
checking file for data

Hi,

I'm trying to check a txt file for a user inputted field before submitting a form. If the ID exists process the form, if not go to error. I originally had it set up where each ID record was a separate .txt file but just recently combined all the files to one txt file so now I'm not sure how to check one file. This works fine for the old setup:

&error('Not valid.') unless (open(FILE, "/pathto/$form{'ID'}.txt"));

But now the new file is just one pipe delimited file similar to links:
1|more info|and more info
2|more info|and more info
3|more info|and more info

So I need to check the first field of each record (to make sure it matches what the user inputs) so using the example above, if the user inputs an ID of 2 it will process but if they enter 4 they'll go to the error page.....but not quite sure how to do it. Any ideas? Thanks.


Re: checking file for data In reply to
my $file = "$FORM{'ID'}.txt";
my $formid = $FORM{'ID'};

open(FILE,"<$file") || die "Can't open $file:$!";
@file=<FILE>;
close FILE;

foreach $line (@file) {
    chomp $line;
    ($id,$info,$moreinfo) = split(/\|/,$line);

    if ($id eq $formid) {
        &success;
    }
    else {
        &error;
    }
}


Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Nice dude, I'll give it a go....I'll let you know how it went. Thanks.

Re: checking file for data In reply to
In Reply To:
my $file = "$FORM{'ID'}.txt";
my $formid = $FORM{'ID'};

open(FILE,"<$file") || die "Can't open $file:$!";

You should never take input from a user and use it in a system call such as an open command, without checking that data first.

That's a good way to get hacked severely :)

--mark


Installation support is provided via ICQ at UIN# 53788453. I will only respond on that number.
Re: checking file for data In reply to
In Reply To:
That's a good way to get hacked severely :)

Cool. Can we have some examples? :-þ

Happy Coding,

--Drew
http://www.FindingHim.com
Re: checking file for data In reply to
I'm not sure but I thought he just meant using regex etc to check for unwanted characters.

However I would like to know how my code example could be hacked :)

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Yeah..examples would be good Mark. Just thinking about this, I forgot to mention that I'm checking a data file which doesn't have the same values as the form, so I don't think it will work. So when it checks through the values: ($id,$info,$moreinfo) they won't match up. Unless I'm missing something here? Anyway, any thoughts would be great. Thanks all.

Re: checking file for data In reply to
In Reply To:
So when it checks through the values: ($id,$info,$moreinfo) they won't match up. Unless I'm missing something here?

Yes it will work.....all that code is doing is splitting the values between every | and assigning them to the variables so you should have no problems. The field names don't need to be the same as the variables for it to work.

For example in your form you could have

Name
Email

....and then write this to the database like....

Bob|bob@url.com

.....but to check the database you could use...

($bla,$blabla) = split(/\|/,$line);

....and this would assign Bob to $bla and bob@url.com to $blabla so it makes no difference.

Am I making sense?

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Ok..I gotcha, I thought I needed to check the values to make sure they match up first? Hmm, I'm going to give it a try right now...tell you if it works in a few.

Re: checking file for data In reply to
Hi,

Yes it does check...

my $formid = $FORM{'ID'};

......assigns the users input to $formid and then if you notice, further down I used....

if ($id eq $formid) {

.....which checks the input against the ID in the file.

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Yeah...I just caught that---I'm getting errors though. Not sure wtf is going on here. I'm going to try something else though...thanks, appreciate it.

Re: checking file for data In reply to
What errors?

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Hey, ok...here's part of the sub and what I'm trying to do, but I'm getting syntax errors:

&error('Unable to open.') unless (open PROCESS, ">$full{'path'}$userfile.txt");
my $file = "/pathtofile.txt";
my $formid = $form{'ID'};
open(FILE,"<$file") || die "Can't open $file:$!";
@file=<FILE>;
close FILE;
foreach $line (@file) {
chomp $line;
($info,$ID,$info) = split(/\|/,$line);
&error('ID Not Valid.') unless ($ID eq $formid);
my $pass = &generatepass;
print PROCESS "$pass\n$form{'mail'}\n$form{'name'}";
close PROCESS;
print "$form{'name'}, mail sent to $form{'mail'}.\n";
&send($form{'mail'}, $config{'admin'}, 'Your Info', "Here is your password: $pass\r\n");
}
else {
print "Incomplete. Go Back.\n";
}
}
else {
print "Not Available...Go Back\n";
}
}

See anything missing? I don't...and I'm not sure why there's an error. Thanks for your help.

Re: checking file for data In reply to
ok, let's say you're taking input from a user and using it in the open statement.

I, as the user, decide to submit (no, I will not provide real code) code to remove all files from the disk. That info that I pass in my variable doesn't get checked for bad stuff.

Now the open command gets executed, with it my malicious code, and suddenly no more server stuff.

Trust me, it's easy to do. Use the submitted data to close off the open command, and attach some maliciousness to it while the perl interpreter is executing system level calls.

bad bad bad.

--mark

Installation support is provided via ICQ at UIN# 53788453. I will only respond on that number.
Re: checking file for data In reply to
Ugh looks a little messy.

Check your error log and this line too....

&send($form{'mail'}, $config{'admin'}, 'Your Info', "Here is your password: $pass\r\n");


Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Ok Mark, now that we've established that the code is not safe to use, how about a little more guidance.....or not, either way, no big deal. Paul, there is no problem with errors with any of the other code, as it currently works fine.....the problem is with integration of the new code...and unfortunately I don't have error logs (but that's a whole other issue I would prefer not to get into on this post). So anyway, if anyone sees the problem with the new code added, 'which is between the two &error statements' and feels like spreading some of their knowledge, that'd be great! Thanks.

Re: checking file for data In reply to
A little more guidance in what respect? Cleaning it?

Best way is to make sure there are no undesirable characters in the string, before using it in system calls

Code:
use CGI;
my $q = CGI->new();

my $filename = $q->param('file');
die "Invalid characters in filename" unless $filename =~ /^([\w.-]+)$/;

$filename = $1; # This line takes it a step further by clearing the Taint-ing (-T mode)

# What that did was halt execution if the filename var contains
# any character other than letters, numbers, underscores,
# periods, or hyphens. Modify the regex to suit your needs.

--mark

Installation support is provided via ICQ at UIN# 53788453. I will only respond on that number.
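
An added example, not code from any poster in this thread, that applies the validation above to the original question: check the submitted ID against an allowlist pattern, open a fixed data file with three-argument open, and compare the ID with the first pipe-delimited field of each record. The function names `valid_id` and `id_exists`, the digits-only ID rule, and the temporary data file are assumptions; the records and inputs are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Assumption: IDs are 1-10 digits, as in the sample records in this thread.
# \A and \z anchor the whole string; unlike $, \z does not accept a trailing newline.
sub valid_id {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([0-9]{1,10})\z/;
    return $1;    # the captured value is also untainted under -T
}

# Look up an ID in the first field of a pipe-delimited file.
# The path comes from the script's own configuration, never from form input.
sub id_exists {
    my ($path, $id) = @_;
    # Three-argument open: the mode is its own argument, so nothing in
    # $path is ever interpreted as a mode or pipe character.
    open(my $fh, '<', $path) or die "Can't open $path: $!";
    my $found = 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($first) = split /\|/, $line, 2;
        next unless defined $first;
        if ($first eq $id) { $found = 1; last; }
    }
    close $fh;
    return $found;    # decide once, after the scan, not per record
}

# Constructed sample data, written to a temp file so the example runs offline.
my ($tmp, $data_file) = tempfile(UNLINK => 1);
print {$tmp} "1|more info|and more info\n2|more info|and more info\n3|more info|and more info\n";
close $tmp;

# Constructed inputs: two well-formed IDs and three that must be rejected.
for my $input ('2', '4', '2.txt', '../2', "2\n") {
    my $id = valid_id($input);
    (my $shown = $input) =~ s/\n/\\n/g;
    if (!defined $id) {
        print "'$shown': rejected before any file access\n";
    } elsif (id_exists($data_file, $id)) {
        print "'$shown': ID found, process the form\n";
    } else {
        print "'$shown': ID not valid\n";
    }
}
```

Because the file path is fixed and the ID is only ever compared as a string, user input never reaches the open call at all in the single-file layout.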
Re: checking file for data In reply to
My code has no errors in it so you must have done something wrong.

The only thing you changed from my original code is this...

my $file = "/pathtofile.txt";

Try changing it back to what I suggested or double check the path.

The internal server error will be due to the wrong path to the file.


Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Mark, I'm just trying to get the code to work first before I even try adding yours, but thanks for the heads up...much appreciated. Paul, actually, I did change a little from what you originally posted. Look for this line &error('ID Not Valid.') unless ($ID eq $formid); That's about all I changed. It's not an internal server error....I think I'm just missing a bracket somewhere...... I posted the code to see if someone could spot it. I don't think there is anything wrong with the code you provided, I just think the problem is like I said above. Anyway, if it pops out at you let me know....thanks again.

Re: checking file for data In reply to
Well it would help if you told us what error you ARE getting.

There is no missing bracket.

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Oh, I thought I posted a message about this, but I guess not--well, I don't have error logs to check, so I don't know what the exact error is, but in my experience 99% of the time, when I get a 'Document Contains No Data' message from Netscape it means that the script is missing a bracket, semi-colon, quote, etc. I call them syntax errors....I thought everyone else did too? Basically, there is something wrong with the code I posted above, (the path to the file is correct). All I can really say for sure is that if I remove the section between the two &error statements everything runs fine as normal. Anyway, if you have any other suggestions that would be great......if not don't worry about it.

Re: checking file for data In reply to
There is no need to be like that and YES I know you don't have error logs but seeing as you said you had an error but it wasn't a 500 then I assumed you had some way of telling you had an error!!!!

Again, there is nothing wrong with the code I provided (in terms of functionality).

Good Luck.

Paul Wilson.
http://www.wiredon.net/gt/
http://www.perlmad.com/
Re: checking file for data In reply to
Um....ok, be like what? Basically, what I'm saying is this. I know there is an error, because when I try to call the script via the browser I'm getting the message 'Document Contains No Data' and as I said, 99% of the time I get that error message from Netscape it means that I goofed somewhere in the script and left out a bracket, semicolon etc. Do I know exactly what the error is in this situation? Obviously not, or I wouldn't be posting messages. I never said there was something wrong with the code you provided and I'm not asking for you to look at the code that you provided because I slightly changed it...instead I was requesting that someone look at the code that I placed about 6 posts up to see if I missed something when changing it. Not sure how else to explain myself, so I guess that's it. Thanks.