PerlMonks  

If File Exists

by damian (Beadle)
on Jun 19, 2000 at 13:11 UTC

damian has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a simple shopping cart that writes user input into a temporary file. Now my problem is that if I refresh the form for user inputs it creates a fresh new file. My file format is like this "$ENV{REMOTE_ADDR}.$ENV{HTTP_COOKIE}.txt". My question is how can I check if a file already exists?

Replies are listed 'Best First'.
POTENTIAL SECURITY HOLE
by merlyn (Sage) on Jun 19, 2000 at 17:59 UTC
    No. Don't use anything that starts with HTTP_ directly in a file path. Extract the information into an untainted variable.

    This is why I recommend that all CGI programs run with -T (enabling taint mode)... to keep you from making stupid dangerous mistakes like this without deliberately trying to get around it.

    -- Randal L. Schwartz, Perl hacker

Re: If File Exists
by muppetBoy (Pilgrim) on Jun 19, 2000 at 13:21 UTC
      No. Don't use anything starting with HTTP_ directly in any file path. This is an arbitrary string coming from the browser, and can be manipulated directly by a person with ill intentions.

      -- Randal L. Schwartz, Perl hacker

Re: If File Exists
by cds (Sexton) on Jun 19, 2000 at 14:10 UTC

    You may also want to check that it's a file (not a directory or special file), and that it's readable and writeable. Try:

    if (-e "$ENV{REMOTE_ADDR}.$ENV{HTTP_COOKIE}.txt") {
        if (-f _) {
            if (-r _) {
                if (-w _) {
                    # Do stuff here
                } else {
                    # Not writable
                }
            } else {
                # Not readable
            }
        } else {
            # Not a file
        }
    } else {
        # Doesn't exist
    }

    You can put all the checks in the one if by anding them if you only need to check that the file exists and is accessible.

    Colin Scott
    If you build it, they will be dumb...
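
The following is an added example, not part of any post in this thread. It combines the untainting advice in "POTENTIAL SECURITY HOLE" with the file tests from the reply above: the file name is built only from an id captured by a strict pattern, never from the raw cookie string. The cookie name `cart`, the 32-hex-digit id format and the directory `/var/tmp/carts` are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example; run as ./cart_check.pl or `perl -T cart_check.pl`.
use strict;
use warnings;

# Assumption: carts live in one fixed directory the script controls.
my $CART_DIR = '/var/tmp/carts';

# Return a safe cart path built from the request, or undef if the
# cookie does not carry a well-formed id. The cookie name "cart" and
# the 32-hex-digit format are assumptions for this example.
sub cart_path {
    my ($cookie_header) = @_;
    return unless defined $cookie_header;
    # Capturing with a strict pattern is what untaints the value under -T;
    # only [0-9a-f] can reach the file name, so no "/", ".." or NUL.
    my ($id) = $cookie_header =~ /(?:^|;\s*)cart=([0-9a-f]{32})(?:;|\z)/
        or return;
    return "$CART_DIR/$id.txt";
}

# Classify the cart file with the same file tests as the reply above.
# File tests do not trip taint mode; opening a file for writing with a
# tainted name does, which is why the path must come from cart_path().
sub cart_status {
    my ($path) = @_;
    return 'rejected' unless defined $path;
    return 'new'      unless -e $path;       # no cart yet: create it
    return 'not a plain file' unless -f _;   # _ reuses the stat from -e
    return (-r _ && -w _) ? 'existing' : 'not accessible';
}

# Constructed sample values standing in for $ENV{HTTP_COOKIE}.
my @samples = (
    'cart=0123456789abcdef0123456789abcdef',
    'lang=en; cart=0123456789abcdef0123456789abcdef; theme=dark',
    'cart=../../etc/passwd',
    'cart=0123456789abcdef0123456789abcdef.txt/../../x',
);
for my $cookie (@samples) {
    my $path = cart_path($cookie);
    printf "%-62s => %s\n", $cookie, cart_status($path);
}
```

The last two samples print `rejected` because nothing outside the pattern is ever copied into the path.
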
Re: Merlyn's POTENTIAL SECURITY HOLE
by mcwee (Pilgrim) on Jun 20, 2000 at 17:39 UTC
    (sorry for this moment of meta-commentary, but . . . )

    I just want to say that I preferred the POTENTIAL SECURITY HOLE posted at 18:56 over the one posted at 18:59 because the former gave an example of what was wrong with this progging-behavior, while the latter just said "don't do it." I'm only mentioning this because I've got my prefs set to list comments by highest score, so when I first viewed the page it was the latter post which was closer to the top. I'm still fairly newbie (but aren't we all?-- man in the subject line excepted, of course.), so I super appreciate it when the more (or in this case most) knowledgeable monks take the extra moment to give a concrete example of why a don't is a don't, or a do is a do. (Which is to say that I chose to ++ the 18:56 post rather than its younger brother, on account it was the older, less popular kid which helped me more. Also, I just got up a little while ago, so my clutch isn't quite engaged yet, which is why I've gone sort of graphomanic and jest keping babbbbbbbbling. sorry)

    Just my two cents. Carry on.

    The Autonomic Pilot; it's FunkyTown, babe.

      My apologies. I usually try to put enough explanation in, but sometimes, I'm pressed for time. Actually, I'm always pressed for time, even as I type this. :)

      -- Randal L. Schwartz, Perl hacker
