cgi.pm distinguish between POST & GET

Discussion in 'Perl Misc' started by mike_solomon@lineone.net, Mar 1, 2006.

  1. Guest

    I am using the CGI module and can get access to the POST & GET
    variables

    use CGI;
    #create new cgi
    my $m_cgi = new CGI;

    #put cgi data into hash
    my %m_cgi_data = $m_cgi->Vars;

    What I would like todo is find some way of knowing whether a variable
    is from a GET or a POST as for one form I would like to ignore GET's

    Is this possible using cgi.pm?

    Thanks
    , Mar 1, 2006
    #1
    1. Advertising

  2. Paul Lalli Guest

    wrote:
    > I am using the CGI module and can get access to the POST & GET
    > variables
    >
    > use CGI;
    > #create new cgi
    > my $m_cgi = new CGI;
    >
    > #put cgi data into hash
    > my %m_cgi_data = $m_cgi->Vars;
    >
    > What I would like todo is find some way of knowing whether a variable
    > is from a GET or a POST as for one form I would like to ignore GET's
    >
    > Is this possible using cgi.pm?


    Have you read:
    http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    ?

    Paul Lalli
    Paul Lalli, Mar 1, 2006
    #2
    1. Advertising

  3. Guest

    Paul Lalli wrote:

    > wrote:
    > > I am using the CGI module and can get access to the POST & GET
    > > variables
    > >
    > > use CGI;
    > > #create new cgi
    > > my $m_cgi = new CGI;
    > >
    > > #put cgi data into hash
    > > my %m_cgi_data = $m_cgi->Vars;
    > >
    > > What I would like todo is find some way of knowing whether a variable
    > > is from a GET or a POST as for one form I would like to ignore GET's
    > >
    > > Is this possible using cgi.pm?

    >
    > Have you read:
    > http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    > ?
    >
    > Paul Lalli


    yup read it before I posted

    either I am not understanding it properly or it doesn't work for me

    using url_param & param both returned a GET parameter
    , Mar 1, 2006
    #3
  4. Guest

    "" <> wrote:
    > >
    > > Have you read:
    > > http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    > > ?
    > >
    > > Paul Lalli

    >
    > yup read it before I posted
    >
    > either I am not understanding it properly or it doesn't work for me


    Well, that sucks. It does work for me, so I probably understand it
    properly. If you showed us some code, maybe I could understand your
    misunderstanding and correct it.


    > using url_param & param both returned a GET parameter


    So then you know it is from the query string in the URL. Isn't that what
    you wanted to know? Doesn't that solve your problem?

    Xho

    --
    -------------------- http://NewsReader.Com/ --------------------
    Usenet Newsgroup Service $9.95/Month 30GB
    , Mar 1, 2006
    #4
  5. Guest

    wrote:

    > Paul Lalli wrote:
    >
    > > wrote:
    > > > I am using the CGI module and can get access to the POST & GET
    > > > variables
    > > >
    > > > use CGI;
    > > > #create new cgi
    > > > my $m_cgi = new CGI;
    > > >
    > > > #put cgi data into hash
    > > > my %m_cgi_data = $m_cgi->Vars;
    > > >
    > > > What I would like todo is find some way of knowing whether a variable
    > > > is from a GET or a POST as for one form I would like to ignore GET's
    > > >
    > > > Is this possible using cgi.pm?

    > >
    > > Have you read:
    > > http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    > > ?
    > >
    > > Paul Lalli

    >
    > yup read it before I posted
    >
    > either I am not understanding it properly or it doesn't work for me
    >
    > using url_param & param both returned a GET parameter


    OK done some further tests

    param returns both GET & POST

    url_param returns GET

    what I want is just POST but now I understand I can exclude anything in
    url_param

    Thanks for replying
    , Mar 1, 2006
    #5
  6. schrieb:

    > I am using the CGI module and can get access to the POST & GET
    > variables
    >
    > use CGI;
    > #create new cgi
    > my $m_cgi = new CGI;
    >
    > #put cgi data into hash
    > my %m_cgi_data = $m_cgi->Vars;
    >
    > What I would like todo is find some way of knowing whether a variable
    > is from a GET or a POST as for one form I would like to ignore GET's
    >
    > Is this possible using cgi.pm?


    How about using request_method() to find out how your script was called?

