Substituting Characters with underscore

 



Melissa
Deleted

Feb 14, 2000, 12:39 PM

Post #1 of 6 (481 views)
Substituting Characters with underscore

I just can't get this to work.... the cgi/perl script is supposed to read the input from a form, check for characters that aren't part of the "ok" list and change them to an underscore. I've tried three different ways of doing this, some of them just stripping out the special characters, and I can't get that to work either. I'm willing to post the entire script here if someone's willing to help me.

It's doing something, but it's stripping out all the characters!!

The part I'm working on is this:
sub get_form_data {
    # This function grabs the information from the browser and
    # crams it into a $fields associative array.

    # get env variable/store to @prompts array
    read(STDIN, $save_string, $ENV{CONTENT_LENGTH});
    $_ = $save_string = $ENV{'QUERY_STRING'};
    print "$save_string\n";
    $OK_CHARS = '-a-zA-Z0-9_.@';
    s/[^$OK_CHARS]/_/g;
    $save_string = $_;
    print "$save_string\n";
    @prompts = split(/&/, $save_string);

    # step through each variable, clean up the garbage, and store
    # it to the @fields variable.
    foreach (@prompts) {
        ($tmp1, $tmp2) = split(/=/, $_);

        $tmp2 =~ s/%2C/\x2c/g;
        $tmp2 =~ s/%28/\x28/g;
        $tmp2 =~ s/%29/\x29/g;
        $tmp2 =~ s/%3A/:/g;   # cnvrt 3A to colon
        $tmp2 =~ s/%40/\@/g;  # at symbol
        $fields{$tmp1} = &remove_escape_codes($tmp2);
    }

} #end get_form_data



perlkid
stranger

Feb 15, 2000, 2:22 PM

Post #2 of 6 (481 views)
Re: Substituting Characters with underscore

  
Depending on what you want to do with the data from the forms I might be able to help you. What are you trying to use the data for?


Cure
User

Feb 15, 2000, 5:45 PM

Post #3 of 6 (481 views)
Re: Substituting Characters with underscore

hi

This unerror-checked line assumes a POST interaction.

$_=$save_string = $ENV{'QUERY_STRING'};

This line assumes a GET interaction.

I would use CGI.pm.

Cure


Melissa
Deleted

Feb 16, 2000, 8:29 AM

Post #4 of 6 (481 views)
Re: Substituting Characters with underscore

I had some luck yesterday!!! I hope this helps someone, OR someone corrects me and gets me on the right track!!! I'm not sure what I did was the best approach.

To answer perlkid, I'm using the data from the browser/form to send a couple of emails/alerts to people who need to know of a conference registration and at the same time putting the information into a database so that it can be retrieved if they need it for a report. BUT the third thing I'm doing, which is most important, is that I'm taking just two fields and redisplaying them to the browser, effectively using dynamic HTML.
Because of the malicious code that can be submitted, I'm trying to change the characters that can be used in the code to something like a hyphen or underscore or something that will be ignored. Or, strip them out. Same thing with words like script, applet, etc.

To answer Cure, this is a CGI script that uses perl inside it. What is CGI.pm??? (I'll be looking that up while I look stupid here)

What I did yesterday that was successful was put some substitution lines in another subroutine, remove_escape_codes, and it works well, just changing special characters to hyphens.

BUT I'm having a problem with the email field because the information from the remove_escape_codes isn't passed to the fields('email'). Does anyone know how to explain to me how to do that???

Here's the majority of the script, including the main part where the email push is.
--------------------------
#!/usr/bin/perl
#
# Main
#
{
    &init;

    &show_standard_html_heading;

    &get_form_data;

    &check_form;

    if ($incomplete_form eq FALSE) {

        &store_form;

        # Include user's email in e-mail list.
        if ($fields{'email'}) {
            push(@mail_user, $fields{'email'});
        }

        &send_email;

        &notify_sender;

    }
    else {
        &redisplay_page;
    }

    &show_standard_html_ending;
}

#
# End of Main
#


sub get_form_data {
    # This function grabs the information from the browser and
    # crams it into a $fields associative array.

    # get the env variable and store it to the @prompts array
    read(STDIN, $save_string, $ENV{CONTENT_LENGTH});
    @prompts = split(/&/, $save_string);

    # step through each variable, clean up the garbage, and store
    # it to the @fields variable.
    foreach (@prompts) {
        ($tmp1, $tmp2) = split(/=/, $_);

        $tmp2 =~ s/\x2b/\x20/g;
        $tmp2 =~ s/%2C/\x2c/g;
        $tmp2 =~ s/%28/\x28/g;
        $tmp2 =~ s/%29/\x29/g;
        $tmp2 =~ s/%3A/:/g;   # convert 3A to colon
        $tmp2 =~ s/%40/\@/g;  # at symbol

        $fields{$tmp1} = &remove_escape_codes($tmp2);
    }

} #end get_form_data

--------------------
snippet, just HTML stuff I don't think you want to see
--------------------
sub init {
    $server_root = "/usr/netscape/suitespot/https-server/logs/";

    # Push to as many users as necessary.
    push(@mail_user, "realuser\@domain.com");

    $registration_file = $server_root . "registration.db";

    $date_string = &get_date;

    $incomplete_form = FALSE;

} #end init


sub check_form {

    # "||" must be written without a space; "| |" is a syntax error.
    if (($fields{'email'} eq "") ||
        (!($fields{'email'} =~ /.+@.+/))) {
        $missing_email = TRUE;
        $incomplete_form = TRUE;
    }

    if (($fields{'conference'} eq "")
        and ($fields{'tour'} eq "")
        and ($fields{'icebreaker'} eq "")
        and ($fields{'dinner'} eq "")
        and ($fields{'golf'} eq ""))
    {
        $incomplete_form = TRUE;
    }
} # end check_form

--------------------
snippet, just HTML stuff I don't think you want to see and the send-mail stuff
--------------------
sub remove_escape_codes {
    # Take out all of the goofy escape codes that
    # the server likes to put in.
    local($variable, $keep_colon) = @_;
    $variable =~ s/\x2b/\x20/g;
    $variable =~ s/%2C/\x2c/g;
    $variable =~ s/%28/\x28/g;   # convert 28 to left paren
    $variable =~ s/%29/\)/g;     # convert 29 to right paren
    $variable =~ s/%3A/\x3a/g;   # convert 3A to colon
    $variable =~ s/\+/ /g;
    $variable =~ s/%26/\&/g;
    $variable =~ s/%27/\'/g;
    $variable =~ s/%2F/\//g;     # slash (erased)
    $variable =~ s/%3F/\?/g;     # question mark
    $variable =~ s/%21/!/g;      # exclamation mark
    $variable =~ s/%23/#/g;      # pound sign
    $variable =~ s/%24/\$/g;     # dollar sign
    $variable =~ s/%25/\%/g;     # percent sign
    $variable =~ s/%5E/^/g;      # caret
    $variable =~ s/%2B/+/g;      # plus
    $variable =~ s/%3D/=/g;      # equal
    $variable =~ s/%7C/\|/g;     # pipe
    $variable =~ s/%60/\`/g;     # backtick
    $variable =~ s/%7E/\~/g;     # tilde
    $variable =~ s/%3C/\</g;     # less than symbol
    $variable =~ s/%3E/\>/g;     # greater than symbol
    $variable =~ s/%3B/\;/g;     # semi colon
    $variable =~ s/%22/\"/g;     # quote
    $variable =~ s/%5B/[/g;      # left bracket
    $variable =~ s/%5D/]/g;      # right bracket
    $variable =~ s/%7B/\{/g;     # left brace
    $variable =~ s/%7D/\}/g;     # right brace
    $variable =~ s/%09/\t/g;     # tab
    $variable =~ s/:/-/g;        # colon
    $variable =~ s/%0D%0A/\n\t/g; # Carriage Return/Line Feed
    # Now that the escapes are decoded, the real characters below are
    # the ones that should not reach the browser; each becomes a hyphen.
    $variable =~ s/</-/g;
    $variable =~ s/>/-/g;
    $variable =~ s/%/-/g;
    $variable =~ s/;/-/g;
    $variable =~ s/!/-/g;
    $variable =~ s/&/-/g;
    $variable =~ s/=/-/g;
    $variable =~ s/\$/-/g;
    $variable =~ s/\+/-/g;
    $variable =~ s/\[/-/g;
    $variable =~ s/\]/-/g;
    $variable =~ s/\{/-/g;
    $variable =~ s/\}/-/g;

    return $variable;
}


sub get_date {
    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
    if ($min < 10) {
        $min = "0" . $min;
    }
    if ($sec < 10) {
        $sec = "0" . $sec;
    }

    # Increment the month by one because PERL's months
    # are in the range of 0..11. Weird, huh?
    $mon++;
    $year %= 100;

    $ydate_string = "$year$mon$mday";
    $xdate_string = "$mon$mday$year";
    $date_string = sprintf("%02d:%02d:%02d %02d/%02d/%02d", $hour, $min, $sec, $mon, $mday, $year);
    # Only one value can be returned; the second "return $xdate_string;"
    # that followed here could never run and has been dropped.
    return $date_string;
} #end get_date

# End of file #
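An added example, not code from the thread: a replacement for the get_form_data / remove_escape_codes pair posted above. It chooses where the raw query comes from by REQUEST_METHOD (the POST-versus-GET mix-up Cure points out; on a POST, assigning QUERY_STRING over the body just read from STDIN leaves an empty string), decodes every %XX escape with one substitution instead of a line per character, and only then applies the allowed-character list from the first post to each name and value. Order matters: running the whitelist on the raw string before the split, as the first version did, turns the '&' and '=' separators and every '%' into underscores before the parser can see them. The $OK_CHARS policy, the sample body and the field names are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowed characters (constructed policy, the same set the first post uses).
# Everything else in a field name or value becomes an underscore.
my $OK_CHARS = '-a-zA-Z0-9_.@';

# Decode one application/x-www-form-urlencoded token:
# '+' is a space, %XX is the byte with that hex value.
# One substitution with /e replaces the per-character s/%2C/,/ chain.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Replace every character outside $OK_CHARS with an underscore.
sub whitelist {
    my ($s) = @_;
    $s =~ s/[^$OK_CHARS]/_/g;
    return $s;
}

# Pick the raw query by request method: a POST body arrives on STDIN
# (CONTENT_LENGTH bytes), GET parameters arrive in QUERY_STRING. Never both.
sub read_raw_query {
    my $method = $ENV{REQUEST_METHOD} || '';
    if ($method eq 'POST') {
        my $len  = $ENV{CONTENT_LENGTH} || 0;
        my $body = '';
        read(STDIN, $body, $len) if $len > 0;
        return $body;
    }
    return $ENV{QUERY_STRING} || '';
}

# Split first, decode second, whitelist last. Reversing that order
# destroys the '&' and '=' separators and every '%' before the split.
sub parse_form {
    my ($raw) = @_;
    my %fields;
    for my $pair (split /&/, $raw) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $fields{ whitelist(url_decode($name)) } = whitelist(url_decode($value));
    }
    return \%fields;
}

# Constructed sample body standing in for what read_raw_query() returns
# inside a real CGI script; the markup in "comment" is there to show
# that every character outside the allowed set is neutralised.
my $sample = 'email=jane%40example.com&comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E+hi';
my $fields = parse_form($sample);
printf "%-8s => %s\n", $_, $fields->{$_} for sort keys %$fields;
```

In the real script, replace `$sample` with `read_raw_query()`. The whitelist is deliberately narrow: an email address survives it, while anything that could form a tag, an attribute or a shell metacharacter does not, so the two fields that are redisplayed to the browser carry only letters, digits and `-_.@`.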


japhy
Enthusiast

Feb 16, 2000, 12:42 PM

Post #5 of 6 (481 views)
Re: Substituting Characters with underscore

Oh dear. NO ONE should ever have to work that hard in a Perl program.

First, to do URI encoding (or decoding), use the URI::Encode module:

code:

use URI::Encode;
$safe = uri_encode("what's up, doc?");
$literal = uri_unencode($safe);

Second, the CGI module takes care of the URI encoding and decoding, as well as properly handling a CGI query.

code:

use CGI;
$q = new CGI;

$some_value = $q->param('first_name');
...

CGI.pm is standard with recent versions of Perl. It should be used.
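An added example, not code from the thread or from CGI.pm's own documentation, showing the CGI.pm route japhy recommends applied to the redisplay problem described in post #4. The object is built from a query string so the script runs offline; in a real CGI script `CGI->new` reads REQUEST_METHOD, QUERY_STRING and STDIN itself. The field names and values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed query: an apostrophe, bold tags, a space and an ampersand,
# all percent-encoded the way a browser submits a form.
my $sample = 'first_name=O%27Brien&comment=%3Cb%3Ehi%3C%2Fb%3E+%26+bye';
my $q = CGI->new($sample);

# param() returns the decoded value: %27 is an apostrophe, '+' a space,
# %26 an ampersand. No hand-written escape table is needed.
my $first_name = $q->param('first_name');
my $comment    = $q->param('comment');

# Decoding is not sanitising: $comment now holds literal "<b>" tags.
# Escaping at the point of output makes the browser render them as text
# instead of interpreting them, whatever the user typed.
sub render_field {
    my ($q, $label, $value) = @_;
    return "<p>$label: " . $q->escapeHTML($value) . "</p>\n";
}

print $q->header('text/html');
print render_field($q, 'Name',    $first_name);
print render_field($q, 'Comment', $comment);
```

`escapeHTML` turns `<`, `>`, `&` and `"` into their entity forms, so the comment field is shown as `&lt;b&gt;hi&lt;/b&gt; &amp; bye` and never becomes markup. Decoding on input and escaping on output are separate steps; the first post's approach collapsed both into one substitution chain. CGI.pm was part of the Perl core distribution when this thread was written and remained so through Perl 5.20; from 5.22 onward it is installed from CPAN.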


Melissa
Deleted

Feb 16, 2000, 1:05 PM

Post #6 of 6 (481 views)
Re: Substituting Characters with underscore

japhy,
Someone else mentioned that ... but I have to read up more on the information to see how it works. At this point, I don't even know where the codes you gave me would go. (the CGI.pm itself, or the cgi script)

Will the result be the same if we're looking for malicious code?
The articles put out by Cert and Apache, etc., don't mention it.
I've done other rewrites in the meantime, much cleaner. It ignores certain words, too.
Wanna see???

 
 

