Re: Need some problemsolving-cgi/xml

From: James Willmore (jwillmore_at_fastmail.us)
Date: 11/25/04


Date: Thu, 25 Nov 2004 14:30:20 -0500

On Thu, 25 Nov 2004 07:22:36 +0100, lievemario wrote:

<snip>
> Now the following errors appear:
> - first of all, I don't know why, but the script is not able to open / write
> person.xml anymore

And your logs say .... what? Did you check the server logs to see what
messages are being issued by the script? Have you tested the script at
the command line first? If so, what happened?

> - second, when I have such an xml file, the script is not able to produce
> the output,
> I get a CGI timeout error.
> (Just for info; I call the script via the following line in the form
> application:
> <form action="person2.cgi?person_id=$person_id" method="POST">
> )
> I have search a long time, but I can not solve the problem.

And your logs say .... what? Did you check the server logs to see what
messages are being issued by the script? Have you tested the script at
the command line first? If so, what happened? Are you *sure* it's a "CGI
timeout error" and not some other error happening in the background that
results in your script timing out? Logs will tell you lots ... if you let
them :-)

 
> - another question I also have;
> it is my intention to execute 1 or more queries (depending on the
> @details the
> user selected in the form). How can I combine all these xml files/xsl to
> one output?

To "transform", "process", etc. XML using XSLT, you have a wide variety of
choices (Xalan, Saxon ...). You could even create an XML file (file
system or in memory) and use XPath statements to extract data from the XML
file. Visit CPAN (http://search.cpan.org) and search for xsl or xml or
xpath to find them :-)

> #!/usr/bin/perl

#!/usr/bin/perl -T
#turn taint checking on
#visit http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q15
#for more information
 
> # use strict;

use strict;
use warnings;

> use DBI;
> use XML::Generator::DBI;
> use XML::Handler::YAWriter;
> use XML::Parser;
> use XML::XSLT;

#you already found a module for using XSLT
#have you looked at the 'toString' method?
 
> use CGI qw(param);

use CGI qw(:standard :debug);
#load standard CGI routines *and* debugging support
# ... so you can run the script at the command line
 
<snip>

> # create a DBI connection
> my $dbh = DBI->connect ("DBI:mysql:rd", "root", "",
>                         { RaiseError => 1,
>                           PrintError => 0
>                         });

using 'root' is a *very* bad move for a CGI script ... glad it's not my
box :-)
 
<snip>

> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs) {
>     ($name, $value) = split(/=/, $pair);
>     $value =~ tr/+/ /;
>     $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>     $value =~ s/'//g;
>     $value =~ s/&/and/g;
>     $value =~ s/\"//g;
>     $value =~ s/\+//g;
>     $FORM{$name} = $value;
> }
> }

*READ* the CGI documentation ... hell, there's even an *example* at the
very top of the document demonstrating *how* to use the module :-)
The above code is, well, pointless, if you're going to use the CGI module.

> my @details = ("data","team","pubs","other");
> foreach $x (@details) {
>     if ($FORM{$x} == 1) {
>         if($x eq "data") {
>             data_query();
>         }
>         #print "You picked $x.\n";
>     }
> }
> }

foreach my $x (@details) {
...
}

You need to declare a variable before using it and using the 'strict'
pragma. The above will do that.

Just FYI, you could also look over ...
http://www.w3.org/Security/Faq/wwwsf4.html#CGI-Q17
on how to untaint variables, and
http://www.cert.org/tech_tips/cgi_metacharacters.html
on how to remove unsafe characters from the query string.

<snip>

You should really read the documentation for the various modules you're
using. It looks like you cobbled together something from various sources
and, well, this ain't going to work the way you expect it to. Try small
parts of what you're trying to do (for example, do some small XML
transformations first and small do nothing CGI scripts). Test them and see
that they work the way you expect them to. Then put it all together for
the final product.

HTH

Jim
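Jim's points pulled together into one script (taint mode, CGI.pm instead of hand-parsing STDIN, whitelist untainting, a DBI placeholder, and a non-root database account), as an added example that is not part of the original thread; the "person" table and the "rd_reader" account are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumes a hypothetical table
# "person" (integer "id", text "name") and a hypothetical DB account
# "rd_reader" that has been granted SELECT only on the rd database.
use strict;
use warnings;
use CGI qw(:standard :debug);   # :debug lets you run this at the command line
use CGI::Carp;                  # die/warn messages go to the server error log
use DBI;

# Taint mode distrusts %ENV too: pin PATH and drop shell-influencing variables.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The form posts to "person2.cgi?person_id=...": with method="POST" the id is
# in the query string, which CGI.pm exposes via url_param(), not param().
my $raw_id = url_param('person_id');
$raw_id = param('person_id') unless defined $raw_id;

# Untaint by extracting only an acceptable value (digits) rather than by
# deleting "bad" characters. \z (not $) so a trailing newline cannot slip through.
my $person_id;
if (defined $raw_id && $raw_id =~ /^(\d{1,10})\z/) {
    $person_id = $1;    # captured text is untainted
}

print header('text/plain');
if (!defined $person_id) {
    print "missing or malformed person_id\n";
    exit 0;
}

# Least-privilege account, not root. RaiseError turns DB failures into die(),
# which CGI::Carp writes to the error log instead of leaving a blank page.
my $dbh = DBI->connect('DBI:mysql:rd', 'rd_reader', 'CHANGE_ME_PASSWORD',
                       { RaiseError => 1, PrintError => 0 });

# Placeholder: the id travels as bound data, never spliced into the SQL text.
my $sth = $dbh->prepare('SELECT name FROM person WHERE id = ?');
$sth->execute($person_id);
while (my ($name) = $sth->fetchrow_array) {
    print "person $person_id: $name\n";
}
$sth->finish;
$dbh->disconnect;
```

At the command line, `perl -T person2.cgi person_id=42` exercises it without a web server; anything that dies lands on stderr, so you see the real error rather than a browser timeout.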
