
HTML::Template, CGI - concatenating strings & variables

by Lori713 (Pilgrim)
on Nov 17, 2003 at 14:48 UTC

Lori713 has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I'm trying to concatenate some strings and a CGI variable together so I can create the template name to be used in my program. Below is what I have, but I get the error message,

"HTML::Template->new() : Cannot open included file $rpt_tmpl : file not found. at HTML/Template.pm line 1580".

Am I using HTML::Template incorrectly? If I hard-code what I want (cnc1_rpt1_summary.tmpl), it works beautimously and my $rpt_id value is "1".

Thanks for any help you can provide!

    #!/usr/local/bin/perl5_8
    use strict;
    use warnings;
    use CGI;
    use CGI::Carp qw(fatalsToBrowser); #remove for PRD
    use HTML::Template;
    use DBI;
    use My::pswd;

    my $CGI = CGI->new;
    $|=1;
    print "content-type: text/html\n\n";

    my $err;
    my $server = $My::pswd::server;
    my $userid = $My::pswd::userid;
    my $passwd = $My::pswd::passwd;

    my $rpt_id     = $CGI->param('rpt_id');
    my $proj_id    = $CGI->param('proj_id');
    my $rpt_asofdt = $CGI->param('rpt_asofdt');

    my $rpt_tmpl = "cnc1_rpt" . "$rpt_id" . "_summary.tmpl";

    my $template = HTML::Template->new(
        filename  => '$rpt_tmpl',
        associate => $CGI,
    );

    #.... and then a bunch of other stuff (fetch data,
    #fetch futzed (for now) params to pass to template ....

    print $template->output();

    #temp: just to show my variable values; remove for PRD
    print "my rpt_id is: $rpt_id<br>";
    print "my proj_id is: $proj_id<br>";
    print "my rpt_asofdt is: $rpt_asofdt<br>";
    print "Good-bye Cruel World.\n";

Lori

Replies are listed 'Best First'.
Re: HTML::Template, CGI - concatenating strings & variables
by jeffa (Bishop) on Nov 17, 2003 at 14:59 UTC
    The obvious error is that you are quoting your variable with single quotes - this never works! Do this instead:
        my $template = HTML::Template->new(
            filename  => $rpt_tmpl,
            associate => $CGI,
        );
    Just like you didn't quote $CGI. However, you really should do a little error checking first. Also, don't explicitly print out the content header if you are using CGI.pm:
    print $CGI->header;
    You are much less prone to making mistakes when you let CGI.pm print the header.

    jeffa

    L-LL-L--L-LL-L--L-LL-L--
    -R--R-RR-R--R-RR-R--R-RR
    B--B--B--B--B--B--B--B--
    H---H---H---H---H---H---
    (the triplet paradiddle with high-hat)
    
      Well, DUH....    <insert really sheepish, blushing face here>. Ya know, I just looked up the double-quote vs. single-quote usage with variables and missed the one you caught. Thanks!

      What do you mean by "a little error checking first"? Will that help me debug my own code better? I'm all for that!

      P.S. I like the print $CGI->header; line. I'm learning more and more cool things with CGI and HTML::Template. Thanks!

      Lori

        In your case, all you really need to do is make sure that the id the user submits is valid.

            my $rpt_id = $CGI->param('rpt_id');

            # trim any leading or trailing whitespace
            $rpt_id =~ s/^\s*//;
            $rpt_id =~ s/\s*$//;

            # assuming report id is supposed to only contain digits
            unless ($rpt_id =~ /^\d+$/) {
                # handle error - id contains more than digits
            }

        is just one example of "untainting" your parameters that are submitted by someone (who could be trying to crack your CGI script). I recommend adding the taint switch to your "shebang" line:
        #!/usr/local/bin/perl5_8 -T
        Since you have already untainted $rpt_id by making it part of $rpt_tmpl like so:
            my $rpt_tmpl = "cnc1_rpt" . $rpt_id . "_summary.tmpl";

            # another way to achieve the same result:
            my $rpt_tmpl = "cnc1_rpt@{[$rpt_id]}_summary.tmpl";

            # and yet another way
            my $rpt_tmpl = sprintf("cnc1_rpt%d_summary.tmpl", $rpt_id);
        you shouldn't have to worry about devious folks getting at other files like you would with the following DANGEROUS code:
            my $file = $CGI->param('file');
            open FH, '<', "$PATH/$file";
        Even though you supply the path, the user can still submit something like ../../../etc/passwd ... bad.

        Your code appears safe enough as it is, but ... it's still a good idea to make sure that what you let the user submit is restricted.

        jeffa

        L-LL-L--L-LL-L--L-LL-L--
        -R--R-RR-R--R-RR-R--R-RR
        B--B--B--B--B--B--B--B--
        H---H---H---H---H---H---
        (the triplet paradiddle with high-hat)
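
An added example, not part of the original posts: one way to do the check discussed in the thread, building the template name only from an anchored regex capture (the form perlsec documents for untainting when -T is in effect). The helper name template_for_report, the six-digit limit and the sample inputs are assumptions made for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: returns the template file name for a report id,
# or undef if the id is not a short run of ASCII digits.
sub template_for_report {
    my ($raw) = @_;
    return unless defined $raw;

    # Trim surrounding whitespace, as in the reply above.
    $raw =~ s/^\s+//;
    $raw =~ s/\s+$//;

    # \A and \z anchor the whole string ("$" alone also matches before a
    # trailing newline); [0-9] avoids the non-ASCII digits \d can match.
    # Only the captured text is used from here on, and a capture is what
    # taint mode accepts as untainted. The 1..6 digit limit is an assumption.
    my ($id) = $raw =~ /\A([0-9]{1,6})\z/
        or return;

    return "cnc1_rpt${id}_summary.tmpl";
}

# Constructed sample inputs. The traversal string is the one quoted in the
# thread; the rest are made up for this example.
my @samples = ('1', ' 42 ', '', '1abc', '../../../etc/passwd', "7\n8", undef);

for my $raw (@samples) {
    my $shown = defined $raw ? $raw : '(undef)';
    $shown =~ s/\n/\\n/g;    # make embedded newlines visible in the output
    my $tmpl = template_for_report($raw);
    printf "%-24s => %s\n", "'$shown'", defined $tmpl ? $tmpl : 'REJECTED';
}
```

Only the first two samples produce a template name; everything else, including the traversal string and the value with an embedded newline, is rejected before any file name is built.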
        
