LinuxQuestions.org

noir911 01-06-2007 05:11 PM

[Perl] cgi.pm - save input in .html file
 
I created a cgi file (test.cgi) which takes user input and shows at the bottom of test.cgi. I want the result to be saved on test.cgi or to some other .html or .cgi file until and unless it is changed by another user; so if someone goes to http://127.0.0.1/test.html they would be able to see the last saved action.

Here's my code

Code:

#!/usr/bin/perl

use CGI qw(:standard);

print header;
print start_html('Test Form'),
    h1('A Test Form'),
    start_form,
    "What's your name? ",textfield('name'),
    p,
    "What's your favorite mail client?",
    p,
    checkbox_group(-name=>'words',
                  -values=>['mutt','mail','pico','sylpheed'],
                  -defaults=>['mutt','mail']),
    p,
    "What's your favorite editor? ",
    popup_menu(-name=>'editor',
              -values=>['emacs','vi','ed','cat']),
    p,
    submit,
    end_form,
    hr;

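if (param()) {
    # em() does not escape its content, so escape submitted values before echoing them
    print
        "Your name is ",em(CGI::escapeHTML(scalar param('name'))),
        p,
        "The keywords are: ",em(CGI::escapeHTML(join(", ",param('words')))),
        p,
        "Your favorite editor is ",em(CGI::escapeHTML(scalar param('editor'))),
        hr;
}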
print end_html;

Here's my output

Quote:


A Test Form

What's your name?

What's your favorite mail client?

mutt mail pico sylpheed

What's your favorite editor? <drop down list>

(Submit Query button)

Your name is john

The keywords are: mail, pico

Your favorite editor is cat

j-ray 01-07-2007 05:06 AM

You could open a filehandle and print to the filehandle the HTML code you need to display the content, including the current values of the variables. See perldoc perlfunc => "open". The HTML file should reside outside of the cgi-bin and be included in a frame i.e. It is a big security risk to make the cgi-bin writable for web users on production servers. Good luck, r

petersum 01-07-2007 02:36 PM

j-ray's reply seems a little confusing but essentially correct. As I see it, the security risk is in using the Perl module to write the form. A normal HTML page (not in cgi-bin) is better. Then a parsing script to take the post data and write it to any file (again not a .htm file, even though it may contain HTML code) using the open statement as j-ray suggested. This file should have a weird extension that the web server won't recognise and even a hacker won't understand. Then use JavaScript to insert it into a webpage.

Of course, this assumes that you have a good knowledge of Perl and JavaScript. But that is what security is all about. Forms will always be dangerous when used by novice and even quite well experienced programmers. Why don't I like Perl modules? Because they are not needed and can expose you to security risks when you are not familiar with the inner workings.

The most important security check is to ensure that the form data really did come from the form on your server and not from somewhere else. Also that it contains ONLY the normal text that you expect, and not programming code!

Security is a pain, or fun to implement, depending on your frame of mind. Until you get the hang of it, stay on 127.0.0.1 !!!
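
The approach described in the replies above (check that the submitted values contain only the expected text, then print the page to a file outside cgi-bin), as an added example that is not part of the thread. The output path and the name pattern are assumptions, the target directory is assumed to be writable only by the CGI user, and `multi_param` needs CGI.pm 4.08 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);
use File::Temp qw(tempfile);
use File::Basename qw(dirname);

# Assumed path: a directory outside cgi-bin that only this script may write.
my $OUT = '/var/www/html/saved/last.html';
# Allow-lists mirror the choices offered by the form in the question.
my %CLIENTS = map { $_ => 1 } qw(mutt mail pico sylpheed);
my %EDITORS = map { $_ => 1 } qw(emacs vi ed cat);

# Return the fields if every value is expected, otherwise an empty list.
sub validate {
    my ($name, $editor, @words) = @_;
    return unless defined $name && $name =~ /\A[A-Za-z][A-Za-z .'-]{0,39}\z/;
    return unless defined $editor && $EDITORS{$editor};
    return if grep { !$CLIENTS{$_} } @words;
    return ($name, $editor, @words);
}

# Build the static page; every user-supplied value is HTML-escaped.
sub render {
    my ($name, $editor, @words) = @_;
    my $e = sub { CGI::escapeHTML($_[0]) };
    return "<html><head><title>Last entry</title></head><body>\n"
         . "<p>Your name is <em>" . $e->($name) . "</em></p>\n"
         . "<p>The keywords are: <em>" . $e->(join ', ', @words) . "</em></p>\n"
         . "<p>Your favorite editor is <em>" . $e->($editor) . "</em></p>\n"
         . "</body></html>\n";
}

# Write a temp file in the target directory, then rename it into place,
# so visitors never fetch a half-written page.
sub save_page {
    my ($path, $html) = @_;
    my ($fh, $tmp) = tempfile(DIR => dirname($path), UNLINK => 0);
    print {$fh} $html;
    close $fh or die "close $tmp: $!";
    chmod 0644, $tmp or die "chmod $tmp: $!";
    rename $tmp, $path or die "rename $tmp: $!";
}

print header;
if ((request_method() || '') eq 'POST') {
    my @ok = validate(scalar param('name'), scalar param('editor'),
                      multi_param('words'));
    if (@ok) { save_page($OUT, render(@ok)); print p('Saved.') }
    else     { print p('Rejected: unexpected input.') }
}
```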


All times are GMT -5.