problem when submitting a string through a form

Nikos

Hello, I am having an issue with a string that, when it is submitted
through a form in index.pl, doesn't get back the same as the original.

You can read here so I won't type everything from the beginning, please.

PerlMonks tried to help me (well, 1 of them actually) but I didn't come
to a final conclusion as to what's going on and how to correct it.
 
Paul Lalli

> Hello, I am having an issue with a string that, when it is submitted
> through a form in index.pl, doesn't get back the same as the original.
>
> You can read here so I won't type everything from the beginning, please.

We can't read anything you don't give us. If you think you put in a
hyperlink there, you didn't. Usenet is text only.

Paul Lalli
 
RedGrittyBrick

Nikos said:
> Did anyone read the link? If you want I can also explain the problem
> here.

I did but there was insufficient information for me to comment. You
didn't post a complete program nor the HTML of the form which invoked
the program.

I suspect that printing* the value of param('select') in the else clause
will shed some light on the problem. It wouldn't hurt to print
@display_files too.

Maybe some values need chomping.

* I'd use Data::Dumper or carefully quote the values to look for
extraneous whitespace etc;
 
Nikos

Here is index.pl as it is now: you can view it at http://nikos.no-ip.org
if you want

#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser);
use CGI qw(:standard);
use DBI;
use POSIX qw(strftime);
use Encode;


my ($select, $article, $row, $data);

my $date = strftime('%y-%m-%d %H:%M:%S', localtime);
my $display_date = strftime('%a %d %b, %I:%M %p', localtime);
Encode::from_to($display_date, 'ISO-8859-7', 'utf8');

# Reverse-resolve the client address; fall back to the raw IP
my $host = gethostbyaddr (pack ("C4", split (/\./, $ENV{'REMOTE_ADDR'})), 2) || $ENV{REMOTE_ADDR};
$host = "Administrator" if ( ($host =~ /dell/) or ($host =~ /localhost/) );

#===============================================================================
my $db = ( $ENV{'SERVER_NAME'} !~ /varsa/ )
    ? DBI->connect('DBI:mysql:orthodox;localhost', 'root', '*****', {RaiseError=>1})
    : DBI->connect('DBI:mysql:nikosva_orthodox;www.freegreece.net', 'nikosva_nikos', '****', {RaiseError=>1});
#===============================================================================

print header( -charset=>'utf-8' );
$article = param('select') || "Αρχική Σελίδα!";

# Names of the text files, without directory and .txt extension
my @files = glob "$ENV{'DOCUMENT_ROOT'}/data/text/*.txt";
my @display_files = map m{([^/]+)\.txt}, @files;
Encode::from_to($_, 'ISO-8859-7', 'utf8') for @display_files;


if ( param('select') ) {    # If user selected an item from the drop down menu
    # Selection does not match any of the valid filenames within @display_files
    unless ( grep { $_ eq param('select') } @display_files )
    {
        if( param('select') =~ /\0/ )
        {
            $article = "*Null Byte Injection* attempted & logged!";
            print br() x 2, h1( {class=>'big'}, $article );
        }
        if( param('select') =~ /\/\.\./ )
        {
            $article = "*Backwards Directory Traversal* attempted & logged!";
            print br() x 2, h1( {class=>'big'}, $article );
        }

        $select = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
        $select->execute( $article, $date, $host );

        exit 0;
    }

    $article = decode('utf8', param('select' ));
    Encode::from_to($article, 'utf8', 'ISO-8859-7');

    open FILE, "<$ENV{'DOCUMENT_ROOT'}/data/text/$article.txt" or die $!;
    local $/;
    $data = <FILE>;
    close FILE;

    $select = $db->prepare( "UPDATE guestlog SET article=?, date=?, counter=counter+1 WHERE host=?" );
    $select->execute( $article, $date, $host );
}
else {
    $select = $db->prepare( "SELECT host FROM guestlog WHERE host=?" );
    $select->execute( $host );

    if ($select->rows)
    {
        $select = $db->prepare( "SELECT host, DATE_FORMAT(date, '%a %d %b, %h:%i') AS date, counter, article FROM guestlog WHERE host=?" );
        $select->execute( $host );
        $row = $select->fetchrow_hashref;

        $data = "Καλώς ήλθες $host! Χαίρομαι που βρίσκεις την σελίδα ενδιαφέρουσα.
Τελευταία φορά ήρθες εδώ ως $row->{host} στις $row-
Προηγούμενος αριθμών επισκέψεων => $row->{counter}
Τελευταία είδες το κείμενο [ $row->{article} ]
Ποιό κείμενο θα μελετήσεις αυτήν την φορά !?";

        $select = $db->prepare( "UPDATE guestlog SET date=?, counter=counter+1 WHERE host=?" );
        $select->execute( $date, $host );
    }
    else
    {
        if ($host eq "Administrator") {
            $data = "Γειά σου Νικόλα! Πώς πάνε τα κέφια? ;-)";
        }
        else {
            $data = "Γειά σου $host!
Έρχεσαι για 1η φορά εδώ !!
Ελπίζω να βρείς τα κείμενα ενδιαφέροντα :)";
        }

        unless ($host eq "Administrator") {
            $select = $db->prepare( "INSERT INTO guestlog (host, date, article, counter) VALUES (?, ?, ?, ?)" );
            $select->execute( $host, $date, $article, 1 );
        }
    }
}

# Escape $data for embedding in the JavaScript string literal below.
# The literal is single-quoted, so \ and ' are escaped as well.
for ($data) {
    s/\\/\\\\/g;
    s/'/\\'/g;
    s/\n/\\n/g;
    s/"/\\"/g;
    tr/\cM//d;
}

#======OK, $data set up. Now print header, start_html and JavaScript stuff======

print
    start_html(
        -script => [
            "var textToShow = '$data';",
            {
                -language => 'JAVASCRIPT',
                -src      => '/data/scripts/char_by_char.js'
            }
        ],
        -style  => '/data/scripts/style.css',
        -title  => 'Ορθόδοξα Πνευματικά Θέματα!',
        -onload => 'init();'
    ),

    a({href=>'/cgi-bin/register.pl'}, img({src=>'/data/images/reg.jpg'})),

    start_form(action=>'/cgi-bin/index.pl'),
    h1({class=>'lime'}, "Επέλεξε το κείμενο που σε ενδιαφέρει => ",
        popup_menu( -name=>'select', -values=>\@display_files ),
        submit(-label=>'ok')),
    end_form,

    div({id => "DivText"}),
    end_html;

#===============================================================================

The problem is that when the user selects something from my popup
menu (one string) and then submits it, the returned string being sent
back to my index.pl ain't matching this line: unless ( grep { $_ eq
param('select') } @display_files )

and that fact led me to believe that the browser or something else
somehow malforms the original value (the one selected before
submission)

I thought that this line would take care of the problem, converting it
properly to utf8, but it doesn't :(
$article = decode('utf8', param('select' ));

please help
 
RedGrittyBrick

Nikos said:
> Here is index.pl as it is now: you can view it at http://nikos.no-ip.org
> if you want

Really this is too complex for me to try because I don't want to have to
set up a database and so on. Nevertheless I've made some comments below.


<snip code encoded in ISO-8859-7>
There's a lot of suspicious code there. At one point you use decode to
convert from utf8 to perl's internal encoding and immediately use
Encode::from_to to convert from utf8 to ISO-8859-7!

Are you sure glob returns filenames encoded in ISO-8859-7 when run by
the web-server?

> The problem is that when the user selects something from my popup
> menu (one string) and then submits it, the returned string being sent
> back to my index.pl ain't matching this line: unless ( grep { $_ eq
> param('select') } @display_files )

As I suggested before, print the values of param('select') and
@display_files so that you can SEE what is wrong.

> and that fact led me to believe that the browser or something else
> somehow malforms the original value (the one selected before
> submission)

AFAIK, most browsers (but not all) will return data encoded using the
encoding specified in the HTTP headers for the form HTML.
http://www.intertwingly.net/blog/1761.html

> I thought that this line would take care of the problem, converting it
> properly to utf8, but it doesn't :(
> $article = decode('utf8', param('select' ));

That doesn't convert TO utf8, it converts FROM utf8!
 
Ted Zlatanov

N> The problem is that when the user selects something from my popup
N> menu(one string) and then submits it, the returned string being sent
N> back to my index.pl ain't matching this line: unless ( grep { $_ eq
N> param('select') } @display_files )

What is the exact content of param('select') at this point?
What is the exact content of @display_files?

Use Firefox+Firebug to see the exact data being posted back to the
server. What is the 'select' parameter's content? Show the entire POST
operation's data load.

As an aside, you may want to look into CGI::FormBuilder to build forms
easily (or the Template Toolkit, or Mason, or any other such toolkit)
and Rose::DB::Object to get your DB data.

Ted
 
Nikos

I decided to try as far as I could to make a single test script, which
I actually embedded into my index.pl file, so as to PROVE my initial
guess that there was no need to NOT expect the returned string as
being the same as the original, hence no encoding being necessary to
be performed. Here it is:

if ( param('select') ) {    #If user selected an item from the drop down menu
    unless( grep /^\Q$article\E$/, @menu_files )    #Unless user selection doesn't match one of the valid filenames within @menu_files
    ......
    }
}

print param('select'), ' - ', length( param('select') ), br() x 2;

foreach( @menu_files ) {
    my $match = ($_ eq param('select')) ? "matches" : "fails to match";
    print $_, ' - ', length( $_ ), ' - ', $match, br;
}

Encode::from_to($article, 'utf8', 'ISO-8859-7');
open FILE, "<$ENV{'DOCUMENT_ROOT'}/data/text/$article.txt" or die $!;
........

As you can see, I am checking the returned parameter against
@menu_files so as to see if, when I print them, they look the same and,
when I also print their lengths, they are equal.

The result is the parameter string is identical to its corresponding
item inside @menu_files.
Both strings are perl-internal utf8 flagged strings because when I
print their lengths I get a number twice as much as the chars that
make up the filename. For example if a filename is called "νίκος" I
get length 10 before and after the submission, which means that both
are stored in a utf8 perl internal manner/way.

So, after this I gather you agree with me that no encoding/decoding
processes are necessary.
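
The comparison this thread is debugging, as an added example that is not part of any post: it decodes both sides to character strings before matching and only ever opens the on-disk name stored in an allow-list, printing length, UTF8 flag and hex for each value along the way. It assumes filenames on disk are ISO-8859-7 bytes and the browser posts UTF-8 bytes; the sample values are constructed and the sub names `describe`, `build_allow_list` and `lookup_selection` are hypothetical.

```perl
use strict;
use warnings;
use Encode qw(decode);

# Constructed sample data: the five-letter name from the thread as it
# would sit on disk (ISO-8859-7 bytes, assumed) and as a browser posts
# it back from a page served with charset=utf-8 (UTF-8 bytes).
my $on_disk   = "\xED\xDF\xEA\xEF\xF2";
my $submitted = "\xCE\xBD\xCE\xAF\xCE\xBA\xCE\xBF\xCF\x82";

# Describe a string without printing it raw: length, UTF8 flag and every
# byte or code point in hex, so whitespace and encoding cannot hide.
sub describe {
    my ($s) = @_;
    my $hex = join ' ', map { sprintf '%02X', ord } split //, $s;
    return sprintf 'len=%-2d utf8flag=%d [%s]',
        length $s, (utf8::is_utf8($s) ? 1 : 0), $hex;
}

# Allow-list keyed by character strings. The value is the untouched
# on-disk name, so the path is never assembled from user input.
sub build_allow_list {
    my ($disk_encoding, @names) = @_;
    my %allowed;
    $allowed{ decode($disk_encoding, $_) } = $_ for @names;
    return \%allowed;
}

# Strictly decode the submitted bytes, then look the result up.
# Returns the on-disk name, or undef for malformed or unknown input.
sub lookup_selection {
    my ($allowed, $raw) = @_;
    my $chars = eval {
        decode('UTF-8', $raw, Encode::FB_CROAK() | Encode::LEAVE_SRC());
    };
    return defined $chars ? $allowed->{$chars} : undef;
}

my $allowed = build_allow_list('ISO-8859-7', $on_disk);
print "on disk   ", describe($on_disk), "\n";
print "submitted ", describe($submitted), "\n";
print "decoded   ", describe(decode('UTF-8', $submitted)), "\n";
print "raw eq    ", ($on_disk eq $submitted ? 'match' : 'no match'), "\n";

for my $try ($submitted, "\xED\xDF\xEA\xEF\xF2", '../index') {
    my $file = lookup_selection($allowed, $try);
    print describe($try), ' => ',
        (defined $file ? 'accepted' : 'rejected'), "\n";
}
```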
 
