tutorial. I commented out a bunch of code within the script I am using. I then applied your coding. At first, it didn't work. Then I found the comment about Linux. Once I applied that code, I was able to upload images onto the server. Mind you, the above took about six hours of trial and error to accomplish. I learned a bunch, and it ended well.

The script I am working with, though, also includes an edit and delete function. Both work... sort of... but the image disappears from the file. I guess that means that my 'commented out' areas are important to the retention of the image in the file.

I have tried to follow the code within my script, and although I am understanding more and more, I am still unable to digest it all. In the upload area, the script changes the name of the uploaded file by substituting a unix timestamp in place of the existing file name. That altered file name is what is then uploaded to the server.

The script works perfectly for me at all times. Not so for two other users. The short of it is that: 1. The image is NOT uploaded into the image folder. 2. The image name is NOT changed from that on the local computer. 3. The image name IS stored in the database as the name from the local computer.

So the datafile is written with the unchanged image name, but nothing is uploaded. I would guess that that means that that upload portion of the code is never executed.

Have any clues as to where I should look? I am not against working hard in learning the Perl code, but a push in the right direction could be helpful.

For one of the users all worked well. He updated to Internet Explorer 8 and the image upload stopped working. He restored to the day before the upgrade, and the script once again worked.

By the way, I have Perl v5.8.5 built for i386-linux-thread-multi on the server.

Thanks for everything. Rich


(This post was edited by razman on Apr 3, 2009, 10:20 PM)


razman
Novice

Apr 13, 2009, 11:04 AM

Post #9 of 16 (6047 views)
Re: [FishMonger] Ask the experts

FYI: This just in from a frustrated user:

"After an hour and a half online with Microsoft, we discovered you can't upload photos to Web pages on IE8 so we uninstalled IE8 and it's working properly again."


KevinR
Veteran


Apr 13, 2009, 11:22 AM

Post #10 of 16 (6045 views)
Re: [razman] Ask the experts

hehehe..... There ya go. IE8 bad, very bad.
-------------------------------------------------


razman
Novice

Apr 17, 2009, 5:59 PM

Post #11 of 16 (5931 views)
Re: [KevinR] Ask the experts

As I mentioned in an earlier post, I got your code to work perfectly with IE7.

FYI: your code does not work with Firefox or Opera. Why would that be? Regards, Rich


KevinR
Veteran


Apr 17, 2009, 9:34 PM

Post #12 of 16 (5919 views)
Re: [razman] Ask the experts

What happens client side in the browser is out of the control of a server side CGI script. I tested with both those browsers and had no problems.
-------------------------------------------------


razman
Novice

Apr 18, 2009, 12:54 AM

Post #13 of 16 (5916 views)
Re: [KevinR] Ask the experts

How do browsers of the same make and version have different outcomes client side? Why would your Firefox x.x.x work while my exact Firefox x.x.x not work? This is not a facetious question. I am looking for insight. Thanks, Rich


KevinR
Veteran


Apr 18, 2009, 12:37 PM

Post #14 of 16 (5896 views)
Re: [razman] Ask the experts

Browsers have many settings, and there are things like proxy servers and firewalls and networks to consider too. All those things (and maybe more) affect what happens between the client and the server.
-------------------------------------------------


razman
Novice

Apr 21, 2009, 3:32 PM

Post #15 of 16 (5844 views)
Re: [KevinR] Ask the experts

I have removed just about everything from my script, but it still fails in Firefox and Opera. The code continues to work with Internet Explorer 7. In IE7 the image is written to the server's image folder. In Firefox or Opera, it is not. Do you see any issues now? Here is the new snippet:

$upload_filehandle = $query->upload("Image_Upload");

open (UPLOADFILE, ">$Imageuploadpath$tstamp.$extension") || &security;
binmode UPLOADFILE;
while ( <$upload_filehandle> ) {
print UPLOADFILE;
}
close UPLOADFILE;


KevinR
Veteran


Apr 21, 2009, 11:03 PM

Post #16 of 16 (5830 views)
Re: [razman] Ask the experts

I see nothing wrong with the code snippet you posted. I don't know why it's not working for you.
-------------------------------------------------

 
 

