ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have the unlucky situation of having taken over control at a small company who's CTO quit. I'm a single programmer (im a 20 year old comp sci student!) and I have this massive, undocumented code base to figure out. Fun job for anyone, I know
Anyways, I'm looking at this one particular webpage I'm forced to change. I'm really not that good at Perl compared to how I am in other languages. So I'm trying to figure out what the old programmer was doing to break apart this query string. If someone could explain this little code block I would really appreciate it. The same block or similiar blocks are all over the site, it must be on 20 pages. If it makes a difference I've kinda mustered out that we're using mod_perl and/or mason. But we still use a regular shabang line ... Anyways some lines/pieces I understand completely, others I have NO clue about. Please read my comments...
Code:
use URI::Escape;
my ($erl, $shname);
my ($buffer, @NVPairs, $NameValue, $Name, $Value, %var, $encshname);
if($ENV{REQUEST_METHOD} eq 'GET') {
$buffer = $ENV{QUERY_STRING}; # I fully understand this...
} else {
read(STDIN, $buffer, $ENV{CONTENT_LENGTH}); # But have no clue about this
}
# I get this, break up the query string using ampersand as delimiter
@NVPairs = split(/&/, $buffer);
# Now loop through the options and do something??? I think he's sanitizing the data...
foreach $NameValue (@NVPairs) {
($Name, $Value) = split(/=/, $NameValue); # Understand this part...
$Value =~ tr/+/ /; # Huh? Replace '+' with ' '??? Im lost...
# I dont really understand this too well, especially the pack() function
$Value =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack("C", hex($1))/eg
$var{$Name} = $Value;
}
$erl = $var{url};
$shname = uc($var{comp});
$encname = uri_escape("$shname");
$encshname =~ s/'/%27/g; # umm... what?
If anyone can help with all or parts of that code it would be a huge help. Its really critical that I understand this, I didnt even want to take the 20 minutes to write this, but I needed to. I'll keep researching, I've learned some parts, but a Perl guru walking me through it would help 10x more.
This goes through the $Value string and replaces hexadecimal numbers with their character equivalents. So %5A is the letter Z. It's a little bit obfuscated here, he's using the saved value from the parenthesized capture ($1) and converting it to a number -- hex("5a") is 90. Then the pack as a character makes it into a Z in ASCII.
Code:
$encshname =~ s/'/%27/g;
Here is the opposite of the last one. The ' character is 27 in hexadecimal in ASCII.
It's not too dificult if you know a little about HTTP.
Thinking in CGI:
When you request /cgi-bin/page.pl?a=1&b=2 you do a GET request. The parameters are in the url.
But you can request /cgi-bin/page.pl and stream a=1 later. Then you do POST. You can imagine the browser telling this to the web server:
POST /cgi-bin/page.pl HTTP/1.1
agent: foo
accept: bar
a=1&b=2
And then you read this via stdin. OK? that's easy
Now come the +. A url can't have spaces inside, so what do you do when you want to send one? encode it as '+'. And when you want to send a '+'? encode it as %2B. Yeah, it's really fun.
Do you remember the + as %2B? sure. 2B is the '+' char ASCII hex value. %([\dA-Fa-f][\dA-Fa-f] is the regex of a hexadeciaml numebr. Sure you see it if I rewrite as:
[0-9A-Fa-f][0-9A-Fa-f])
The \d means decimal.
Now be a good engy RTFM about pack(). perldoc is your friend.
use URI::Escape;
my ($erl, $shname);
my ($buffer, @NVPairs, $NameValue, $Name, $Value, %var, $encshname);
if($ENV{REQUEST_METHOD} eq 'GET') {
$buffer = $ENV{QUERY_STRING}; # I fully understand this...
} else {
read(STDIN, $buffer, $ENV{CONTENT_LENGTH}); # But have no clue about this
## depending on REQUEST_METHOD the CGI parameters
## are either in the QUERY_STRING parameter or are delivered
## on STDIN
}
# I get this, break up the query string using ampersand as delimiter
@NVPairs = split(/&/, $buffer);
# Now loop through the options and do something??? I think he's sanitizing the data...
foreach $NameValue (@NVPairs) {
($Name, $Value) = split(/=/, $NameValue); # Understand this part...
$Value =~ tr/+/ /; # Huh? Replace '+' with ' '??? Im lost...
## Blanks in CGI parameters are escaped as '+'
## this converts back to blanks
# I dont really understand this too well, especially the pack() function
$Value =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack("C", hex($1))/eg
## unpack non-printables (represented as '%00' - '%FF' hex values
## in URLs) back to original values
$var{$Name} = $Value;
}
$erl = $var{url};
$shname = uc($var{comp});
$encname = uri_escape("$shname");
$encshname =~ s/'/%27/g; # umm... what?
## replace single quotes (') with their HEX representation
## (probably to avoid SQL injection attacks)
## read more: http://www.unixwiz.net/techtips/sql-injection.html
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.