http://qs321.pair.com?node_id=32818

damian1301 has asked for the wisdom of the Perl Monks concerning the following question:

Can I use 
<form action="test.cgi" method="post">
  <input type="text" name="thing">
</form>

[download]
and call it in the script by using $thing?

Replies are listed 'Best First'.
Re: CGI variables
by Ovid (Cardinal) on Sep 17, 2000 at 05:43 UTC
    Properly, you do something like the following: 
    #!/usr/bin/perl -Tw
use strict;
use CGI;

my $query = new CGI;
$query->param('thing') =~ /^([\w\s\d]+)$/ or die "Tainted data in thin
+g!";
my $thing = $1;

    [download]
    That allows you to properly (and safely) access the data in "thing". The regular expression should only specify the absolute minimum necessary for program functionality. The more it allows in $1, the greater the chance for a security hole.

    Further, the or die is necessary when untainting. If the match fails, $1 could still carry the data from a previous match, thus setting $thing to an undesireable value.

    Cheers,
    Ovid

[reply]
[d/l]
Re: CGI variables
by cianoz (Friar) on Sep 16, 2000 at 21:43 UTC
    if you use CGI.pm you can do 
    $query->import_names('NAMESPACE');

    [download]
    so you can access it with $NAMESPACE::thing
    importing into namespace 'main' will do the trick but is a _major_ security risk!!
    don't do that!
    (someone could override your own variables..
    ..like in PHP :)
[reply]
[d/l]

Back to Seekers of Perl Wisdom