
Melissa
Feb 16, 2000, 8:29 AM
Post #4 of 6
Re: Substituting Characters with underscore
I had some luck yesterday!!! I hope this helps someone, OR someone corrects me and gets me on the right track!!! I'm not sure what I did was the best approach.

To answer perlkid, I'm using the data from the browser/form to send a couple of emails/alerts to people who need to know of a conference registration and at the same time putting the information into a database so that it can be retrieved if they need it for a report. BUT the third thing I'm doing, which is most important, is that I'm taking just two fields and redisplaying them to the browser, effectively using dynamic HTML. Because of the malicious code that can be submitted, I'm trying to change the characters that can be used in the code to something like a hyphen or underscore or something that will be ignored. Or, strip them out. Same thing with words like script, applet, etc.

To answer Cure, this is a CGI script that uses perl inside it. What is CGI.pm??? (I'll be looking that up while I look stupid here)

What I did yesterday that was successful was put some substitution lines in another subroutine, remove_escape_codes, and it works well just changing special characters to hyphens. BUT I'm having a problem with the email field because the information from the remove_escape_codes isn't passed to the fields('email'). Does anyone know how to explain to me how to do that???

Here's the majority of the script, including the main part where the emailpush is.

--------------------------
#!/usr/bin/perl
#
# Main
#
{
    &init;
    &show_standard_html_heading;
    &get_form_data;
    &check_form;

    if ($incomplete_form eq FALSE) {
        &store_form;

        # Include user's email in e-mail list.
        if ($fields{'email'}) {
            push(@mail_user, $fields{'email'});
        }

        &send_email;
        &notify_sender;
    } else {
        &redisplay_page;
    }

    &show_standard_html_ending;
}
#
# End of Main
#

sub get_form_data {
    # This function grabs the information from the browser and
    # crams it into the %fields associative array.

    # get the env variable and store it to the @prompts array
    read(STDIN, $save_string, $ENV{CONTENT_LENGTH});
    @prompts = split(/&/, $save_string);

    # step through each variable, clean up the garbage, and store
    # it to the %fields variable.
    foreach (@prompts) {
        ($tmp1, $tmp2) = split(/=/, $_);
        $tmp2 =~ s/\x2b/\x20/g;
        $tmp2 =~ s/%2C/\x2c/g;
        $tmp2 =~ s/%28/\x28/g;
        $tmp2 =~ s/%29/\x29/g;
        $tmp2 =~ s/%3A/:/g;    # convert 3A to colon
        $tmp2 =~ s/%40/\@/g;   # at symbol
        $fields{$tmp1} = &remove_escape_codes($tmp2);
    }
} # end get_form_data

-------------------- snippet, just HTML stuff I don't think you want to see --------------------

sub init {
    $server_root = "/usr/netscape/suitespot/https-server/logs/";

    # Push to as many users as necessary.
    push(@mail_user, "realuser\@domain.com");

    $registration_file = $server_root . "registration.db";
    $date_string = &get_date;
    $incomplete_form = FALSE;
} # end init

sub check_form {
    if (($fields{'email'} eq "") || (!($fields{'email'} =~ /.+\@.+/))) {
        $missing_email = TRUE;
        $incomplete_form = TRUE;
    }

    if (($fields{'conference'} eq "") and ($fields{'tour'} eq "") and
        ($fields{'icebreaker'} eq "") and ($fields{'dinner'} eq "") and
        ($fields{'golf'} eq "")) {
        $incomplete_form = TRUE;
    }
} # end check_form

-------------------- snippet, just HTML stuff I don't think you want to see and the send-mail stuff --------------------

sub remove_escape_codes {
    # Take out all of the goofy escape codes that
    # the server likes to put in.
    local($variable, $keep_colon) = @_;

    $variable =~ s/\x2b/\x20/g;
    $variable =~ s/%2C/\x2c/g;
    $variable =~ s/%28/\x28/g;   # convert 28 to left paren
    $variable =~ s/%29/\)/g;     # convert 29 to right paren
    $variable =~ s/%3A/\x3a/g;   # convert 3A to colon
    $variable =~ s/\+/ /g;
    $variable =~ s/%26/\&/g;
    $variable =~ s/%27/\'/g;
    $variable =~ s/%2F/\//g;     # slash (erased)
    $variable =~ s/%3F/\?/g;     # question mark
    $variable =~ s/%21/!/g;      # exclamation mark
    $variable =~ s/%23/#/g;      # pound sign
    $variable =~ s/%24/\$/g;     # dollar sign
    $variable =~ s/%25/\%/g;     # percent sign
    $variable =~ s/%5E/^/g;      # caret
    $variable =~ s/%2B/+/g;      # plus
    $variable =~ s/%3D/=/g;      # equal
    $variable =~ s/%7C/\|/g;     # pipe
    $variable =~ s/%60/\`/g;     # backtick
    $variable =~ s/%7E/\~/g;     # tilde
    $variable =~ s/%3C/\</g;     # less than symbol
    $variable =~ s/%3E/\>/g;     # greater than symbol
    $variable =~ s/%3B/\;/g;     # semi colon
    $variable =~ s/%22/\"/g;     # quote
    $variable =~ s/%5B/[/g;      # left bracket
    $variable =~ s/%5D/]/g;      # right bracket
    $variable =~ s/%7B/\{/g;     # left brace
    $variable =~ s/%7D/\}/g;     # right brace
    $variable =~ s/%09/\t/g;     # tab
    $variable =~ s/:/-/g;        # colon
    $variable =~ s/%0D%0A/\n\t/g;   # Carriage Return/Line Feed

    # Real characters we do not want: substitute a hyphen for each.
    $variable =~ s/</-/g;
    $variable =~ s/>/-/g;
    $variable =~ s/%/-/g;
    $variable =~ s/;/-/g;
    $variable =~ s/!/-/g;
    $variable =~ s/&/-/g;
    $variable =~ s/=/-/g;
    $variable =~ s/\$/-/g;
    $variable =~ s/\+/-/g;
    $variable =~ s/\[/-/g;
    $variable =~ s/\]/-/g;
    $variable =~ s/\{/-/g;
    $variable =~ s/\}/-/g;

    return $variable;
}

sub get_date {
    ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);

    if ($min < 10) { $min = "0" . $min; }
    if ($sec < 10) { $sec = "0" . $sec; }

    # Increment the month by one because PERL's months
    # are in the range of 0..11. Weird, huh?
    $mon++;
    $year %= 100;

    $ydate_string = "$year$mon$mday";
    $xdate_string = "$mon$mday$year";
    $date_string = sprintf("%02d:%02d:%02d %02d/%02d/%02d",
                           $hour, $min, $sec, $mon, $mday, $year);

    return $date_string;
} # end get_date

# End of file #
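The post above does the sanitizing by turning "dangerous" characters into hyphens on the way in, which corrupts the stored data and still leaves the email field unvalidated. The following is an added example, not the poster's script, showing the approach a reviewer would usually suggest instead: let CGI.pm (the module asked about) do the URL-decoding, validate the email field against a strict pattern, and escape the values only at the point where they are written back into HTML. Field names mirror the original script; the sample submission and the `valid_email`/`for_html` helper names are constructed for this example so it runs offline.

```perl
#!/usr/bin/perl
# Added example: validate-then-escape handling of a registration form.
# Not the original poster's code; the field names follow her script and
# the sample submission below is constructed so the script runs offline.
use strict;
use warnings;
use CGI;   # CGI.pm parses QUERY_STRING/STDIN and URL-decodes every field

# Constructed submission (a real script calls CGI->new with no argument
# and reads the live request). The name field carries a <script> tag,
# the email field an embedded CRLF followed by junk.
my $sample = 'name=Pat+%3Cscript%3Ealert(1)%3C%2Fscript%3E'
           . '&email=pat%40example.com%0D%0Anot-an-address'
           . '&conference=yes';
my $q = CGI->new($sample);

# Copy every submitted field into a hash, as get_form_data did; CGI.pm has
# already turned %40 into @, + into a space, and so on, so no hand-written
# substitution table is needed.
my %fields = map { $_ => scalar $q->param($_) } $q->param;

# Accept only what an address may contain. Whitespace and control
# characters (CR/LF included) fail the match, so a value that passes can
# never smuggle an extra header into the notification mail.
sub valid_email {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /^[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ ? 1 : 0;
}

# Escape at the point of output. The database and the mail keep exactly
# what the user typed; only the HTML view turns < > & " into entities,
# which the browser renders as text instead of executing.
sub for_html {
    my ($text) = @_;
    return CGI::escapeHTML(defined $text ? $text : '');
}

my @problems;
push @problems, 'email address is missing or malformed'
    unless valid_email($fields{email});
push @problems, 'no event selected'
    unless grep { defined $fields{$_} && length $fields{$_} }
           qw(conference tour icebreaker dinner golf);

print $q->header('text/html');
if (@problems) {
    # Redisplay the form: the offending name is shown back, but escaped,
    # so "<script>" appears literally on the page rather than running.
    print "<p>Please correct: ",
          join('; ', map { for_html($_) } @problems), "</p>\n";
    print '<input name="name" value="', for_html($fields{name}), "\">\n";
} else {
    # Only a validated address reaches this point; it can now be pushed
    # onto the recipient list exactly as the original Main block did.
    print "<p>Registered ", for_html($fields{name}),
          " (", for_html($fields{email}), ")</p>\n";
}
```

With the constructed input the script reports the malformed email and re-renders the name as `Pat &lt;script&gt;alert(1)&lt;/script&gt;` inside the input's value attribute. The division of labour is the point: decoding is the parser's job, validation rejects fields that have one allowed shape (an address), and escaping belongs to each output channel, so the same stored value can be written safely to HTML, to a database with placeholders, or into a mail without a substitution table that has to be extended every time a new character turns out to matter.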