note
jlongino
How are you parsing/storing your CGI data? I had the same problem you're describing before I started frequenting Perlmonks. I used the $cgi->param('var') methods, but I used eval to create variables and assign their corresponding values:
<p><center><b>The following code is BAD! don't use it!</b></center>
</p>
<code>
use CGI;

sub doGetCGIvars {
    my $VarName;
    my $assign;
    my $query = new CGI;
    foreach $VarName ($query->param) {
        # Builds a line of Perl source from the parameter name and value,
        # then evals it: a value containing a single quote breaks the statement.
        $assign = "\$$VarName = '" . $query->param($VarName) . "'";
        &UnTaint($assign);   # author's own untainting sub, not shown here
        eval($assign);
    }
}
</code>
Why is this bad? Because any param that has a single quote in it will screw things up. Likewise, if I had used the following:
<code>
$assign = "\$$VarName = \"" . $query->param($VarName) . '"';
</code>
params containing a double quote would screw things up. Instead, use one of the saner methods recommended by [Ovid] in his reply to [id://145661|Best way to parse CGI params] and check out his [http://www.easystreet.com/~ovid/cgi_course|CGI Course] for more pointers and other reasons why you shouldn't use methods like the ones above to parse/store CGI data.
<p>--Jim
203450
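An added example (not from Jim's post or Ovid's course) that runs the eval approach and a plain hash approach side by side on a constructed query string; it assumes CGI.pm is installed and that the script is run from the command line rather than under a web server:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed sample request: one value contains a single quote, another a
# double quote. Under a web server CGI->new reads the real request; passing
# a query string here lets the script run offline.
my $query = CGI->new("name=O%27Brien&motto=Say%20%22hi%22&color=blue");

# The eval approach from the post: turn user data into Perl source.
# The post's UnTaint sub is the author's own and is not reproduced; the
# failure shown here comes from the quoting, not from tainting.
sub get_cgi_vars_eval {
    my ($q) = @_;
    my %result;
    foreach my $name ($q->param) {
        my $assign = "\$result{$name} = '" . $q->param($name) . "'";
        eval $assign;                      # O'Brien -> syntax error
        warn "eval failed for '$name': $@" if $@;
    }
    return \%result;
}

# The sane approach: no code generation, just copy values into a hash.
# Only names we expect are copied, so a request cannot pick the keys.
my @allowed = qw(name motto color);
sub get_cgi_vars_hash {
    my ($q) = @_;
    my %result;
    foreach my $name (@allowed) {
        my $value = $q->param($name);      # scalar context: first value only
        $result{$name} = $value if defined $value;
    }
    return \%result;
}

my $bad  = get_cgi_vars_eval($query);
my $good = get_cgi_vars_hash($query);
for my $name (@allowed) {
    printf "%-6s eval: %-12s hash: %s\n", $name,
        defined $bad->{$name}  ? "'$bad->{$name}'"  : '(missing)',
        defined $good->{$name} ? "'$good->{$name}'" : '(missing)';
}
```

The eval version loses the `name` value entirely (the generated statement is not valid Perl), while the hash version returns all three values unchanged, quotes included.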