Re:Re: [PBML] Pattern matching in an array

  • Don Smith
    Message 1 of 2, Jun 29, 2002
      Charles,

      Thanks for your reply to my question yesterday. In response to your
      questions and your suggestion I post the code that wasn't working, I did two
      things... First I went to bed and got some sleep, and then I got up today (I
      can't say this morning!) and actually got my code working. As I wrote it
      step by step, figuring things out and commenting them in the script as I
      went along, I came to the conclusion that this might be helpful to fellow
      beginners.

      I don't pretend it's a 'good' script or that my style is proper, but it does
      what I want, it helped me learn a bit about arrays and pattern matching and
      it was fun seeing it work!

      The reason I want to 'clean' data going into the database is because it
      happens quickly during submission and I don't have to worry about it again. If I
      had a large database and had to clean the characters before displaying the data,
      it could take awhile, depending on the size of the database.

      There are two parts included in this message... the HTML form page and the
      CGI script which is included just after the HTML portion below. They both
      work on my windows machine. (I double-checked just before I pasted the code
      into this e-mail!)

      I'd appreciate your comments on how it could be improved. One area I ran
      into a problem was with a submission of a form with a blank field before a
      field that contained data. The cleaning subroutine wouldn't run. I fixed
      it, but it ain't pretty!

      Thanks in advance to you and anyone else who has any comments on how
      this script could be improved.

      Ain't learnin' fun!


      Cheers,
      Don


      Copy the code below into two files. Call the HTML file whatever you like,
      but it will be looking for a file called 'CharToHtml.cgi', so use that name
      for the CGI script below.

      ******** HTML START ************************

      <HTML>
      <Body>


      <H2>Characters to HTML Code Conversion</H2>
      <!--
      This page and the associated CharToHtml.cgi script demonstrate what I've
      learned about arrays and pattern matching with Perl.
      I'm very new to Perl, as you can tell from my code, so don't be too
      critical.

      This is merely my attempt in helping somebody else learn what I spent hours
      trying to figure out.

      Don Smith
      dmsmith@...

      -->

      <H3>Enter text and characters into the boxes below.</H3>
      This example works with the following characters:<Font
      size='+1'> &amp; " $ % ( ) * / : ? [ \ ] ; ^ { | } ~ &lt;&nbsp;&gt;</Font>

      <!-- The codes above were written with this script in 'like' a second! -->
      <BR>


      <FORM name="myform" ACTION="http://localhost/cgi-bin/CharToHtml.cgi"
      METHOD="POST">


      <TABLE BORDER="0" CELLSPACING="0" cellpadding="0" WIDTH="470">
      <TR>
      <TD Align = "right">
      <B>Name:</B>
      <INPUT TYPE="text" NAME="Field1" SIZE=40 MAXLENGTH=60><I> Optional
        </I><BR>

      <B>E-Mail:</B>
      <INPUT TYPE="text" NAME="Field2" SIZE=40 MAXLENGTH=60><I> Optional
        </I><BR></TD>
      </TR><TR>

      <TD align="Left" width="470">

      <B>Text Area 1</B>(the default code in this box is only to demonstrate that
      javascript can run. When you click the box with the red 'X' on the next
      page, a message pops up.)<BR>
      <Center><TEXTAREA NAME="Field3" ROWS="3" COLS="55">
      <a href="javascript:alert('JavaScript runs, but Perl ROCKS!')">
      <img src='none.gif' width=40 height=40>
      </a></TEXTAREA></Center><BR>


      <B>Text Area 2</B><BR>
      <Center><TEXTAREA NAME="Field4" ROWS="3" COLS="55"></TEXTAREA></Center><BR>

      <Center><INPUT TYPE="SUBMIT" VALUE="Submit"></Center>




      </TD></TR></Table>


      </Form>
      </Body>
      </HTML>


      ******** HTML END **************************
      *
      *
      *
      *
      ******** CGI SCRIPT START *******************

      #!/usr/bin/perl -w


      # WARNING!! - I am no expert at working with Perl. This script was
      # developed for my educational purposes only on my Windows
      # (color me red!) machine.
      #
      # Use at your own risk!
      #
      # This code was written to learn about arrays, strict and
      # pattern matching. I wanted to write a script that would remove
      # specific characters from form input and replace them with the
      # corresponding HTML codes so that the code would be displayed
      # but not run in the results displayed on screen.
      #
      # This program and the associated HTML form CharToHtml.html
      # demonstrate what I mean.
      #
      # I severely commented this program file because I tend to forget
      # stuff easily and I figured it might help someone else.
      #
      # I suppose two practical applications for this script are:
      #
      # 1) Prevent malicious code from being submitted.
      # 2) If you want to display HTML code on an HTML page
      # (now there's a challenge!), this script will save you
      # a TON of work!
      #
      # This code was posted to the PerlBeginner's Forum with the hope that
      # someone else might find it helpful.
      #
      # Don Smith
      # dmsmith@...


      use CGI qw/:standard/; # CGI.pm is found on the normal module search
                             # path, so no 'use lib' line is needed for it.
      use CGI::Carp 'fatalsToBrowser'; # This really helps me a LOT!!!


      use strict; # This is a security measure (Strict
      # security!) Strict forces you to
      # declare the variables you want to
      # use within the script.


      print"Content-type: text/html\n\n";


      my $foo = CGI->new;

      # Print input fields to the browser just to see what was entered - Start
      # ---------------------------------------------------------------------


      print"<H2> This displays the data as it was entered (not cleaned).</H2>";
      print"<TABLE Border='1' Cellpadding='5'>";
      print"<TR><TD>Field1</TD><TD>" . $foo->param('Field1') . "</TD></TR>";
      print"<TR><TD>Field2</TD><TD>" . $foo->param('Field2') . "</TD></TR>";
      print"<TR><TD>Field3</TD><TD>" . $foo->param('Field3') . "</TD></TR>";
      print"<TR><TD>Field4</TD><TD>" . $foo->param('Field4') . "</TD></TR>";
      print"</Table>";

      print"<HR>";

      # ---------------------------------------------------------------------
      # Print input fields to the browser just to see what was entered - End
      #
      #
      # Change blank fields to "nil" - Start
      # ---------------------------------------------------------------------

      my ($v1, $v2, $v3, $v4); # Declares the variables for 'Strict'. To
      # see what happens, take the ', $v4' out,
      # save and re-run the script... Just don't
      # forget to put them back!

      if ($foo->param('Field1') eq ""){
      $v1 = "nil";
      } else {
      $v1 = $foo->param('Field1'); # [0] array element
      }

      if ($foo->param('Field2') eq ""){
      $v2 = "nil";
      } else {
      $v2 = $foo->param('Field2'); # [1] array element
      }
      if ($foo->param('Field3') eq ""){
      $v3 = "nil";
      } else {
      $v3 = $foo->param('Field3'); # [2] array element
      }
      if ($foo->param('Field4') eq ""){
      $v4 = "nil";
      } else {
      $v4 = $foo->param('Field4'); # [3] array element
      }

      # ---------------------------------------------------------------------
      # Change blank fields to "nil" - End
      #
      #
      # This creates an array of the input fields - Start
      # ---------------------------------------------------------------------

      my @list = ($v1, $v2, $v3, $v4); # Declare the array for 'Strict' and
                                       # fill it with the four fields in one
                                       # step. This is the actual array.

      # ---------------------------------------------------------------------
      # This creates an array of the input fields - End
      #
      #
      # Demonstrate output 1 - Start
      # ---------------------------------------------------------------------

      print "<H2>This is the output of one element of the array before
      cleaning.</H2>";

      print $list[3]; # (Line 120) This prints an element of the
      # array to screen. The [number] refers to
      # the element of the array.

      print "<BR><HR><BR>";

      # ---------------------------------------------------------------------
      # Demonstrate output 1 - End
      #
      #
      # Calling the subroutine - Start
      # ---------------------------------------------------------------------

      char_to_html(); # This calls the subroutine into action!

      # ---------------------------------------------------------------------
      # Calling the subroutine - End
      #
      #
      # Subroutine Code - Start
      # ---------------------------------------------------------------------

      sub char_to_html {

      # $count is the index into the array. A 'for' loop over
      # 0 .. $#list visits every element from the first to the
      # last, so it can't run past the end of the array and it
      # doesn't stop early on a blank element the way
      # 'while ($list[$count] ne "")' did.

      for my $count (0 .. $#list) {


      # --- Search and replace code ----- Start

      $list[$count] =~ s/\&/\&\#38;/g; # - & - The ampersand check HAS to
      # be first or it will strip the
      # ampersand out of the other
      # character HTML codes! - Feel free
      # to move it around in the test
      # scripts to see the effect, but
      # just remember to put it back in the
      # first position when you are done!


      $list[$count] =~ s/\$/\&\#36;/g; # - $
      $list[$count] =~ s/\"/\&\#34;/g; # - "
      $list[$count] =~ s/\%/\&\#37;/g; # - %
      $list[$count] =~ s/\(/\&\#40;/g; # - (
      $list[$count] =~ s/\)/\&\#41;/g; # - )
      $list[$count] =~ s/\*/\&\#42;/g; # - *
      $list[$count] =~ s/\//\&\#47;/g; # - /
      $list[$count] =~ s/\:/\&\#58;/g; # - :
      $list[$count] =~ s/\?/\&\#63;/g; # - ?
      $list[$count] =~ s/\[/\&\#91;/g; # - [
      $list[$count] =~ s/\\/\&\#92;/g; # - \
      $list[$count] =~ s/\]/\&\#93;/g; # - ]
      $list[$count] =~ s/\^/\&\#94;/g; # - ^
      $list[$count] =~ s/\{/\&\#123;/g; # - {
      $list[$count] =~ s/\|/\&\#124;/g; # - |
      $list[$count] =~ s/\}/\&\#125;/g; # - }
      $list[$count] =~ s/\~/\&\#126;/g; # - ~
      $list[$count] =~ s/\</\&\#60;/g; # - < (&#60; is the code for '<'.
                                       # &#139; is not; Windows browsers
                                       # draw it as the '‹' quote mark.)
      $list[$count] =~ s/\>/\&\#62;/g; # - > (&#62;, not &#155;, for the
                                       # same reason.)


      # $list[$count] =~ s/\@/\&\#64;/g; # - @ Using this one would make e-mail
      # address links unusable, so I don't
      # recommend replacing the '@' symbol
      # unless you are positive you won't be
      # using e-mail addresses.

      # --- Search and replace code ----- End



      # The 'for' loop advances $count by itself, so there is
      # no counter to increment here and no way to forget it.

      }

      }

      # ---------------------------------------------------------------------
      # Subroutine Code - End
      #
      #
      # Demonstrate output 2 - Start
      # ---------------------------------------------------------------------

      print "<H2> This displays the array (all the fields) after it has been
      cleaned.</H2>";
      print "<H3>It will be displayed as one continuous string.</H3>";

      print @list; # This will print the whole 'cleaned' array to
      # the screen.

      print "<BR><HR><BR>";

      print "<H2> This displays one element of the array after it has been
      cleaned.</H2>";

      print $list[3]; # This prints one element of the 'cleaned
      # array' to the screen because it follows
      # the subroutine 'call'.
      # If you place this code before
      # '&char_to_html; ' you'll get the actual
      # character, not the HTML code as we
      # see at line 120 of this example.
      print "<BR><HR><BR>";

      # ---------------------------------------------------------------------
      # Demonstrate output 2 - End
      #
      # Print cleaned input fields to the browser - Start
      # ---------------------------------------------------------------------

      # This is what this whole thing was all about!

      print "<H2> This displays the data after it has been cleaned.</H2>";
      print"<B>In a browser, it looks exactly the same as what was entered into
      the form, but if you look at the source code<BR> of this displayed page,
      you'll see the HTML character codes, not the actual characters.</B><BR>";
      print"<TABLE Border='1' Cellpadding='5'>";
      print"<TR><TD>Field1</TD><TD>" . $list[0] . "</TD></TR>";
      print"<TR><TD>Field2</TD><TD>" . $list[1] . "</TD></TR>";
      print"<TR><TD>Field3</TD><TD>" . $list[2] . "</TD></TR>";
      print"<TR><TD>Field4</TD><TD>" . $list[3] . "</TD></TR>";
      print"</Table>";

      print"<HR>";

      # ---------------------------------------------------------------------
      # Print cleaned input fields to the browser - End




      ******** CGI SCRIPT END **************************



      ----- Original Message -----
      From: "Charles K. Clarkson" <cclarkson@...>
      To: <perl-beginner@yahoogroups.com>
      Sent: Friday, June 28, 2002 6:22 PM
      Subject: Re: [PBML] Pattern matching in an array


      > "Don Smith" <dmsmith@...> wrote:
      >
      > : I've been trying to write a script to look at a group of input
      > : fields in a form and replace specific characters with their
      > : HTML code equivalents.
      > :
      > : example:
      > :
      > : $v1 =~ s/\$/\&\#36;/g; replaces $ with $
      > : $v1 =~ s/\&/\&\#38;/g; replaces & with &
      > :
      > : This works well for me since the output of the fields is only
      > : displayed in HTML. The intent is to prevent people from
      > : entering malicious code into text areas in my forms.
      >
      > How are you using the data?
      >
      > For instance, if I have a large text field in the form and I
      > only place the information into a database, how does it
      > become malicious?
      > If it becomes malicious when it is printed to an HTML page
      > or some other output, then you really need a way to encode
      > items as they are used for output, not as they are received.
      > You'd want the raw data "as is" in case you output it
      > benignly.
      >
      > [snip]
      > : One solution, as I see it, is to create a subroutine that I can
      > : call to check each field. Another I suppose, is to create an
      > : array of the fields I want to check and pass them through
      > : the "cleaning code".
      > :
      > : Therein lies my problem... I can't get either one to work.
      > : I've read through books, I've searched the net, and as a
      > : last resort before I pull my hair out, I'm posting here asking
      > : for assistance.
      >
      > What sample pieces of code do you have?
      > Which part(s) is "not working"?
      >





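
An added example, not Don's script and not anything posted in the thread: the same escaping done the way Charles suggests, as one output-time step over the list of fields. It goes a little beyond the thread's script: it keeps blank fields in place instead of substituting "nil", escapes only the five characters that change meaning in HTML (the other substitutions in the original are harmless but unnecessary), and shows the double-encoding you get if escaped text is stored and then escaped again on display. The four sample values are constructed here, not taken from the form.

```perl
#!/usr/bin/perl
# Added example (not from the original post): escape HTML at output time.
use strict;
use warnings;

# The five characters that matter in HTML text and attribute values.
# %, $, (, ), etc. are harmless in a text node and need no escaping.
my %entity = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);

# One pass with one regex: the replacement text is never re-scanned,
# so the "ampersand must come first" ordering problem goes away.
sub escape_html {
    my ($text) = @_;
    return '' unless defined $text;      # a missing field becomes ''
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Escape every field in a list. Blank fields stay blank and stay in
# position, so the result lines up with the input one to one.
sub escape_fields {
    my @fields = @_;
    return map { escape_html($_) } @fields;
}

# Constructed sample submission: a blank field *before* a field with
# data (the case that stopped the original loop), an address, the
# JavaScript link from the demo form, and some mixed punctuation.
my @raw = (
    '',
    'dmsmith@example.invalid',
    q{<a href="javascript:alert('Perl ROCKS!')">x</a>},
    'Tom & Jerry say "hi" <3',
);

my @clean = escape_fields(@raw);

# This is what the page source will contain; the browser shows the
# original characters but never parses them as markup.
print "$_\n" for @clean;

# Self-checks so the example doubles as a test when run.
die 'blank field lost'  unless @clean == @raw && $clean[0] eq '';
die 'address changed'   unless $clean[1] eq $raw[1];
die '< not escaped'     unless $clean[2] =~ /^&lt;a href=&quot;javascript:/;
die 'ampersand mangled' unless $clean[3] eq 'Tom &amp; Jerry say &quot;hi&quot; &lt;3';

# Caveat: escaping is an output step. If the escaped text is stored and
# then escaped again when displayed, the first escape's '&' is escaped
# too and the page shows the entity text literally.
my $twice = escape_html($clean[3]);
die 'double-escape check' unless $twice =~ /^Tom &amp;amp; Jerry/;
print "ok\n";
```

Run it from the command line (`perl escape_example.pl`); it prints the four escaped fields and `ok`. The last check is the practical reason behind Charles's advice: keep the raw text in the database and call `escape_html` once, at the point where the value is written into an HTML page.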