    Kh
    Karlheinz Weindl, Mar 1, 2006
    #6
  7. Guest

    "" <> wrote:
    > wrote:
    >
    > > Paul Lalli wrote:
    > >
    > > > wrote:
    > > > > I am using the CGI module and can get access to the POST & GET
    > > > > variables
    > > > >
    > > > > use CGI;
    > > > > #create new cgi
    > > > > my $m_cgi = new CGI;
    > > > >
    > > > > #put cgi data into hash
    > > > > my %m_cgi_data = $m_cgi->Vars;
    > > > >
    > > > > What I would like todo is find some way of knowing whether a
    > > > > variable is from a GET or a POST as for one form I would like to
    > > > > ignore GET's
    > > > >
    > > > > Is this possible using cgi.pm?
    > > >
    > > > Have you read:
    > > > http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    > > > ?
    > > >
    > > > Paul Lalli

    > >
    > > yup read it before I posted
    > >
    > > either I am not understanding it properly or it doesn't work for me
    > >
    > > using url_param & param both returned a GET parameter

    >
    > OK done some further tests
    >
    > param returns both GET & POST


    Ah, now I see the problem.
    No, param returns either GET or POST--but not both--for any one form
    submission.

    > url_param returns GET


    If the form was submitted with GET, both param and url_param return the
    parameters from the URL.

    If the form was submitted with POST but also had URL parameters thrown in
    too, then param returns only the POSTed parameteters and url_param returns
    only the URL ones.


    > what I want is just POST but now I understand I can exclude anything in
    > url_param



    If the form was submitted with POST, then the exclusion has already
    been done for you in param(), and you don't need to use url_param. If the
    form was submitted with GET, then you could just throw up a "drop dead,
    hacker" page and never even look at param.

    Xho

    --
    -------------------- http://NewsReader.Com/ --------------------
    Usenet Newsgroup Service $9.95/Month 30GB
    , Mar 1, 2006
    #7
  8. Uri Guttman Guest

    >>>>> "x" == xhoster <> writes:

    x> "" <> wrote:
    >>
    >> param returns both GET & POST


    x> Ah, now I see the problem.
    x> No, param returns either GET or POST--but not both--for any one form
    x> submission.

    cgi.pm supports having both get (in the url) and post params on the same
    cgi call. it will mix the params from both sources. i am not sure which
    will override the other (if that happens). from cgi.pm:

    $query = new CGI;

    This will parse the input (from both POST and GET methods)
    and store it into a perl5 object called $query.

    note the 'both' in there.

    uri

    --
    Uri Guttman ------ -------- http://www.stemsystems.com
    --Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
    Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org
    Uri Guttman, Mar 1, 2006
    #8
  9. Uri Guttman Guest

    >>>>> "x" == xhoster <> writes:

    x> Uri Guttman <> wrote:
    >> >>>>> "x" == xhoster <> writes:

    >>

    x> "" <> wrote:
    >> >>
    >> >> param returns both GET & POST

    >>

    x> Ah, now I see the problem.
    x> No, param returns either GET or POST--but not both--for any one form
    x> submission.
    >>
    >> cgi.pm supports having both get (in the url) and post params on the same
    >> cgi call. it will mix the params from both sources.


    x> Do you have example code to demonstrate that?

    >> i am not sure which
    >> will override the other (if that happens). from cgi.pm:
    >>
    >> $query = new CGI;
    >>
    >> This will parse the input (from both POST and GET methods)

    ^^^^^^^^^^^^^^^

    >> and store it into a perl5 object called $query.

    ^^^^^^^^^^^^^
    >>
    >> note the 'both' in there.


    x> I note the 'both', but I do not the 'in one form submission'. Quite the
    x> opposite:

    also note the underlined parts above.

    x> MIXING POST AND URL PARAMETERS
    x> ...
    x> It is possible for a script to receive CGI parameters in the URL as
    x> well as in the fill-out form by creating a form that POSTs to a URL
    x> containing a query string (a "?" mark followed by arguments). The
    x> param() method will always return the contents of the POSTed
    x> fill-out form, ignoring the URL's query string.

    i never said anything about access params from both get/post. i just was
    pointing out that you can use both and cgi.pm will handle it. dealing
    with both in a submission is up to you but you can get both sets of
    params if desired.

