Michalis has asked for the wisdom of the Perl Monks concerning the following question:
Well, maybe it's a known issue, but I'll try my best.
I ran into trouble when I wanted to completely avoid using my cgis with the parameters in the Location bar (i.e. simulating a GET method).
I wanted the users to always go through the page.
Now, that's one way to do it:
if ($ENV{'QUERY_STRING'}) {
    print "Location: http://www.something.net/badboy.html\n\n";
    # Do some logging if you wish here, although I don't know if it's possible
    exit;
}
It would be interesting to find out if there are other ways to do it, or if this method causes any side-effects.
RE: Avoiding GET in CGIs
by merlyn (Sage) on Jul 13, 2000 at 17:57 UTC
First, you can handle this entirely in the .htaccess file or equivalent,
at least in Apache, by making it deny from all for method GET HEAD,
as in (untested):
<FilesMatch "^(foo|bar)$">
    # <Limit> applies the enclosed access rules only to the listed methods,
    # so POST still gets through while GET and HEAD are refused.
    <Limit GET HEAD>
        Order deny,allow
        Deny from all
    </Limit>
</FilesMatch>
Second, preventing anything but POST means I just have to write a script,
and still won't need to go through your page. perldoc lwpcook shows
how trivial it is to write such a program.
My advice (free, and worth every penny!): give it up. Artificial restrictions
like this will always be worked around. I know, I've worked around a number
myself. It's the illusion of control or security, and just that: an illusion.
-- Randal L. Schwartz, Perl hacker
I'm aware that if someone REALLY wants to overcome these restrictions, he may do it through literally thousands of ways.
As a matter of fact I've done it a couple of times (yes, with LWP :-)
I was actually talking about the "average" site user (if such a thing exists...).
By the way, thanks for the .htaccess solution, it's much cleaner.
RE: Avoiding GET in CGIs
by le (Friar) on Jul 13, 2000 at 17:54 UTC
Whenever you try to do some CGI task in Perl, you are urged to use CGI.pm (it's part of the standard distribution of newer Perls). So to avoid GETs:
use CGI;
my $q = CGI->new;
if ($q->request_method() eq "GET") {
# do something
print $q->redirect("http://somewhere.org/");
exit;
}
I am using CGI.pm (actually a heavily modified version of it) but I was unaware of that function.
Thanks for pointing that out. It looks (and probably is) better.
It also works with parameters in the Location Bar (and not only if the form is submitted through a GET).
The only problem I see with that is (is it really?) a performance issue, as you have to create the new CGI object before the check.
(jcwren) RE: Avoiding GET in CGIs
by jcwren (Prior) on Jul 13, 2000 at 17:53 UTC
This topic really belongs in Seekers Of Perl Wisdom, not Meditations. Please read the PerlMonks FAQ before posting.
--Chris
May I guess you didn't read my posting?
Well, it said that:
<it>Well, maybe it's a known issue, but I'll try my best.....
Now, that's one way to do it.</it>
That means (in my really not good English) that I present a "solution" for a problem that troubled me some time ago.
I also read the Perl Monks Guide stating about meditations:
<it>
Have you found out something amazing about Perl that you just need to share with everyone. Have
you had a Perl epiphany, or found something in Perl that just blows your mind. This is the place for those neat little
tricks and amazing discoveries.
</it>
I have no problem accepting that it doesn't qualify as a meditation; after all, that's what moderation is for.
As it's wrong (well, it isn't even wrong. As usual, TIMTOWTDI?) the moderators felt they should send it to questions,
fine with me.
But I think it was clear that I was NOT asking for a solution.... Just a discussion.
By the way, Seekers of Perl Wisdom says:
<it>
The place you can go when you have got a question on how to do something or are
unsure why something just isn't working. Then other monks can offer you their wisdom and suggestions.
</it>
so it doesn't belong there either (as it's not a question, and the code IS working).
Please read the Guide to the Monastery before suggesting.
Michalis
Re: Avoiding GET in CGIs
by turnstep (Parson) on Jul 15, 2000 at 00:51 UTC
To answer the question directly:
No, there are no real side-effects to this method.
That way should work just fine. It might be fastest
if you have this run before loading CGI.pm (via
a BEGIN block). You could also check for
$ENV{'REQUEST_METHOD'} ne "POST"
## or
$ENV{'REQUEST_METHOD'} eq "GET"
## or even
$ENV{'REQUEST_URI'} =~ /\?/
Finally, note that your original code, technically
speaking, should test for the existence of
QUERY_STRING, and not the truth of it, using
defined or even exists. But since most cgi
scripts require a pair, putting ?0000
will probably not do much for your scripts, so the
truth test should suffice.
P.S. Sure it can be worked around, but it *will*
prevent people from being able to bookmark a URL
with parameters already set.
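Pulling the replies together, as an added example that is not code from the thread: the environment check runs in a BEGIN block before CGI.pm is loaded, tests QUERY_STRING with length rather than truth (so a "?0" is caught), and logs the refusal to STDERR, which Apache writes to its error log. The redirect URL is the one from the original post; the GATEWAY_INTERFACE switch and the constructed requests are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Run it from a shell to see the
# check exercised against constructed requests; under a web server it gates
# the real request before CGI.pm is loaded.
use strict;
use warnings;

# Returns why a request should be refused, or undef if it may proceed.
# Takes a hash ref shaped like %ENV so it can be tested with constructed input.
sub refuse_reason {
    my ($env) = @_;
    my $method = defined $env->{REQUEST_METHOD} ? $env->{REQUEST_METHOD} : '';
    return "method $method is not POST" if $method ne 'POST';
    # `length`, not truth: a URL ending in "?0" has a query string of "0",
    # which a bare `if ($ENV{QUERY_STRING})` would wave through.
    return 'query string present'
        if defined $env->{QUERY_STRING} && length $env->{QUERY_STRING};
    return;
}

BEGIN {
    # Compile time, so a refused request never pays for loading CGI.pm.
    # GATEWAY_INTERFACE is only set when a web server runs the script (assumed here).
    if ($ENV{GATEWAY_INTERFACE}) {
        my $why = refuse_reason(\%ENV);
        if (defined $why) {
            print "Location: http://www.something.net/badboy.html\r\n\r\n";
            my $who = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : '?';
            warn "refused request from $who: $why\n";   # STDERR -> server error log
            exit;
        }
    }
}

use CGI;

if ($ENV{GATEWAY_INTERFACE}) {
    my $q = CGI->new;
    print $q->header, "request accepted\n";
} else {
    # Constructed requests (hypothetical values) for a shell run.
    my %cases = (
        'GET ?a=1'      => { REQUEST_METHOD => 'GET',  QUERY_STRING => 'a=1' },
        'POST no query' => { REQUEST_METHOD => 'POST', QUERY_STRING => ''    },
        'POST ?0'       => { REQUEST_METHOD => 'POST', QUERY_STRING => '0'   },
    );
    for my $name (sort keys %cases) {
        my $env   = $cases{$name};
        my $why   = refuse_reason($env);
        my $truth = $env->{QUERY_STRING} ? 'refused' : 'accepted';   # the original bare test
        printf "%-14s length test: %-30s bare truth test: %s\n",
            $name, (defined $why ? "refused ($why)" : 'accepted'), $truth;
    }
}
```

The shell run shows the one case where the two tests disagree: "POST ?0" is refused by the length test but accepted by the bare truth test.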