form data to (.html) text file on server

saving unique file to server

         

jjdubecky

3:36 am on Jun 1, 2004 (gmt 0)

10+ Year Member



Having read plenty of groups over the years but never posting, this is a first. Whoever gets irate at nubies, move on...

I have a form, that I would like to parse, and output to an html file, making it unique upon "opening" by using a scalar variable from the form. My concerns are as follows:

1)Can I use the OPEN, and FILE HANDLES, in the same script that does the parsing? Where would be proper to insert the comments?

2)As mentioned above, the file to be generated, needs to be named from a scalar from the form, to make it identifiable. I figure if I declared the variable earlier I should be able to still use it, no?

-Of course I am under much stress, and duress in attempting to do this (I have until the end of the week 6/4/04), I have most of the pieces, but nobody to get feedback from, as I find myself quite alone in doing this. Help would be vastly appreciated, and probably good for your karma too.

MichaelBluejay

4:13 am on Jun 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think this will do what you want. I assume that your field with the file name is called "filename".

To get the value of a field if you know its name you use:

$value = $form{'fieldname'};

So, for example, if one of the form fields was called "age", and you wanted to assign its value to the $age variable, you'd use:

$age = $form{'age'};

---------------

##### GENERIC ROUTINE TO GET FORM INPUT

$dataSize = $ENV{'CONTENT_LENGTH'}; # find out how much data there is, in bytes

read (STDIN, $formData, $dataSize); # read that data into $formData

@pairs = split('&', $formData);

$counter=0;

foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    #$value =~ tr/\+/ /; # translates + signs back into spaces
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # translates hex back into ASCII
    $form{$name} = $value; # store results in a hash, if I need to reference them by name

    $fields[$counter] = $name; # store results in an array, if I just want to output all of them
    $values[$counter] = $value;
    $counter++;
}
$formSize = $counter;

#### OPEN THE FILE & WRITE THE DATA

open(OUTF,">$form{'filename'}") or die "Cannot open $form{'filename'}: $!"; # stop if the file cannot be created
## (put all your print statements here)
close(OUTF);

VectorJ

3:48 pm on Jun 1, 2004 (gmt 0)

10+ Year Member



Just a thought, but there are a number of security problems associated with allowing form data to create files on your server. Be sure to normalize your data before using the filename submitted from the form.

MichaelBluejay

7:25 pm on Jun 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What does "normalize" mean?

VectorJ

7:36 pm on Jun 1, 2004 (gmt 0)

10+ Year Member



Normalize means to remove or escape characters and phrases that shouldn't be in the data. To modify the data so that it is in the expected or "normal" form. In this case, the programmer needs to remove anything that could be a SQL-injection attack or an attempt to run code from the values placed in the form field.

jjdubecky

8:37 pm on Jun 1, 2004 (gmt 0)

10+ Year Member



thanks for the coding tip, and yes I do want to implement security measures, following completion. Thank you all for the help. I'll follow shortly on results and all that...

lexipixel

12:19 pm on Jun 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



From what you're saying, it sounds like you don't have control over what the string to be converted to filename will be. If that's the case, you have two options...

1. Carry a hidden var that you generate and associate that as the unique controlling value, (ie- FILE0001, FILE0002, FILE0003.. .etc..).

or..

2. convert just about anything the user types in to a filename, (their name, email address, pet's name)...
If you can't guarantee "unique", you could always check to see if a file with the name you want to use exists, then increment it, ie- John_1003.html exists, increment to "John_1004.htm"... etc..

Below is a sub to normalize odd strings for use as part of a file specification.

Here's how it's called-

# dummy vars
# you could get "unique string"
# from your form, generate it on
# the fly, serialize it, whatever...
#
$unique_string = 'This CAN be ANY$#@ string 234';
$dir = '/stuff/files/here';
$filespec = "$dir/" . Norm("$unique_string") . '.html';

$filespec should return:
"/stuff/files/here/this_can_be_any_string_234.html"

# ========
sub Norm {
# ========
    #
    # Converts passed string to lower case
    # string containing only a-z, 0-9 and
    # _ for use as part of a file spec.
    #
    #
    my ($s) = @_;
    #
    $s =~ s/\W/ /g;   # \w = [A-Za-z0-9_] \W = *not*
    $s =~ s/^\s+//;   # trim left
    $s =~ s/\s+$//;   # trim right
    $s =~ s/\s+/ /g;  # clean middle white space
    $s =~ s/ /_/g;    # convert spaces to underscores
    $s = lc("$s");    # lower case for file spec
    #
    return $s;
    #
}
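
Added example, not code from any poster in this thread: one way to combine the normalization above with the "check whether the file exists, then increment" idea, using an exclusive create so that the existence check and the file creation are a single step. The sub names safe_name, create_unique and html_escape, the /tmp output directory and the sample form values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Reduce an untrusted string to lowercase a-z, 0-9 and "_" (same idea as Norm
# in the post above, but ASCII-only, length-capped and never empty).
sub safe_name {
    my ($s) = @_;
    $s = lc($s // '');
    $s =~ s/[^a-z0-9]+/_/g;      # every run of other characters becomes one "_"
    $s = substr($s, 0, 64);      # keep file names short
    $s =~ s/^_+|_+$//g;          # trim leading/trailing underscores
    return length($s) ? $s : 'untitled';
}

# Create "<dir>/<name>.html", or "<name>_1.html", "<name>_2.html", ... if taken.
# O_EXCL makes "check that it does not exist" and "create it" a single step,
# so two simultaneous submissions cannot both get the same file.
sub create_unique {
    my ($dir, $raw) = @_;
    my $base = safe_name($raw);
    for my $n (0 .. 999) {
        my $path = "$dir/$base" . ($n ? "_$n" : '') . '.html';
        if (sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)) {
            return ($fh, $path);
        }
        die "Cannot create $path: $!" unless $!{EEXIST};
    }
    die "Too many files named $base";
}

# Escape form values before printing them into the generated HTML page.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Constructed sample input standing in for $form{'filename'} and one field.
my %form = (filename => '../reports/John Smith!', comment => '<b>hi</b> & bye');
my $dir  = '/tmp';               # assumed writable output directory
my ($fh, $path) = create_unique($dir, $form{filename});
print $fh '<html><body><p>', html_escape($form{comment}), "</p></body></html>\n";
close($fh) or die "Cannot close $path: $!";
print "wrote $path\n";
```

With the constructed input the first run writes /tmp/reports_john_smith.html, and a second run writes /tmp/reports_john_smith_1.html instead of overwriting the first file.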

lexipixel

12:29 pm on Jun 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




1)Can I use the OPEN, and FILE HANDLES, in the same script that does the parsing?

Yes.


1)Where would be proper to insert the comments?

In step #4 below?

1. user retrieves FORM
2. user completes and SUBMITs FORM
3. perl script parses FORM using CGI
4. script builds HTML from form data
5. script writes HTML to disk
6. script responds to or redirects user


2)As mentioned above, the file to be generated, needs to be named from a scalar from the form, to make it identifiable. I figure if I declared the variable earlier I should be able to still use it, no?

I suggest you generate the HTML FORM from within the CGI script, (ie- if script is called with no vars, it produces the HTML FORM... and now you are in control because you can embed the unique identifying string in a hidden var)...

if ($hidden_var eq '') {
#
# generate an HTML FORM containing
# unique string in HIDDEN INPUT var
#
} else {
#
# process form data
#
}

Unless you want the user data to determine filename, in which case use the sub "Norm" from my last post.