Gossamer Forum

deleting a file from the server

Hi again, gosh, this place is so useful, and I really appreciate all the help I get here; without you all, I'd be totally lost.

Anyway, I'm trying to delete a file from the server. Of course I don't know how to write the right code, so what I've done is rename the file to a null file name in the meantime, but I'm hoping someone can actually tell me how to properly write the following to delete the file instead of renaming it.

$user = $FORM{'user'};          # taken straight from the submitted form (user-supplied)
$photo = $FORM{'photo'};
$action = $FORM{'action'};

use DBI;
$dbh = DBI->connect("dbi:mysql:$mysqldatabase","$mysqlusername","$mysqlpassword") || die("Couldn't connect to database!\n");
print "Content-Type: text/html\n\n";
#&printheader;
&getprofilenumber;
&savedata;
&printconfirmation;
&printfooter;
$filename = $user;
chdir ("$memberimagesfolderpath");          # move into the member images folder
rename ("$user","245tghyu4g3645y.gif");     # placeholder: renames the file instead of deleting it

You'll notice above that I have rename ("$user","245tghyu4g3645y.gif"); when I should really have some way of deleting the file instead of just renaming it. Though it does work this way, I would prefer to just delete the file instead.

Also, I'm trying to figure out a way of working within the following block of code to check if the incoming file is a jpg or a gif and, if not, toss them an error message. I have looked at the upload mod in the resource center, but it has me totally lost as to how I could possibly mod the mod to work for my situation.

require "cgi-lib.pl";
$ret = &ReadParse;                          # parse the form/upload into %in
print "Content-Type: text/html\n\n";
&CgiDie("Error in reading and parsing of CGI input") if !defined $ret;
&CgiDie("No data uploaded") if !$ret;

$in{'upfile'} =~ s/</&lt;/g;                # escape angle brackets in the uploaded name
$in{'upfile'} =~ s/>/&gt;/g;

$uploaded = $in{'upfile'};                  # name of the uploaded file (user-supplied)
$filename = $member;

chdir ("$memberimagesfolderpath");
rename ("$uploaded","$filename");           # nothing checks the file type before this point
$image = "$memberimagesfolderURI/$filename";


Any help is as usual greatly appreciated.

Harrison


"I've got if's pretty good, but that's about it"
Re: deleting a file from the server
unlink($user);

To find out if a GIF is really a GIF, the real way is to open it and see if the first six characters are GIF89a.

Jerry Su
Re: deleting a file from the server
Thanks Jerry,
I knew it had to do with unlink, I just wasn't sure how to accomplish it. Now I know for the future, one more thing I know besides writing if statements.

Harrison

Re: deleting a file from the server
NO NO NO NO NO.

NEVER, EVER, and let me repeat once more, *EVER* do ANY kind of system function that involves user-provided data without THOROUGHLY checking it first.

doing:

$user = $form{'user'};
unlink($user);

is unbelievably dangerous.

Check that inputted value for ANY illegal characters or whatever else criteria before doing any operations with it.

If the user was to input their username as ";... then something malicious", you could have a LOT of damage done to your system.

I would suggest reading all perl documentation on Taint mode.

I'm sorry, I am not trying to direct these comments at any one person, but it is one of my BIG pet peeves when people use this kind of coding, or recommend it to others, without knowing the full consequences of the potential problems this will cause.

--mark

Installation support is provided via ICQ at UIN# 53788453. I will only respond on that number.
Re: deleting a file from the server
hehe, I was only suggesting to use unlink.. I didn't know it'd be used like that..

If I knew a site had something like that in my code.. my username would be like.. '/' or 'c:\windows\'

:)


Jerry Su
Re: deleting a file from the server
Actually, that is taken care of way back at the beginning of the first script when they add a profile into the system: the only legal characters allowed for a username, or in this case $user, are a to z and nothing else, so I think I'm pretty safe in assuming that this kind of malicious attempt would not be a vulnerable problem in this particular case. If someone tried to enter a username when they first registered as "harrison;" or "/" or "/harrison", it would only come out as "harrison" in the first case, be rejected in the second case since the "/" is stripped out and there is nothing left, and come out as "harrison" in the third case; and if they entered "c:\windows\" it would come out as "cwindows".

Also, I neglected to mention that we receive an email of all uploads for us to check, so we do see the username, so if by chance something unusual did get by us, then we would manually ftp in and delete the file.

So, again I think I'm pretty safe in this particular case, but thanks for the heads up.

Harrison


Re: deleting a file from the server
Can you give me an example of code for how to open the image file and read it for the GIF89a?

Also, how then does one check for a true jpg file?

Thanks to all, you've all been very helpful, and saved me hours and hours of frustration and really helped me to learn new Perl.

Harrison


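The check Jerry describes, and the JPEG counterpart Harrison asks about, as an added Perl example that is not code from the thread. It classifies a file by its leading bytes: a GIF begins with "GIF87a" or "GIF89a" (Jerry named the 89a header; 87a is the older one), and a JPEG begins with the bytes FF D8 FF. The function names and the sample byte strings are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: identify an uploaded image by its
# leading bytes ("magic number") rather than by the filename or extension,
# which the uploader chooses.
use strict;
use warnings;

# Classify a byte string by its signature. Returns 'gif', 'jpeg', or undef.
sub image_type_from_bytes {
    my ($bytes) = @_;
    return undef unless defined $bytes;
    return 'gif'  if $bytes =~ /\AGIF8[79]a/;                  # "GIF87a" / "GIF89a"
    return 'jpeg' if length($bytes) >= 3
                  && substr($bytes, 0, 3) eq "\xFF\xD8\xFF";   # JPEG SOI marker
    return undef;                                              # neither: reject the upload
}

# Read only the first few bytes of a file on disk; the whole image is never loaded.
sub image_type_of_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    binmode($fh);                      # raw bytes, no newline translation
    my $header = '';
    my $got = read($fh, $header, 8);
    close($fh);
    return undef unless defined $got;
    return image_type_from_bytes($header);
}

# Constructed sample inputs (not real files): a GIF header, a JPEG header,
# an HTML document renamed to .gif, and an empty upload.
my %samples = (
    'photo.gif' => "GIF89a\x01\x00\x01\x00",
    'photo.jpg' => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'fake.gif'  => "<html><body>not an image</body></html>",
    'empty.jpg' => '',
);

for my $name (sort keys %samples) {
    my $type = image_type_from_bytes($samples{$name});
    printf "%-10s => %s\n", $name, defined $type ? $type : 'rejected';
}
```

In Harrison's upload script the natural place for this is before the rename: call image_type_of_file on the uploaded temporary file and refuse the upload when it returns undef. A signature check is a cheap first gate that proves only the header; it does not show the rest of the file is a well-formed image, so where that matters a decoder-based check (for example Image::Size or GD from CPAN) is the stronger option.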
Re: deleting a file from the server
Username isn't the only spot.

$uploaded = $in{'upfile'};
$filename = $member;

chdir ("$memberimagesfolderpath");
rename ("$uploaded","$filename");

Again, you don't want ANY interaction with system functions with unchecked data.

--mark

Re: deleting a file from the server
Remember though, just because the user was valid when they signed up, it doesn't mean it will be valid now. Don't assume that the user will follow your program page by page.

You can usually go directly to any part of a cgi script just by manipulating the input. For instance, if you have a program that does:

1. Display User Signup Form.
2. Check for Valid user + Signup
3. Display Upload Form
4. Upload file.

Now, it's usually quite easy to jump to step 3 by just passing in the right information. If your script assumes that the user has gone through 1 and 2, then it will trust the input -- big mistake!

Any input that comes from an outside source needs to be checked every single time before it is used -- double checked if it's used in a system call.

(btw, unlink on a directory doesn't do anything; it only works on files, but still).

Cheers,

Alex

--
Gossamer Threads Inc.
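The practice Mark and Alex are arguing for, as an added Perl example that is not code from the thread: the user-supplied name is whitelist-validated (and, under taint mode, untainted) on every request, immediately before the filesystem call, instead of relying on what the signup script checked earlier. The directory path, the 32-character limit and the function names are assumptions standing in for $memberimagesfolderpath and the variables in Harrison's script; the demonstration directory and file are constructed.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: validate the user-supplied name
# right before the file is touched, every time, and refuse anything that
# does not match the whitelist rather than stripping characters out of it.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

our $member_images_dir = '/var/www/member_images';   # assumed location

# The thread's rule: a username is lowercase a-z and nothing else. Under -T
# (taint mode) the captured group is what untaints the value; input that does
# not match is rejected outright.
sub clean_username {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([a-z]{1,32})\z/;
    return $1;
}

# Build the full path without chdir, then confirm the target is a plain file
# and not a symlink. (unlink on a directory fails anyway, as Alex notes.)
sub member_image_path {
    my ($user) = @_;
    my $name = clean_username($user);
    return undef unless defined $name;
    my $path = File::Spec->catfile($member_images_dir, $name);
    return undef if -l $path;
    return undef unless -f $path;
    return $path;
}

# Returns 1 when the member's image was removed, 0 when the request was
# refused or the file did not exist. The same check runs on every call,
# regardless of what an earlier signup step validated.
sub delete_member_image {
    my ($user) = @_;
    my $path = member_image_path($user);
    return 0 unless defined $path;
    return unlink($path) ? 1 : 0;
}

# Demonstration on a constructed temporary directory holding one member file.
$member_images_dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($member_images_dir, 'harrison'))
    or die "setup failed: $!";
close($fh);

# Inputs modelled on the thread: a valid name, then the kinds of values the
# replies warn about. Only the first is accepted.
for my $input ('harrison', 'harrison;', '/', '../harrison', "c:\\windows\\", 'HARRISON') {
    printf "%-16s => %s\n", "'$input'",
        delete_member_image($input) ? 'deleted' : 'refused';
}
```

Run it as perl -T script.pl, since the -T on the #! line must also be given on the command line when the script is started through the interpreter. The design choice worth noting is that clean_username returns undef for anything outside the whitelist instead of deleting the offending characters: Harrison's signup filter turns "c:\windows\" into "cwindows", which silently maps a hostile value onto a legitimate-looking one, whereas rejection keeps the two distinguishable and leaves an audit trail in the refused requests.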