PerlMonks  

(Ovid) Re: Test project....

by Ovid (Cardinal)
on Nov 06, 2000 at 01:16 UTC [id://40103]


in reply to Test project....

After looking over your code, I've made a few changes that should help it a bit. I have not changed any of the functionality, but instead have made it a bit more secure and cleaned up some of the code.

After giving it a bit of thought, I went ahead and converted most of your raw HTML to the CGI equivalent. Ordinarily, I wouldn't do this to anyone else's script, but I noticed you were doing it partway and figured you wouldn't mind my finishing the job, so to speak.

If you'd like to learn more about CGI scripting, you can check out my online Web programming course. It currently only has two lessons and one appendix, but I'm working on lesson 3, which is a brief overview of CGI scripting security. Hopefully I'll have it up in just a couple of days.

```perl
#!/usr/bin/perl -wT
use strict;
use CGI;
# We use this to prevent someone from inserting HTML tags.
# Otherwise, they can include pornographic images, server
# side includes, or a meta refresh tags!
use HTML::Entities;

my @text;

# By defining the separator here and not hardcoding it in the script,
# we can make it much easier to change in the future!
my $separator = "::";
my $file      = "guestbook.txt";

my $query = new CGI;

print $query->header,
      $query->start_html( -title => "Guestbook Thing" ),
      $query->h1("Guestbook Thing");

writeit();
readit();
printit();

print $query->end_html;

sub writeit {
    # $query is the file-scoped lexical above. writeit() is called with no
    # arguments, so taking it from @_ here would shadow it with undef.
    print $query->startform;
    print "Name:",
          $query->textfield( -name => 'Name' ),
          $query->br(),
          "Message:<BR>",
          $query->textarea( -name => "Comments", -rows => "10", -columns => "50" ),
          $query->br(),
          $query->submit( -value => "Submit" ),
          $query->reset( -value => "Reset" ),
          $query->hr(),
          $query->endform;

    my $name     = $query->param('Name');
    my $comments = $query->param('Comments');

    # Only handle a submission; on the first visit both params are undef.
    if ( defined $name and defined $comments ) {
        # Escape first, so anything the user typed is harmless text...
        chomp( $name     = encode_entities($name) );
        chomp( $comments = encode_entities($comments) );
        # ...and only then add our own <br>, so each comment stays on one line.
        # Browsers submit textarea lines as CRLF, so drop the \r as well.
        $comments =~ s/\r?\n/<br>/g;

        open( my $out, '>>', $file ) or dienice("AHH $!");
        print $out join( $separator, $name, $comments ), "\n";
        close($out) or dienice("AHH $!");
    }
}

sub readit {
    # No file yet simply means no entries yet, not an error.
    return unless -e $file;
    open( my $in, '<', $file ) or dienice("AHH $!");
    @text = <$in>;
    chomp @text;
    close($in);
}

sub printit {
    print $query->h2('Current Results');
    foreach (@text) {
        # Limit the split to two fields so a message that happens to
        # contain the separator is not truncated.
        my ( $name, $message ) = split /\Q$separator\E/, $_, 2;
        print $query->hr,
              "Message By: $name",
              $query->br,
              "&lt;Message&gt;: ",
              $query->br,
              $query->blockquote($message),
              "&lt;/Message&gt;";
    }
}

# Report an error to the browser and stop. The script above calls this
# but never defined it.
sub dienice {
    my ($msg) = @_;
    print $query->p("Error: $msg"), $query->end_html;
    exit;
}
```
Other ideas:
  • Add timestamps for messages.
  • Add threading (yes, that's quite a project).
  • Give the users proprietary formatting tags.
  • Allow only a subset of HTML. This one is tough, but you can check out this node for a start, if you want to try to work through the regular expression.
Good luck!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go to the link and check out our stats.
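The "get the `<br>` back" trick in the reply and the "allow only a subset of HTML" idea from the list generalize into one pattern, shown here as an added example that is not part of Ovid's reply or the original script: escape everything with HTML::Entities first, re-enable only an allow-list of exact, attribute-free tags, and only then inject the script's own `<br>` markup. The `%allowed` set, `sanitize_comment` and the sample comments are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities;

# Hypothetical allow-list for this example: tags the guestbook will render.
# Anything not listed (script, img, iframe, meta, ...) stays escaped.
my %allowed = map { $_ => 1 } qw(b i em strong);

# Escape everything, then put back only bare allow-listed tags.
sub sanitize_comment {
    my ($raw) = @_;
    return '' unless defined $raw;

    # 1. Every < > & " ' becomes an entity, so the browser sees text, not markup.
    my $safe = encode_entities($raw);

    # 2. Re-enable exact tags only: &lt;b&gt; or &lt;/b&gt; with no attributes
    #    and no whitespace, so an escaped "<b onmouseover=...>" never matches.
    $safe =~ s{&lt;(/?)([A-Za-z]+)&gt;}{
        $allowed{ lc $2 } ? "<$1" . lc($2) . ">" : "&lt;$1$2&gt;"
    }ge;

    # 3. Only now add the script's own markup. A literal "<br>" typed by the
    #    user was escaped in step 1 and is not on the allow-list, so it stays text.
    $safe =~ s/\r?\n/<br>/g;

    return $safe;
}

# Constructed sample inputs of the kind a guestbook form might receive,
# including the meta refresh and image cases the reply warns about.
my @samples = (
    "Nice site!\r\nReally <b>great</b> work.",
    "<script>alert(1)</script>",
    "<b onmouseover=\"alert(1)\">hover me</b>",
    "<meta http-equiv=\"refresh\" content=\"0;url=http://example.invalid/\">",
    "Look: <img src=\"picture.gif\"><br>",
);

for my $raw (@samples) {
    print "IN : $raw\nOUT: ", sanitize_comment($raw), "\n\n";
}
```

Run it from the command line and compare each IN/OUT pair: the first sample keeps its `<b>` and gains a `<br>`, while every other sample comes out fully escaped. Doing the escape before any of your own substitutions is the part that matters; the original ordering (insert `<br>`, escape, then un-escape `&lt;br&gt;`) works only because `<br>` is the single tag being restored.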
