Thread: Hiding/hard coding search Url Variables with cgi script?

  1. #1
    Join Date
    Nov 2005
    Posts
    172

    Hiding/hard coding search Url Variables with cgi script?

    I have a cgi script that searches a simple pipe-delimited database. Through the url I can have the script sort/filter results. I want to hide the url sort/filters from viewers. Instead I would like to hard code a couple url attributes within the script.

    Here would be an example of hiding/hard coding everything past the .pl?

    BlogRSS.pl?PublishDate<=today&order_by=PublishDate&order=321


    Is this something anyone knows about? I have attached the script for review.

    Thanks, Aaron
    Last edited by adalby; 12-27-2007 at 06:56 PM.

  2. #2
    Join Date
    Sep 2006
    Location
    England
    Posts
    29
    Are you trying to hide the query string?

    The form that's submitted needs to use the POST method:
    <form method="POST" action="BlogRSS.pl">

    then to retrieve the data instead of

    my $qs = $ENV{'QUERY_STRING'};

    you need

    read(stdin, my $qs, $ENV{'CONTENT_LENGTH'});

  3. #3
    Join Date
    Jul 2003
    Location
    The City of Roses
    Posts
    2,503
    instead of
    my $qs = $ENV{'QUERY_STRING'};
    you need
    read(stdin, my $qs, $ENV{'CONTENT_LENGTH'});
    We actually shouldn't do either. We should use the CGI module to handle CGI parameters. For example,

    Code:
    use CGI;
    my $cgi = CGI->new();   # CGI.pm parses GET and POST parameters for you

    my $orderBy = $cgi->param('order_by');

    for(split(//,'))*))91:+9.*4:1A1+9,1))2*:..)))2*:31.-1)4131)1))2*:3)"'))
    {for(ord){$i+=$_&7;grep(vec($s,$i++,1)=1,1..($_>>3)-4);}}print"$s\n";
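    The CGI.pm approach above, combined with what the original poster asked for (the filter and sort fixed inside the script rather than read from the URL), as an added example that is not code from this thread. It assumes CGI.pm is installed and uses a constructed three-row stand-in for the pipe-delimited database; the one parameter it still accepts from the request is checked against an allow-list.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;
    use POSIX qw(strftime);

    # Constructed stand-in for the pipe-delimited database the script reads.
    # Columns: Title|PublishDate|Summary. ISO dates sort correctly as strings.
    my @rows = map { [ split(/\|/, $_) ] } (
        'First post|2007-12-01|Intro',
        'Second post|2007-12-20|Update',
        'Scheduled post|2099-01-01|Not public yet',
    );

    # Values that used to travel in the URL are now fixed here, so a visitor
    # cannot change the filter or the sort order by editing the query string.
    my %HARD_CODED = (
        max_date => strftime('%Y-%m-%d', localtime),  # PublishDate <= today
        order_by => 1,                                # column index of PublishDate
        order    => 'desc',                           # newest first
    );

    # One parameter is still accepted from the request, and only if it is on
    # the allow-list; anything else falls back to the default.
    my $cgi = CGI->new;
    my %LIMIT_OK = map { $_ => 1 } qw(5 10 25);
    my $limit = $cgi->param('limit');
    $limit = 10 unless defined $limit && $LIMIT_OK{$limit};

    my $col     = $HARD_CODED{order_by};
    my @visible = grep { $_->[$col] le $HARD_CODED{max_date} } @rows;
    my @sorted  = $HARD_CODED{order} eq 'desc'
        ? sort { $b->[$col] cmp $a->[$col] } @visible
        : sort { $a->[$col] cmp $b->[$col] } @visible;
    splice @sorted, $limit if @sorted > $limit;   # keep only the first $limit rows

    print $cgi->header('text/plain');
    print join('|', @$_), "\n" for @sorted;
    ```

    Run outside a web server as `perl blogrss.pl limit=5`: when REQUEST_METHOD is unset, CGI.pm takes name=value pairs from the command line, which makes the allow-list easy to exercise (try `limit=1000` and watch it fall back to 10). The scheduled 2099 row never appears, because the date filter is decided by the script, not by the visitor.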

  4. #4
    Join Date
    Sep 2006
    Location
    England
    Posts
    29
    Oh, OK. Is there any reason we shouldn't use my method, other than the fact the CGI module does the work of converting the %hex numbers back to characters?

  5. #5
    Join Date
    Jul 2003
    Location
    The City of Roses
    Posts
    2,503
    Because parameter parsing is deceptively difficult to get right. Most custom parser functions don't handle multiple values, such as what multiple select menus and checkboxes would create. The few that even try don't do a very good job. And no custom parser has ever been able to handle file uploads.

    Another problem is that this one line -- read(stdin, my $qs, $ENV{'CONTENT_LENGTH'}) -- will slurp every byte of data my computer sends. If I choose to send a POST request with a hundred gigabytes of data (probably for a malicious purpose) then your Perl program will try to put all one hundred gigabytes into memory. When the memory runs out, the computer will use virtual memory. And when that runs out, then suddenly your site won't be working very well.

    In short, every custom parser has been either incomplete or buggy, and it's best to avoid such code.
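    The two failure modes described above (an unbounded read of whatever CONTENT_LENGTH announces, and multi-valued fields that a hand-rolled parser drops) handled with CGI.pm's own settings, as an added example that is not code from this thread. It assumes CGI.pm 4.08 or later (for multi_param) and a form with no file fields; the 1 MiB cap is an assumed value, generous for a form that only carries sort/filter fields.

    ```perl
    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;

    # Cap on the request body, in bytes. CGI.pm stops reading at this point
    # instead of slurping everything the client says it will send.
    $CGI::POST_MAX = 1024 * 1024;

    # Refuse multipart uploads outright when the form has no file fields, so
    # no temporary files are written for bodies the script never wanted.
    $CGI::DISABLE_UPLOADS = 1;

    my $cgi = CGI->new;

    # cgi_error() is set when the body exceeded POST_MAX or an upload was
    # refused; the right response is the error status, not a half-parsed form.
    if (my $err = $cgi->cgi_error) {
        print $cgi->header(-status => $err);
        print "Request rejected: $err\n";
        exit;
    }

    # Multi-valued fields (a multiple <select> or a set of checkboxes) arrive
    # as a list; a split on '&' into a hash would silently keep only one.
    my @tags = $cgi->multi_param('tag');

    print $cgi->header('text/plain');
    printf "%d tag value(s): %s\n", scalar @tags, join(', ', @tags);
    ```

    Run as `perl tags.pl tag=perl tag=cgi` to see both values reported. With POST_MAX set, an oversized POST produces a "413 Request entity too large" error from cgi_error() rather than the memory growth the post describes; the script can keep serving other requests.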