    <snip of cgi script i won't run>

    uri

    --
    Uri Guttman ------ -------- http://www.stemsystems.com
    --Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
    Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org
    Uri Guttman, Mar 2, 2006
    #9
  10. Guest

    wrote:

    > wrote:
    >
    > > Paul Lalli wrote:
    > >
    > > > wrote:
    > > > > I am using the CGI module and can get access to the POST & GET
    > > > > variables
    > > > >
    > > > > use CGI;
    > > > > #create new cgi
    > > > > my $m_cgi = new CGI;
    > > > >
    > > > > #put cgi data into hash
    > > > > my %m_cgi_data = $m_cgi->Vars;
    > > > >
    > > > > What I would like todo is find some way of knowing whether a variable
    > > > > is from a GET or a POST as for one form I would like to ignore GET's
    > > > >
    > > > > Is this possible using cgi.pm?
    > > >
    > > > Have you read:
    > > > http://perldoc.perl.org/CGI.html#MIXING-POST-AND-URL-PARAMETERS
    > > > ?
    > > >
    > > > Paul Lalli

    > >
    > > yup read it before I posted
    > >
    > > either I am not understanding it properly or it doesn't work for me
    > >
    > > using url_param & param both returned a GET parameter

    >
    > OK done some further tests
    >
    > param returns both GET & POST
    >
    > url_param returns GET
    >
    > what I want is just POST but now I understand I can exclude anything in
    > url_param
    >
    > Thanks for replying



    I have added the following code to remove any GET - seems to do what I
    want :)

    #create new cgi
    $m_cgi = new CGI;

    #put cgi data into hash
    %m_cgi_data = $m_cgi->Vars;

    #remove GET from hash
    for my $key (keys %m_cgi_data ) {
    delete $m_cgi_data{$key} if $m_cgi->url_param($key);
    }
    , Mar 2, 2006
    #10
  11. Samwyse Guest

    wrote:
    > I am using the CGI module and can get access to the POST & GET
    > variables
    >
    > use CGI;
    > #create new cgi
    > my $m_cgi = new CGI;
    >
    > #put cgi data into hash
    > my %m_cgi_data = $m_cgi->Vars;
    >
    > What I would like todo is find some way of knowing whether a variable
    > is from a GET or a POST as for one form I would like to ignore GET's
    >
    > Is this possible using cgi.pm?


    I suspect that what you really want to know is whether a given request
    is the result of a GET or a POST. A variable doesn't come from a GET or
    a POST, it comes from a URL or a form. It is perfectly valid (although
    little used) to do this in a form:
    <form method="POST" action="test.cgi?this=hello">
    <input type="hidden" name="that" value="world">
    </form>
    In the above, two variables are submitted, one via the URL and the other
    via the form. param() returns both, url_param only returns the first.
    Of course, a quesy submitted by someone typing in an URL can only
    contain URL parameters. If you want to catch that, then you need to
    check request_method(), which will contain either 'GET' or 'POST'.

    OTOH, a person can copy an entire form into a local .HTML file and
    change all of the input fields to 'hidden' with default values. A bit
    of Javascript can even launch the request as soon as the file is opened,
    allowing someone to send a query without passing through your website.
    The only way to (mostly) prevent that is to examine the HTTP-Referrer
    header to see where a request originated (but there are ways to spoof
    that as well).
    Samwyse, Mar 2, 2006
    #11
  12. wrote:
    > I have added the following code to remove any GET - seems to do what I
    > want :)


    <snip>

    > #put cgi data into hash
    > %m_cgi_data = $m_cgi->Vars;
    >
    > #remove GET from hash
    > for my $key (keys %m_cgi_data ) {
    > delete $m_cgi_data{$key} if $m_cgi->url_param($key);
    > }


    Does the result of that differ from:

    %m_cgi_data = $m_cgi->Vars if $ENV{REQUEST_METHOD} eq 'POST';

    --
    Gunnar Hjalmarsson
    Email: http://www.gunnar.cc/cgi-bin/contact.pl
    Gunnar Hjalmarsson, Mar 2, 2006
    #12
  13. Guest

    Samwyse <> wrote:
    >
    > I suspect that what you really want to know is whether a given request
    > is the result of a GET or a POST. A variable doesn't come from a GET or
    > a POST, it comes from a URL or a form. It is perfectly valid (although
    > little used) to do this in a form:
    > <form method="POST" action="test.cgi?this=hello">
    > <input type="hidden" name="that" value="world">
    > </form>
    > In the above, two variables are submitted, one via the URL and the other
    > via the form. param() returns both,


    No, it does not. Have you tested this?

