Solved

Cgi-lib to Cgi.pm conversion

Posted on 2004-04-13
Last Modified: 2013-12-25
How do I convert the below script to use the cgi.pm module instead of the cgi-lib module and retain all the functionality? I also need the script to be able to accept input from one hidden text box, one text box and one drop down box, and submit the output to the server as one command. I would also like a timeout built into the script.

#!/usr/bin/perl

# URL
$me = "http://whatever.com/cgi-bin/userid.pl";

push (@INC,"../perl-lib");
require 'cgi-lib.pl';
&ReadParse(*form_data);
$command = $form_data{'command'};
$result = `$command`;
print &PrintHeader;

print<<"tab1";
<HTML>
<BODY BGCOLOR=FFFFFF>
<CENTER>
<TABLE BORDER=0 WIDTH=600 CELLSPACING=10>
<TR>
      <TD WIDTH =20></TD>
      <TD ALIGN=CENTER WIDTH =580>
      <FONT FACE="arial" SIZE=+2><B>Houst User Setup</B></FONT>
      <BR>
      <HR>
      </TD>
      <TD WIDTH =20></TD>
</TR>

<TR>
      <TD WIDTH =100></TD>
      <TD WIDTH=400>
      <FORM ACTION=$me METHOD=POST>
      <FONT FACE="arial" SIZE=+1><B>User ID:</B></FONT>
      <BR>
      <INPUT TYPE="text" NAME="command" SIZE=42>
      <BR><BR>
      <INPUT TYPE="submit"><INPUT TYPE="reset">
      
      </TD>
      <TD WIDTH =100></TD>
</TR>

<TR>
      <TD WIDTH =100></TD>
      <TD WIDTH =100>
      <HR>
      <FONT FACE="arial" SIZE=+1><B>Output:</B></FONT>
      </TD>
      <TD WIDTH =100></TD>
</TR>

<TR>
      <TD WIDTH =100></TD>
      <TD WIDTH =100 BGCOLOR=CCCCCC>
      <BR>
      <PRE>
      $result
      </PRE>
      <BR><BR>
      </TD>
      <TD WIDTH =100></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
tab1

 
Question by:mcabot
23 Comments
 
LVL 1

Expert Comment

by:bkiahg
ID: 10817249
#!/usr/bin/perl

# URL
my $me = "http://whatever.com/cgi-bin/userid.pl";

push (@INC,"../perl-lib");

use strict;
use CGI;

my $q = new CGI;

my $command = $q->param('command');
my $result = `$command`;

# pulls the three fields
my $hidden = $q->param('hidden_field_name');
my $text   = $q->param('text_field_name');
my $drop   = $q->param('drop_field_name');

print $q->header;

print<<"tab1";
<HTML>
<BODY BGCOLOR=FFFFFF>
<CENTER>
<TABLE BORDER=0 WIDTH=600 CELLSPACING=10>
<TR>
     <TD WIDTH =20></TD>
     <TD ALIGN=CENTER WIDTH =580>
     <FONT FACE="arial" SIZE=+2><B>Houst User Setup</B></FONT>
     <BR>
     <HR>
     </TD>
     <TD WIDTH =20></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH=400>
     <FORM ACTION=$me METHOD=POST>
     <FONT FACE="arial" SIZE=+1><B>User ID:</B></FONT>
     <BR>
     <INPUT TYPE="text" NAME="command" SIZE=42>
     <BR><BR>

<!-- Places the form from above to be submitted in hidden fields with the rest of the data -->
     <input type=hidden value="$hidden" name=hidden_field>
     <input type=hidden value="$text" name=text_field>
     <input type=hidden value="$drop" name=drop_field>

     <INPUT TYPE="submit"><INPUT TYPE="reset">
     
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100>
     <HR>
     <FONT FACE="arial" SIZE=+1><B>Output:</B></FONT>
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100 BGCOLOR=CCCCCC>
     <BR>
     <PRE>
     $result
     </PRE>
     <BR><BR>
     </TD>
     <TD WIDTH =100></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
tab1
0
 

Author Comment

by:mcabot
ID: 10818630
Thank you very much for the conversion, but I am having trouble. Here is what I am trying to do. I want to use this form to send this command to the server: "./oneuser.sh userid server_instance". The "./oneuser.sh" is a shell script I am trying to execute, and I want it to be the hidden text. The "userid" is, well, a user's id; this will be the visible text box. The "server_instance" is going to be the drop down box and it will contain several server instances. I can issue this command and it works if I type the whole thing in the text box, but as soon as I add either the hidden box or the drop down to the form and hit submit, the page just blinks and produces no errors, nothing.
0
 
LVL 1

Expert Comment

by:bkiahg
ID: 10818688
Post your code here.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10818710
Change

#!/usr/bin/perl

# URL
$me = "http://whatever.com/cgi-bin/userid.pl";

push (@INC,"../perl-lib");
require 'cgi-lib.pl';
&ReadParse(*form_data);
$command = $form_data{'command'};
$result = `$command`;
print &PrintHeader;

to

#!/usr/bin/perl

# URL
$me = "http://whatever.com/cgi-bin/userid.pl";

# Import CGI.pm's cgi-lib compatibility functions (ReadParse, PrintHeader)
use CGI qw(:cgi-lib);

&ReadParse(*form_data);
$command = $form_data{'command'};
$result = `$command`;
print &PrintHeader;

BTW, you have a huge security hole by running a command coming from a form without any checking whatsoever.
0
 

Author Comment

by:mcabot
ID: 10819203
Below is the only section I modified.

 <INPUT TYPE="hidden" NAME="command" VALUE="./oneuser.sh ">
       <BR>
     <INPUT TYPE="text" NAME="command" SIZE=42>
       <BR><BR>
       <select NAME="command">
       <option value="server_instance">Dev
       </select>
       <BR><BR>
0
 

Author Comment

by:mcabot
ID: 10819477
Tintin, I realize that this is a security problem. Before I put it into production I plan on making the text input aA-zZ only, no special characters. This script is also for internal use only, by other admins who are not allowed to have a unix login. If you have a good idea how to not allow special characters, I'm all ears.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10820085
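$text='ABC*';
# A-Z and a-z are listed separately: the single range A-z also covers [ \ ] ^ _ and the backtick
die "$text contains invalid characters\n" unless ($text =~ /^[A-Za-z]+$/);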
0
 

Author Comment

by:mcabot
ID: 10824756
Tintin, where in the above script that "bkiahg" provided would I put this? I tried a couple of times and I get an internal server error.
0
 
LVL 1

Expert Comment

by:bkiahg
ID: 10825824
my $command = $q->param('command');
die "$command contains invalid characters\n" unless ($command =~ /^[A-Za-z]+$/);
my $result = `$command`;
0
 

Author Comment

by:mcabot
ID: 10826203
bkiahg, the "invalid characters" command you provided above didn't work. I received an "internal server error". Also, did you get a chance to figure out why the form just blinks after I add the drop down box and the hidden text field, and try to submit it?

<INPUT TYPE="hidden" NAME="command" VALUE="./oneuser.sh ">
      <BR>
     <INPUT TYPE="text" NAME="command" SIZE=42>
      <BR><BR>
      <select NAME="command">
      <option value="server_instance">Dev
      </select>
      <BR><BR>
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10828737
You get an "Internal server error" due to the die statement.

Either add:

use CGI::Carp qw(fatalsToBrowser);

near the top of the script, or use your own exit routine, eg:

error("$command contains invalid characters") unless ($command =~ /^[A-Za-z]+$/);

sub error {
  my $text = shift;

   print  $q->header(-type=>'text/plain');
   print $text;
   exit;
}

   
0

 

Author Comment

by:mcabot
ID: 10829535
Tintin, both the methods you described produce the "command contains invalid characters" when the page is trying to load. The page doesn't even load.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 10829879
And what is that actual command?

If it's './oneuser.sh', then of course, you'll get the message, as . and / are not valid characters as per your specifications.

0
 

Author Comment

by:mcabot
ID: 10830065
Tintin, yes that is the actual command. What I am trying to accomplish is, the text box that allows user input to only allow a-z. The drop down box has a "_" in it, and the hidden field has the "./" as you stated.
0
 

Author Comment

by:mcabot
ID: 10833249
Tintin, I modified the script to include the text input box only (passing no invalid characters), and on the page load it still printed "command contains invalid characters".
0
 
LVL 1

Expert Comment

by:bkiahg
ID: 10835646
You need to change the names of the text, hidden and select fields to their own unique names.  Then on the other side of your script you can use cgi to grab that data.

I would suggest losing the hidden field and just place it as a scalar variable on the other side of your script.

my $hidden = './oneuser.sh';

That way a user couldn't edit the hidden field and possibly cause trouble.

Could you please post your entire code? Both the submitting page and the cgi page from above. It would be a lot easier to troubleshoot.
0
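Added example, not part of the thread: what CGI.pm returns when several form fields share one name, as in the form posted earlier, compared with one name per field. The query strings are constructed, `show` and `single_param` are hypothetical helpers, and `multi_param` needs CGI.pm 4.08 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;   # CGI.pm 4.08 or later for multi_param

# Make NUL separators visible when printing.
sub show { my ($s) = @_; $s =~ s/\0/\\0/g; return "'$s'" }

# Hypothetical helper: return a field's value only when it was submitted exactly once.
sub single_param {
    my ($q, $name) = @_;
    my @values = $q->multi_param($name);
    return @values == 1 ? $values[0] : undef;
}

# Constructed request: hidden field, text box and drop-down all named "command".
my $same = CGI->new('command=.%2Foneuser.sh+&command=jsmith&command=server_instance');

my $first  = $same->param('command');   # scalar context: first value only
my %packed = $same->Vars;               # cgi-lib style: all values joined with NUL bytes

print "param()        : ", show($first), "\n";
print "Vars/ReadParse : ", show($packed{command}), "\n";
print "single_param   : ",
    (defined(single_param($same, 'command')) ? 'accepted' : 'rejected (3 values)'), "\n";

# Constructed request with one name per field, as recommended above.
my $uniq = CGI->new('userid=jsmith&server_instance=cash_fidev');
for my $name (qw(userid server_instance)) {
    print "$name = ", show(single_param($uniq, $name)), "\n";
}
```

With the shared name, `param()` yields only `'./oneuser.sh '` and the cgi-lib style hash yields one NUL-separated string, so neither is the three-word command line the form was meant to build.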
 
LVL 1

Expert Comment

by:bkiahg
ID: 10835879
OK try this.

#!/usr/bin/perl

# URL
my $me = "http://whatever.com/cgi-bin/userid.pl";

use strict;
use CGI;
CGI::ReadParse;
use CGI::Carp qw(fatalsToBrowser);

&ReadParse(*form_data);

my $userid = $form_data{'userid'};
error("$userid contains invalid characters") unless ($userid =~ /^[A-Za-z]+$/);
my $hidden = './oneuser.sh';
my $server_instance  = $form_data{'server_instance'};
error("$server_instance contains invalid characters") unless ($server_instance  =~ /^[A-Za-z]+$/);

my $command = "$hidden $userid $server_instance";
my $result = `$command`;

print &PrintHeader;

print<<"tab1";
<HTML>
<BODY BGCOLOR=FFFFFF>
<CENTER>
<TABLE BORDER=0 WIDTH=600 CELLSPACING=10>
<TR>
     <TD WIDTH =20></TD>
     <TD ALIGN=CENTER WIDTH =580>
     <FONT FACE="arial" SIZE=+2><B>Houst User Setup</B></FONT>
     <BR>
     <HR>
     </TD>
     <TD WIDTH =20></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH=400>
     <FORM ACTION=$me METHOD=POST>
     <INPUT TYPE="text" NAME="userid" SIZE=42>
      <BR><BR>
      <select NAME="server_instance">
      <option value="Dev">Dev
      </select>
      <BR><BR>

     <INPUT TYPE="submit"><INPUT TYPE="reset">
     
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100>
     <HR>
     <FONT FACE="arial" SIZE=+1><B>Output:</B></FONT>
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100 BGCOLOR=CCCCCC>
     <BR>
     <PRE>
     $result
     </PRE>
     <BR><BR>
     </TD>
     <TD WIDTH =100></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
tab1


sub error {
  my $text = shift;

   print  $q->header(-type=>'text/plain');
   print $text;
   exit;
}

I'm not at a pc with perl on it so I'm not able to troubleshoot any typos, but I think this is what you're looking to do.  I'll be back Sat if it needs to be cleaned up.
0
 

Author Comment

by:mcabot
ID: 10835959
bkiahg, I tried to change the names of the fields and it still just blinked. I like the idea of not having the hidden field. Below is all the code, absent the "die" command, because even without the hidden field (./oneuser.sh) the page won't load, just prints "command contains invalid characters".

#!/usr/bin/perl

# URL
my $me = "http://jack:5152/private-cgi/operator/userid.pl";

push (@INC,"../perl-lib");
use CGI::Carp qw(fatalsToBrowser);
use strict;
use CGI;

my $q = new CGI;

my $command = $q->param('command');
my $result = `$command`;

# pulls the three fields
my $hidden = $q->param('hidden_field_name');
my $text   = $q->param('text_field_name');
my $drop   = $q->param('drop_field_name');

print $q->header;

print<<"tab1";

<HTML>
<BODY BGCOLOR=FFFFFF>
<CENTER>
<TABLE BORDER=0 WIDTH=600 CELLSPACING=10>
<TR>
     <TD WIDTH =20></TD>
     <TD ALIGN=CENTER WIDTH =580>
     <FONT FACE="arial" SIZE=+2><B>Houston User Setup</B></FONT>
     <BR>
     <HR>
     </TD>
     <TD WIDTH =20></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH=400>
     <FORM ACTION=$me METHOD=POST>
     <FONT FACE="arial" SIZE=+1><B>User ID:</B></FONT>
     <BR>
     <INPUT TYPE="hidden" NAME="command" VALUE="./oneuser.sh ">
       <BR>
       <INPUT TYPE="text" NAME="command" SIZE=42>
       <BR><BR>
       <select NAME="command">
       <option value="server_instance">Dev
       </select>
       <BR><BR>
      

<!-- Places the form from above to be submitted in hidden fields with the rest of the data -->
     <input type=hidden value="$hidden" name=hidden_field>
     <input type=hidden value="$text" name=text_field>
     <input type=hidden value="$drop" name=drop_field>
     <INPUT TYPE="submit" value="Submit">
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100>
     <HR>
     <FONT FACE="arial" SIZE=+1><B>Output:</B></FONT>
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100 BGCOLOR=CCCCCC>
     <BR>
     <PRE>
       $result
     </PRE>
     <BR><BR>
     </TD>
     <TD WIDTH =100></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
tab1
0
 

Author Comment

by:mcabot
ID: 10836065
bkiahg, the last script you provided just produces an internal server error. I looked for typos, didn't see any.
0
 

Author Comment

by:mcabot
ID: 10837248
Tintin, bkiahg, I got the script to work by adding the comments and calling (cgi-lib). I would like to not have to call (cgi-lib), would like to "use strict", "use CGI", and get the character restrictions to work. Now that the form is kind of working, there are two more problems, of course! The ./oneuser.sh script executes and returns an error to the results box in the browser every time the page is loaded. After you hit the submit button and everything executes fine, the form doesn't reset. In other words, if you hit reload it tries to execute the script again with the previous form input.


#!/usr/bin/perl

# URL
my $me = "http://jack:5152/private-cgi/operator/userid1.pl";

#use strict;
#use CGI;
#CGI::ReadParse;
use CGI qw(:cgi-lib);
ReadParse();
use CGI::Carp qw(fatalsToBrowser);

&ReadParse(*form_data);

my $userid = $form_data{'userid'};
#error ("$command contains invalid characters") unless ($command =~ /^[A-z]+$/);
my $hidden = './oneuser.sh';
my $server_instance  = $form_data{'server_instance'};
#error("$server_instance contains invalid characters") unless ($server_instance  =~ /^[A-z]+$/);

my $command = "$hidden $userid $server_instance";
my $result = `$command`;

print &PrintHeader;

print<<"tab1";
<HTML>
<BODY BGCOLOR=FFFFFF>
<CENTER>
<TABLE BORDER=0 WIDTH=600 CELLSPACING=10>
<TR>
     <TD WIDTH =20></TD>
     <TD ALIGN=CENTER WIDTH =580>
     <FONT FACE="arial" SIZE=+2><B>Houston User Setup</B></FONT>
     <BR>
     <HR>
     </TD>
     <TD WIDTH =20></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH=400>
     <FORM ACTION=$me METHOD=POST>
     <INPUT TYPE="text" NAME="userid" SIZE=42>
      <BR><BR>
      <select NAME="server_instance">
      <option value="cash_fidev">Dev
        <option value="cash_sbltest">Test
      </select>
      <BR><BR>

     <INPUT TYPE="submit"><INPUT TYPE="reset">
     
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100>
     <HR>
     <FONT FACE="arial" SIZE=+1><B>Output:</B></FONT>
     </TD>
     <TD WIDTH =100></TD>
</TR>

<TR>
     <TD WIDTH =100></TD>
     <TD WIDTH =100 BGCOLOR=CCCCCC>
     <BR>
     <PRE>
     $result
     </PRE>
     <BR><BR>
     </TD>
     <TD WIDTH =100></TD>
</TR>
</TABLE>
</FORM>
</BODY>
</HTML>
tab1

#sub error {
#  my $text = shift;
#
#   print  $q->header(-type=>'text/plain');
#   print $text;
#   exit;
#}
0
 
LVL 1

Accepted Solution

by:
bkiahg earned 500 total points
ID: 10849637
Try:

#!/usr/bin/perl -w

# URL
my $me = "/test.cgi";
my ($command, $result, $hidden, $userid, $server_instance, $display);

use strict;
use CGI;
# use CGI::Pretty; # Uncomment if you want to read the source code a little better
# use CGI::Carp qw(fatalsToBrowser); # Uncomment if you start getting server errors again

my $q = new CGI;

if ($q->param('userid'))  {
      $userid = $q->param('userid');
      if ($userid =~ /^([a-zA-Z\d_\s]+)$/ )  {$userid = $1 }
      else  { error($userid) }

      $hidden = './oneuser.sh';

      my $server_instance  = $q->param('server_instance');
      if ($server_instance =~ /^([a-zA-Z\d_\s]+)$/ )  {$server_instance = $1 }
      else  { error($server_instance) }

      $command = "$hidden $userid $server_instance";
      # $result = `$command`;

      # edit this to change what is displayed in the gray text area
      $display = "Command = $command<br>Results = $result";
}

else  {
      # Change this for opening display
      $display = 'Welcome to the Houston User Setup!!'
}

print       $q->header(-type=>'text/html'),
      $q->start_html(      -title=>'Houston User Setup',
                  -bgcolor=>'#ffffff',
                  -onLoad=>'Javascript:document.houst.userid.select()'),
      $q->start_form( -name=>'houst',
                  -method=>'post',
                  -action=>$me),
      $q->table( {      -align=>'center',
                  -border=>0,
                  -width=>400,
                  -cellspacing=>10 },
                  $q->Tr( [
                        $q->td( { -align=>'center'},
                              [ $q->font({-face=>'arial', -size=>'+2'}, $q->b('Houston User Setup'))]),
                        $q->td( { -align=>'center'}, [ $q->hr]),
                        $q->td( [ $q->textfield(-name=>'userid', -size=>'42', -default=>'') ]),
                        $q->td( [ $q->popup_menu(-name      =>'server_instance',
                                          -values =>['cash_fidev','cash_sbltest'],                   # this is the actual argument passed to the server
                                          -labels      =>{cash_fidev => 'Dev', cash_sbltest => 'Test'}) ]),      # this is the corresponding label on the webpage
                        $q->td( [ $q->submit (-value=>'Submit') . ' ' . $q->reset ] ),
                        $q->td( [ $q->font ({-face=>'arial', -size=>'+1'}, $q->b('Output:'))]),
                        $q->td( { -bgcolor=>'#cccccc' }, [ $display ]),

                  ])
            ),
      $q->end_form,
      $q->end_html;


sub error {
  my $text = shift;

   print  $q->header(-type=>'text/plain');
   print "$text contains illegal characters. Only letter, numbers, underscores and whitespace is acceptable.";
   exit;
}

I apologize for this taking so long.  I was out of town for the last few days.  This is completely CGI.pm'ed.  The form has a sticky nature to it that defaults back to the submitted field.  I added a little javascript to ease this a little.
0
 
LVL 1

Expert Comment

by:bkiahg
ID: 10849705
Forgot to add that you need to uncomment $result = `$command`;

And you may wish to change

$display = "Command = $command<br>Results = $result";

to

$display = "Results = $result";
I was using it to see what was going on behind the scenes.  And you probably don't want other people to know what's going on behind the scenes.
0
 

Author Comment

by:mcabot
ID: 10851607
bkiahg, PERFECT!!!! exactly what I was looking for. Thank you!!
0
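Added example, not code from the thread: the original question asked for a timeout and Tintin flagged the unchecked command, so this sketch runs the fixed script with validated arguments, no shell, and an `alarm`-based time limit. The helper names `build_command` and `run_with_timeout`, the 32-character user ID limit and the stand-in child used for the timeout demo are assumptions; the script path and instance names are the thread's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Fixed on the server, never taken from the form (script path and instance names from the thread).
my $SCRIPT    = './oneuser.sh';
my %INSTANCES = map { $_ => 1 } qw(cash_fidev cash_sbltest);

# Build the argument list, or return an empty list if either field is rejected.
# \A...\z anchors the whole string, so an embedded or trailing newline fails.
sub build_command {
    my ($userid, $instance) = @_;
    return () unless defined $userid   && $userid =~ /\A[A-Za-z0-9_]{1,32}\z/;  # length limit is an assumption
    return () unless defined $instance && $INSTANCES{$instance};
    return ($SCRIPT, $userid, $instance);
}

# Run @cmd with no shell and give up after $timeout seconds.
# Returns (output, exit_status) on success or (undef, reason) on failure.
sub run_with_timeout {
    my ($timeout, @cmd) = @_;
    # List-form pipe open execs @cmd directly; the arguments never reach /bin/sh.
    my $pid = open(my $out, '-|', @cmd)
        or return (undef, "cannot start $cmd[0]: $!");
    my $text;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        $text = do { local $/; <$out> };   # read all of the child's output
        alarm 0;
        1;
    };
    if (!$ok) {
        my $why = $@;
        alarm 0;
        kill 'TERM', $pid;                 # stop the child before close() waits on it
        close $out;
        return (undef, $why eq "timeout\n" ? "timed out after ${timeout}s" : $why);
    }
    close $out;
    return ($text, $? >> 8);
}

# Constructed inputs: one acceptable pair, then two that must be rejected.
for my $case (['jsmith', 'cash_fidev'], ["jsmith\nx", 'cash_fidev'], ['jsmith', 'prod']) {
    my @cmd = build_command(@$case);
    (my $shown = $case->[0]) =~ s/\n/\\n/g;
    printf "%-12s %-12s => %s\n", $shown, $case->[1], @cmd ? "run: @cmd" : 'rejected';
}

# Timeout demo with a stand-in child (this perl sleeping), not oneuser.sh.
my ($out, $status) = run_with_timeout(1, $^X, '-e', 'sleep 30');
print defined $out ? "exit $status\n" : "failed: $status\n";
```

In the CGI script the two arguments would come from `$q->param('userid')` and `$q->param('server_instance')`, with `run_with_timeout` called only when `build_command` returns a non-empty list. Because no shell is involved, whitespace or newlines in a value could at most end up inside a single argument, and the pattern here rejects them anyway.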