    Xho

    --
    -------------------- http://NewsReader.Com/ --------------------
    Usenet Newsgroup Service $9.95/Month 30GB
    , Mar 2, 2006
    #13
  14. >>>>> "mike" == mike solomon@lineone net <> writes:

    mike> What I would like todo is find some way of knowing whether a variable
    mike> is from a GET or a POST as for one form I would like to ignore GET's

    I would prefer that you not go out of your way to ignore "GET". What
    goal are you trying to achieve with this design?

    print "Just another Perl hacker,"; # the original
    --
    Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
    <> <URL:http://www.stonehenge.com/merlyn/>
    Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
    See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
    *** Free account sponsored by SecureIX.com ***
    *** Encrypt your Internet usage with a free VPN account from http://www.SecureIX.com ***
    Randal L. Schwartz, Mar 2, 2006
    #14
  15. Guest

    Randal L. Schwartz wrote:

    > >>>>> "mike" == mike solomon@lineone net <> writes:

    >
    > mike> What I would like todo is find some way of knowing whether a variable
    > mike> is from a GET or a POST as for one form I would like to ignore GET's
    >
    > I would prefer that you not go out of your way to ignore "GET". What
    > goal are you trying to achieve with this design?
    >
    > print "Just another Perl hacker,"; # the original
    > --
    > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
    > <> <URL:http://www.stonehenge.com/merlyn/>


    Basically I was playing with a password system

    It didn't need to be too secure but if the password came through as a
    GET rather than a POST then it was invalid

    In the screens there should never be a GET so I thought deleting them
    was the simplest way
    , Mar 2, 2006
    #15
  16. >>>>> "mike" == mike solomon@lineone net <> writes:

    mike> Basically I was playing with a password system

    mike> It didn't need to be too secure but if the password came through as a
    mike> GET rather than a POST then it was invalid

    mike> In the screens there should never be a GET so I thought deleting them
    mike> was the simplest way

    Both GET and POST can be sniffed, so you're not really helping security there.
    The main difference between GET and POST is that the params in a GET
    are also logged, which shouldn't be made public anyway.

    Again, not sure of the problem you're solving, because it doesn't really
    solve anything to change the method.

    print "Just another Perl hacker,"; # the original

    --
    Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
    <> <URL:http://www.stonehenge.com/merlyn/>
    Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
    See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
    *** Free account sponsored by SecureIX.com ***
    *** Encrypt your Internet usage with a free VPN account from http://www.SecureIX.com ***
    Randal L. Schwartz, Mar 2, 2006
    #16
  17. Scott Bryce Guest

    wrote:

    > Basically I was playing with a password system
    >
    > It didn't need to be too secure but if the password came through as a
    > GET rather than a POST then it was invalid


    You have got to be kidding! How about if the password is wrong, then it
    is invalid. Don't worry about how the password was passed in.
    Scott Bryce, Mar 2, 2006
    #17
  18. Guest

    Randal L. Schwartz wrote:

    > >>>>> "mike" == mike solomon@lineone net <> writes:

    >
    > mike> Basically I was playing with a password system
    >
    > mike> It didn't need to be too secure but if the password came through as a
    > mike> GET rather than a POST then it was invalid
    >
    > mike> In the screens there should never be a GET so I thought deleting them
    > mike> was the simplest way
    >
    > Both GET and POST can be sniffed, so you're not really helping security there.
    > The main difference between GET and POST is that the params in a GET
    > are also logged, which shouldn't be made public anyway.
    >
    > Again, not sure of the problem you're solving, because it doesn't really
    > solve anything to change the method.
    >
    > print "Just another Perl hacker,"; # the original
    >
    > --
    > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095


    Oh well it seemed like a good idea at the time and I've learnt a bit :)

    Gone back to plan A where I accept POST's & GET's and do a database
    lookup for usernames and passwords

    Thanks for the help everyone
    , Mar 2, 2006
    #18
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. mosfet
    Replies:
    6
    Views:
    1,353
    Rolf Magnus
    Nov 27, 2003
  2. Vinodh Kumar P
    Replies:
    1
    Views:
    340
    Jack Klein
    Dec 12, 2003
  3. Sayan
    Replies:
    6
    Views:
    7,304
    Ron Natalie
    Feb 9, 2004
  4. Simon Willison
    Replies:
    1
    Views:
    818
    poiboy
    Aug 28, 2003
  5. David Heinemeier Hansson
    Replies:
    5
    Views:
    193
    Dmitry Borodaenko
    Nov 3, 2003
Loading...

Share This Page