From jhannah at omnihotels.com  Mon Jul 11 11:08:05 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Mon, 11 Jul 2005 13:08:05 -0500
Subject: [Omaha.pm] 1 night vs. 17 nights
Message-ID: <200507111806.j6BI6wic030214@omares-email.omnihotels.com>

Oh, that's a neat little hack:

    my $nights_text = ($nights == 1) ? 'night' : 'nights';
    $html .= "$rate $currency per night starting $date_text for $nights $nights_text.";

j

From jhannah at omnihotels.com  Tue Jul 12 07:38:44 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Tue, 12 Jul 2005 09:38:44 -0500
Subject: [Omaha.pm] CGI.pm start_form() bug? I guess not...
Message-ID: <200507121437.j6CEbZic013112@omares-email.omnihotels.com>

Given this program:

---
    #!/usr/bin/perl
    use CGI qw( escapeHTML );
    my $q = new CGI;
    print $q->header;
    # (The HTML line-break tags inside the print statements did not
    # survive the archive; only the "\n" remains.)
    print "x is " . $q->param("x") . "\n", escapeHTML($q->start_form), "\n";
    $q->param("x", "one");
    print "x is " . $q->param("x") . "\n", escapeHTML($q->start_form), "\n";
    $q->param("x", "two");
    print "x is " . $q->param("x") . "\n", escapeHTML($q->start_form), "\n";
---

Hitting it with this URL

    http://razorbill/~jhannah/index.pl?x=blah

I was surprised by this output:

---
x is blah
x is one
x is two
---

[the escaped form tags printed between those lines were not preserved in the archive]

I thought that the 'action' URL should keep changing to reflect the new state of the variable x...

So, down in HTML land... What happens if you POST to a form w/ parameters in the URL? Are the URL parms honored? What if the variable x is in both the URL AND the POST with different values? Which one does it honor?

Testing in raw HTML... Given this form:
[form markup not preserved in the archive]

I was surprised that parms.pl[1] does NOT receive/see param x set to blah.

As expected, though: given this form:

[form markup not preserved in the archive]

parms.pl will receive whatever you type into the textfield named x.

What I learned today: You can have all the parameters you want in the querystring of the 'action' of a form (method="POST"), but they will all be ignored. Pay them no heed... Go figure! -grin-

j

[1] parms.pl source code (Dump all params to the screen (err... browser).)

    #!/usr/bin/perl
    use CGI;
    my $q = new CGI;
    # (The HTML heading and line-break tags did not survive the archive.)
    print $q->header, "Params you submitted:\n";
    foreach ($q->param) {
        # Escape each value: this page echoes whatever the client sent.
        print "$_: " . $q->escapeHTML($q->param($_)) . "\n";
    }

From jay at jays.net  Thu Jul 14 18:51:12 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 20:51:12 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
In-Reply-To: <297203B1AD107A438D2616D3A8E9B382E0FE32@DSAE2K.DSAD.AD.TAMU.EDU>
References: <297203B1AD107A438D2616D3A8E9B382E0FE32@DSAE2K.DSAD.AD.TAMU.EDU>
Message-ID: <6f45cc2179eddeee2b5bda9f4bc7639d@jays.net>

Sorry for the month delay. Been out of country...

On Jun 20, 2005, at 10:56, Fluhmann, Jeremy wrote:
> Sadly, I'm the only one in the Meetup group. I was the organizer,
> but I guess after being inactive they took it away from me (even
> though I'm the only member). But it looks as if an organizer must pay
> a monthly subscription now. Is that correct?

That's too bad. Ya, Meetup wants money now. AFAICT 80+% of the Meetup groups are dead now. At least around Omaha anyway. Dunno what the actual statistic is.

Here @ Omaha Perl Mongers I talk to myself on this list occasionally and we have small monthly meetings, usually only missing one mtg a year. Rock stars, all. -grin-

> I'm just waiting for support at pm.org to setup my web and MailMan
> account.

I don't see a group for you, and I don't see an open ticket. Did you read the FAQ?

    http://groups.pm.org/faq.html

If you send another email to that address it should open a ticket for you. (I'm an admin volunteer.)

Nice hearing from you! My last company (Viatel) (1) bought out a company in College Station, and then (2) promptly went bankrupt. Doh! (This was about 5/6 years ago.) Sorry about that... Small world. -grin-

j

From jay at jays.net  Thu Jul 14 19:10:14 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:10:14 -0500
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
Message-ID: <9da3b778266b695064916628af8daaa3@jays.net>
I was going through the archive and my Inbox and no one replied to this? I thought I did? hmmm... oh well, take2? -grin-

On Jun 15, 2005, at 23:26, Daniel Linder wrote:
> I'm looking for a Perl one-liner regexp that will check a given
> password string to see if it meets a 'strength' requirement.
>
> The tests are:
> 1: Length >= 6 characters
> 2a: Contains number(s) (0-9)
> 2b: Contains lowercase letter(s) (a-z)
> 2c: Contains uppercase letter(s) (A-Z)
> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>
> A password is good if it meets rule #1 and three of the four in #2.

Wow. I don't think you'll get a one liner to do all that. Not a readable one anyway.

> At first glance a check such as /[a-z]+[A-Z]+[0-9]+/ could be a start,
> but it requires that the order of the lower case characters be before
> any upper-case characters or numbers, plus it ignores the length
> requirement.
>
> I've pretty much given up on a one-liner and this is the closest I can
> come up with (ugly):
>
> #!/usr/bin/perl
>
> $PASSWD=shift;
>
> $LEN = length($PASSWD);
> printf ("LEN: $LEN\n");
>
> # tr/// takes a plain range, not a character class: with tr/[0-9]*//
> # the characters '[', ']' and '*' would be counted as digits too.
> $NumDigits = ($PASSWD =~ tr/0-9//);
> printf ("NumDigits: $NumDigits\n");
>
> $NumUpperCase = ($PASSWD =~ tr/A-Z//);
> printf ("NumUpperCase: $NumUpperCase\n");
>
> $NumLowerCase = ($PASSWD =~ tr/a-z//);
> printf ("NumLowerCase: $NumLowerCase\n");
>
> $NumSpecial = ($PASSWD =~
>     tr/\!\@\#\$\%\^\&\*\(\)\_\+\-\=\{\}\[\]\\\|;\':\"\,\.\/\<\>\?\~\`//);
> printf ("NumSpecial: $NumSpecial\n");
>
> if ( ( $LEN >= 6 )
>      and
>      ( ($NumDigits?1:0) + ($NumUpperCase?1:0) + ($NumLowerCase?1:0) +
>        ($NumSpecial?1:0) >= 3 )
>    ) {
>     printf ("Password \"%s\" passed.\n", $PASSWD);
> }
>
> Dan

Looks good to me! Maybe it could be cleaner? Something like this? (Not tested.)

    #!/usr/bin/perl
    $_ = shift;
    $points++ if (/[0-9]/);
    $points++ if (/[A-Z]/);
    $points++ if (/[a-z]/);
    $points++ if (/[\!\@\#\$\%\^\&\*\(\)\_\+\-\=\{\}\[\]\\\|;\':\"\,\.\/\<\>\?\~\`]/);
    die "Failed" unless (length($_) >= 6 and $points >= 3);
    print "Yay! $_ passed!\n";

Good/bad?

HTH,
j

From jay at jays.net  Thu Jul 14 19:12:00 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:12:00 -0500
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <9da3b778266b695064916628af8daaa3@jays.net>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96> <9da3b778266b695064916628af8daaa3@jays.net>
Message-ID: <4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>

> The tests are:
> 1: Length >= 6 characters
> 2a: Contains number(s) (0-9)
> 2b: Contains lowercase letter(s) (a-z)
> 2c: Contains uppercase letter(s) (A-Z)
> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>
> A password is good if it meets rule #1 and three of the four in #2.

P.S. That's the MS Active Directory test set isn't it? I think that this thread has a cleaner set than what I wrote months ago -- I'll have to look at updating whatever it was I wrote way back when...
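The rule quoted above (rule #1 plus three of the four classes in #2) as a reusable function that also reports which rules failed. This is an added example, not code from the thread; the function name check_password, its defaults, and the generalised symbol class ("anything that is not a letter or digit", instead of the thread's explicit list) are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the thread's rule
# (length >= 6 and at least three of the four character classes)
# as a function that also reports *which* rules failed, so a caller
# can tell the user what to fix. The symbol class is generalised to
# "anything that is not a letter or digit" (an assumption; the thread
# lists the symbols explicitly).
use strict;
use warnings;

my %CLASS = (
    digit  => qr/[0-9]/,
    lower  => qr/[a-z]/,
    upper  => qr/[A-Z]/,
    symbol => qr/[^A-Za-z0-9]/,
);

# Returns (1, []) on success, or (0, \@reasons) with one reason per
# failed rule. min_len and min_classes default to the thread's 6 and 3.
sub check_password {
    my ($pw, %opt) = @_;
    my $min_len     = defined $opt{min_len}     ? $opt{min_len}     : 6;
    my $min_classes = defined $opt{min_classes} ? $opt{min_classes} : 3;
    my @reasons;

    push @reasons, "shorter than $min_len characters"
        if length($pw) < $min_len;

    my @missing = grep { $pw !~ $CLASS{$_} } sort keys %CLASS;
    my $have    = keys(%CLASS) - @missing;
    push @reasons, "only $have of " . scalar(keys %CLASS)
        . " character classes (missing: @missing)"
        if $have < $min_classes;

    return @reasons ? (0, \@reasons) : (1, []);
}

# Constructed samples: [ password, expected verdict ].
my @samples = (
    [ 'Abc123'   => 1 ],   # upper + lower + digit, 6 chars
    [ 'abc123'   => 0 ],   # only two classes
    [ 'Ab1!'     => 0 ],   # all four classes but too short
    [ 'p@ssw0rd' => 1 ],   # passes the rule, yet is a well-known weak
                           # password: class rules are no substitute
                           # for a check against breached-password lists
);

for my $s (@samples) {
    my ($pw, $want) = @$s;
    my ($ok, $why) = check_password($pw);
    printf "%-10s %s\n", $pw,
        $ok ? 'passed' : 'FAILED: ' . join('; ', @$why);
    die "unexpected verdict for '$pw'\n" if $ok != $want;
}
```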
-grin-
j

From jay at jays.net  Thu Jul 14 19:13:55 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:13:55 -0500
Subject: [Omaha.pm] quick n dirty rand()
In-Reply-To: <20050610015003.GA6939@petdance.com>
References: <200506092303.j59N3Qnn025190@omares-email.omnihotels.com> <20050610015003.GA6939@petdance.com>

On Jun 09, 2005, at 20:50, Andy Lester wrote:
> On Thu, Jun 09, 2005 at 06:04:16PM -0500, Jay Hannah (jhannah at omnihotels.com) wrote:
>> Before
>>
>>     my $rand = int(rand(3))+1;
>>     my $imagename = "sean.jpg";
>>     $imagename = "jay.jpg" if ($rand == 2);
>>     $imagename = "airplane.jpg" if ($rand == 3);
>>
>> After
>>
>>     my $imagename = ("sean.jpg", "jay.jpg", "airplane.jpg")[(int rand 3)];
>
> Better yet:
>
>     my @images = qw( sean.jpg jay.jpg airplane.jpg );
>     my $random_image = $images[rand @images];

Thanks! We ended up putting this "in production":

    my $imagename = ("sean.jpg", "jay.jpg", "airplane.jpg")[(int rand 3)];

Grin,
j

From jay at jays.net  Thu Jul 14 19:38:57 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:38:57 -0500
Subject: [Omaha.pm] [pm_groups] Getting To Know You
In-Reply-To: <200507131804.43919.george@metaart.org>
References: <20050713103704.GA2293@buffy.mag-sol.com> <200507131804.43919.george@metaart.org>

> On Wednesday 13 July 2005 3:37 am, Dave Cross wrote:
>> Perl Mongers groups are (or, at least, should be) one of the most
>> public parts of the Perl community. I'm interested in hearing what
>> you do to
>>
>> * Encourage more people along to your meetings.

-snip!-

I'm threatening to make a little list of CS professors/instructors/whatever around town (or at least department heads) and send out a little "hey, we're here to help and we're a free resource for students if they're interested" sort of intro email...

Maybe I should

- Print up little fliers teachers could hand out if they wanted?
- Offer to take the profs out to lunch to introduce myself?

I dunno, I just want to do whatever to help anyone who's looking for some. I feel I owe the man who introduced me to Perl back in 1993 (I've been making a living with it ever since) and the Perl community at large, and want to help the next generation see what Perl can do. There's lots of language choices out there -- seems to me Perl should be in the list of options for young geeks getting started. If they see it and it's not for them, more power to them.

Wish me luck,
j
Omaha.pm

From jeremy at stuact.tamu.edu  Fri Jul 15 06:54:05 2005
From: jeremy at stuact.tamu.edu (Fluhmann, Jeremy)
Date: Fri, 15 Jul 2005 08:54:05 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
Message-ID: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>

Thanks for the reply. One of these days I think I'm going to leave the country, too. :)

Hooray! I now have an account on the pm.org server: http://brazosvalley.pm.org

I may have to do like you and talk to myself on the list (so far, I'm the only one on it).

Thanks again for the reply...

Jeremy

-----Original Message-----
From: omaha-pm-bounces at pm.org [mailto:omaha-pm-bounces at pm.org] On Behalf Of Jay Hannah
Sent: Thursday, July 14, 2005 8:51 PM
To: Perl Mongers of Omaha, Nebraska USA
Subject: Re: [Omaha.pm] http://perl.meetup.com - Omaha is #2!

Sorry for the month delay. Been out of country...

On Jun 20, 2005, at 10:56, Fluhmann, Jeremy wrote:
> Sadly, I'm the only one in the Meetup group. I was the organizer,
> but I guess after being inactive they took it away from me (even
> though I'm the only member). But it looks as if an organizer must pay
> a monthly subscription now. Is that correct?

That's too bad. Ya, Meetup wants money now. AFAICT 80+% of the Meetup groups are dead now. At least around Omaha anyway. Dunno what the actual statistic is.

Here @ Omaha Perl Mongers I talk to myself on this list occasionally and we have small monthly meetings, usually only missing one mtg a year. Rock stars, all.
-grin-

> I'm just waiting for support at pm.org to setup my web and MailMan
> account.

I don't see a group for you, and I don't see an open ticket. Did you read the FAQ?

    http://groups.pm.org/faq.html

If you send another email to that address it should open a ticket for you. (I'm an admin volunteer.)

Nice hearing from you! My last company (Viatel) (1) bought out a company in College Station, and then (2) promptly went bankrupt. Doh! (This was about 5/6 years ago.) Sorry about that... Small world. -grin-

j
_______________________________________________
Omaha-pm mailing list
Omaha-pm at pm.org
http://mail.pm.org/mailman/listinfo/omaha-pm

From jhannah at omnihotels.com  Fri Jul 15 07:46:25 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Fri, 15 Jul 2005 09:46:25 -0500
Subject: [Omaha.pm] xargs is kinda handy!
Message-ID: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>

xargs is kinda handy!

> ls *pm | xargs -n 1 perl -c
Common.pm syntax OK
RR2_1.pm syntax OK
SG5_1.pm syntax OK
SG5_2.pm syntax OK
SG5.pm syntax OK
SG6_1_1.pm syntax OK
SG6_1_2.pm syntax OK
SG6_1_3.pm syntax OK
SG6_1_4.pm syntax OK
SG6_1_5.pm syntax OK
SG6_1_6.pm syntax OK
SG6_1_7.pm syntax OK
SG6_1.pm syntax OK
SG6_2_1.pm syntax OK
SG6_2.pm syntax OK
SG6.pm syntax OK
SG.pm syntax OK
SI1.pm syntax OK
SI.pm syntax OK

Saved me from having to spend 2 minutes writing a Perl script there.

Grin,
j

From jduche at creighton.edu  Fri Jul 15 08:59:13 2005
From: jduche at creighton.edu (Virtual Joe)
Date: Fri, 15 Jul 2005 10:59:13 -0500 (CDT)
Subject: [Omaha.pm] xargs is kinda handy!
In-Reply-To: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>
References: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>

The "W" and "w" options are also useful when just trying to clean up code:

    ls *pl | xargs -n 1 perl -wc

    -c    check syntax only (runs BEGIN and CHECK blocks)
    -w    enable many useful warnings (RECOMMENDED)
    -W    enable all warnings

Although if you have a ton o' scripts it might be useful to pipe it into a file to look at when convenient.

Keep the tips coming! They're great.

On Fri, 15 Jul 2005, Jay Hannah wrote:
>
> xargs is kinda handy!
>
>> ls *pm | xargs -n 1 perl -c
> Common.pm syntax OK
> RR2_1.pm syntax OK
> SG5_1.pm syntax OK
> SG5_2.pm syntax OK
> SG5.pm syntax OK
> SG6_1_1.pm syntax OK
> SG6_1_2.pm syntax OK
> SG6_1_3.pm syntax OK
> SG6_1_4.pm syntax OK
> SG6_1_5.pm syntax OK
> SG6_1_6.pm syntax OK
> SG6_1_7.pm syntax OK
> SG6_1.pm syntax OK
> SG6_2_1.pm syntax OK
> SG6_2.pm syntax OK
> SG6.pm syntax OK
> SG.pm syntax OK
> SI1.pm syntax OK
> SI.pm syntax OK
>
> Saved me from having to spend 2 minutes writing a Perl script there.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Joe Ducharme
jduche at creighton.edu
"Time flies like an arrow. Fruit flies like a banana."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From jhannah at omnihotels.com  Fri Jul 15 13:00:27 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Fri, 15 Jul 2005 15:00:27 -0500
Subject: [Omaha.pm] Template Toolkit syntax choices, whitespace
Message-ID: <200507151959.j6FJxHic012064@omares-email.omnihotels.com>

Ever played with Template Toolkit? If you're accustomed to Perl 5 syntax, TT has multiple syntaxes to choose from, all different from Perl 5 syntax.
For instance, I just changed this TT code:

    [% FOREACH selection = options %]
      [% IF display_type == 'code' %]
        [% IF selection.code == default %]
        [% ELSE %]
        [% END %]
      [% ELSE %]
        [% IF selection.code == default OR q.param(selectname) == selection.code %]
        [% ELSE %]
        [% END %]
      [% END %]
    [% END %]

(The HTML output lines inside the IF/ELSE branches did not survive the archive.)

To this TT code:

    [%-
      selected = "";
      FOREACH selection = options;
        value = selection.desc;   # overridden below for 'code' displays
        IF display_type == 'code';
          value = selection.code;
          IF selection.code == default;
            selected = "selected";
          END;
        ELSE;
          IF selection.code == default OR q.param(selectname) == selection.code;
            selected = "selected";
          END;
        END;
        " \n";                    # the HTML in this string did not survive the archive
        selected = "";
      END;
    -%]

Those two snippets do almost the same thing. The primary difference is the first outputs tons of unintentional whitespace. In the second you don't have to use [% %] everywhere... (I tried fighting the whitespace with [%- -%] everywhere to no avail.)

After 2 weeks of full time TT, I think I'm starting to get pretty good at it. It does some really amazing things if you're building large, extremely modular websites. The book says it's good for other stuff too.

Looks like our total TT footprint is 15K lines of control code and 8K lines of TT templates... woof!

j

From jay at jays.net  Fri Jul 15 13:09:24 2005
From: jay at jays.net (Jay Hannah)
Date: Fri, 15 Jul 2005 15:09:24 -0500
Subject: [Omaha.pm] Getting To Know You
In-Reply-To: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net>
References: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net>
Message-ID: <211f04d585cbd4ac541f0107ecbb0a71@jays.net>

On Jul 15, 2005, at 10:03, Miller, Scott L (Omaha Networks) wrote:
> I'd be interested on being on your list of "resources".

I see the Omaha Perl Mongers, all of us, as the resource pool.

> I'd do perl from a non-web point of view and add 'how to design,
> implement, and troubleshoot simple to enterprise level networks'.

Each of us is experienced in our own niches, so hopefully we can help people across a wide range of subjects/needs/desires. Seems to me we should spread the word to the Omaha CS communities a little and see if any young'ins are interested.

Come to the Omaha Linux User Group InstallFest tomorrow! Always a good time!

    http://olug.org/

j

From jay at jays.net  Fri Jul 15 13:12:22 2005
From: jay at jays.net (Jay Hannah)
Date: Fri, 15 Jul 2005 15:12:22 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
In-Reply-To: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>
References: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>
Message-ID: <07dbe91585c1c1304f69adccd1a783e9@jays.net>

On Jul 15, 2005, at 8:54, Fluhmann, Jeremy wrote:
> I may have to do like you and talk to myself on the list (so far, I'm
> the only one on it).

I look at it as a healthy break from most evenings/weekends -- my wife talking to me nonstop. -grin-

She's not on this list, is she?

Laugh,
j

From brendonsmith at seacloud9.org  Fri Jul 15 14:32:11 2005
From: brendonsmith at seacloud9.org (brendonsmith@seacloud9.org)
Date: Fri, 15 Jul 2005 14:32:11 -0700
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!

You guys are welcome to use http://i-create.org forms. I have been working on creating a friends networking service. Check it out.

On Fri Jul 15 13:12 , Jay Hannah sent:
>On Jul 15, 2005, at 8:54, Fluhmann, Jeremy wrote:
>> I may have to do like you and talk to myself on the list (so far, I'm
>> the only one on it).
>
>I look at it as a healthy break from most evenings/weekends -- my wife
>talking to me nonstop. -grin-
>
>She's not on this list, is she?
>
>Laugh,
>
>j
>
>_______________________________________________
>Omaha-pm mailing list
>Omaha-pm at pm.org
>http://mail.pm.org/mailman/listinfo/omaha-pm
>

From dan at linder.org  Fri Jul 15 15:19:38 2005
From: dan at linder.org (Daniel Linder)
Date: Fri, 15 Jul 2005 17:19:38 -0500 (CDT)
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96> <9da3b778266b695064916628af8daaa3@jays.net> <4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>
Message-ID: <21908.24.252.28.96.1121465978.squirrel@24.252.28.96>

Dan Linder wrote:
>> The tests are:
>> 1: Length >= 6 characters
>> 2a: Contains number(s) (0-9)
>> 2b: Contains lowercase letter(s) (a-z)
>> 2c: Contains uppercase letter(s) (A-Z)
>> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>>
>> A password is good if it meets rule #1 and three of the four in #2.

Jay Hannah said:
> P.S. That's the MS Active Directory test set isn't it? I think that
> this thread has a cleaner set than what I wrote months ago -- I'll have
> to look at updating whatever it was I wrote way back when... -grin-

It's actually a made-up 'worst case' scenario for a general password checking section I was helping a co-worker work on. The system he was working in uses Perl on the back-end to do the check, but the regexp enabled control box is limited to one line long. I suppose I could try to put the code I came up with on one long line... :)

Dan

- - - - -
"Wait for that wisest of all counselors, time." -- Pericles
"I do not fear computers, I fear the lack of them." -- Isaac Asimov
GPG fingerprint:9EE8 ABAE 10D3 0B55 C536 E17A 3620 4DCA A533 19BF

From bwiese at cotse.com  Fri Jul 15 16:26:08 2005
From: bwiese at cotse.com (Brian Wiese)
Date: Fri, 15 Jul 2005 19:26:08 -0400
Subject: [Omaha.pm] Getting To Know You
In-Reply-To: <211f04d585cbd4ac541f0107ecbb0a71@jays.net>
References: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net> <211f04d585cbd4ac541f0107ecbb0a71@jays.net>
Message-ID: <42D84610.7010806@cotse.com>

Jay Hannah wrote:
>On Jul 15, 2005, at 10:03, Miller, Scott L (Omaha Networks) wrote:
>
>>I'd be interested on being on your list of "resources".
>>
>>I'd do perl from a non-web point of view and add 'how to design,
>>implement, and troubleshoot simple to enterprise level networks'.
>>

I've just gotten the bug to get into Perl again for networking, and am looking to purchase "Programming the Network in Perl" now (finally after dreaming about it for 2 years)

http://glasnost.itcarlow.ie/~barryp/index.html -- the author's class in Ireland I'd like to take
http://www.linuxjournal.com/article/6296 -- review

>Come to the Omaha Linux User Group InstallFest tomorrow! Always a good
>time!
>
> http://olug.org/
>

Of course I'd recommend that too. Hope everyone has fun! I should be back in Nebraska for the September meeting hopefully.

-- 
bwiese[at]cotse.com | brianwiese.net | 402.297.9392
"What we do in life echoes in eternity" - Gladiator

From jay at jays.net  Sat Jul 16 15:32:43 2005
From: jay at jays.net (Jay Hannah)
Date: Sat, 16 Jul 2005 17:32:43 -0500
Subject: [Omaha.pm] perldoc -l

Oh cool...

    $ perldoc -l CGI
    /System/Library/Perl/5.8.1/CGI.pm

Now I can stop doing recursive finds to find module X...
j

From jay at jays.net  Sun Jul 17 21:30:14 2005
From: jay at jays.net (Jay Hannah)
Date: Sun, 17 Jul 2005 23:30:14 -0500
Subject: [Omaha.pm] Mtg! Thr 7/21 7pm
Message-ID: <72412254be2d93cb0dd5f056a2a337d4@jays.net>

It's that time of month again!

Jay'll present misc Template Toolkit gadgets unless someone else has a topic request or wants to present something cool they've done lately.

    http://omaha.pm.org/

See you there!

j

From jhannah at omnihotels.com  Mon Jul 18 12:34:39 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Mon, 18 Jul 2005 14:34:39 -0500
Subject: [Omaha.pm] CGI.pm start_form() bug? I guess not...
In-Reply-To: <200507122106.j6CL6Mid015663@omares-email.omnihotels.com>
Message-ID: <200507181933.j6IJXRic027382@omares-email.omnihotels.com>

From: Kenn [mailto:kthompson at omnihotels.com]
> Isn't this (http://tinyurl.com/8yvs8) essentially saying you can both parse
> the query string AND read the form post vars?

Indeed. Good catch. It appears that that author and the author of CGI.pm disagree. Perhaps it is a CGI.pm bug after all? I'm too lazy to look and see what w3c.org has to say about mixing POST and querystrings...

j

From jhannah at omnihotels.com  Wed Jul 20 10:06:00 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Wed, 20 Jul 2005 12:06:00 -0500
Subject: [Omaha.pm] grep hack. better? worse? (faster?)
Message-ID: <200507201704.j6KH4Zic028411@omares-email.omnihotels.com>

Before

    my $sga = $o_ra->get_sga;
    if ($sga) {
        my $sga = join "|",@{$sga};
        $sga.="|";
        next if ($sga !~ /78/ and $o_sbc2->get_disp_line1 =~ /WEB SPECIAL/);
    }

After

    # @{ ... } is needed here: @$o_ra->get_sga would not dereference the
    # method's return value. "|| []" gives an empty list when get_sga
    # returns nothing.
    next if (
        $o_sbc2->get_disp_line1 =~ /WEB SPECIAL/
        and not grep { $_ eq "78" } @{ $o_ra->get_sga || [] }
    );

Not tested.
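The two checks from the post side by side, as an added example that is not from the original message: constructed code lists stand in for what $o_ra->get_sga returns, and the function names has_code_substring and has_code_exact are the example's own. It shows where the "before" substring match and the "after" exact match disagree.

```perl
#!/usr/bin/perl
# Added example, not code from the post. It contrasts the two ways the
# post checks for rate code "78": the "before" form (join the codes into
# one string and pattern-match it) and the "after" form (grep with an
# exact comparison). The code lists are constructed stand-ins for what
# $o_ra->get_sga would return.
use strict;
use warnings;

# "Before": join with "|" and look for the substring.
sub has_code_substring {
    my ($codes, $wanted) = @_;
    return 0 unless $codes;            # the post skipped the check when
                                       # get_sga returned nothing
    my $joined = join("|", @$codes) . "|";
    my $found  = $joined =~ /\Q$wanted\E/;
    return $found ? 1 : 0;
}

# "After": compare each element exactly. Note the @{ ... } block:
# @$ref->method would not dereference the method's return value.
sub has_code_exact {
    my ($codes, $wanted) = @_;
    return 0 unless $codes;
    my $found = grep { $_ eq $wanted } @$codes;
    return $found ? 1 : 0;
}

# Constructed cases: [ codes, substring verdict, exact verdict ].
my @cases = (
    [ [qw(12 78 90)], 1, 1 ],   # both find it
    [ [qw(178 780)],  1, 0 ],   # substring match is a false positive
    [ [qw(7 8)],      0, 0 ],   # the "|" separator keeps "7|8|" from matching
    [ undef,          0, 0 ],   # no codes at all
);

for my $c (@cases) {
    my ($codes, $want_sub, $want_exact) = @$c;
    my $label     = $codes ? "[@$codes]" : "undef";
    my $got_sub   = has_code_substring($codes, "78");
    my $got_exact = has_code_exact($codes, "78");
    printf "%-14s substring=%d exact=%d\n", $label, $got_sub, $got_exact;
    die "unexpected result for $label\n"
        if $got_sub != $want_sub or $got_exact != $want_exact;
}
```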
j

From jhannah at omnihotels.com  Thu Jul 21 15:10:49 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 21 Jul 2005 17:10:49 -0500
Subject: [Omaha.pm] best practice: podchecker
Message-ID: <200507212209.j6LM9aic031485@omares-email.omnihotels.com>

From: Andy Lester
> > If your work has a test suite with it, you can also use the standard
> > t/pod.t. Here's one from WWW::Mechanize:
> >
> > http://search.cpan.org/src/PETDANCE/WWW-Mechanize-1.13_01/t/pod.t

Sweet... After 30m correcting 30 some classes w/ POD glitches we now have another 1,404 tests in our test suite.

> perl -e 'use Test::Harness; undef $Test::Harness::switches; runtests(@ARGV)' t/pod.t
t/pod....ok
All tests successful.
Files=1, Tests=1404,  3 wallclock secs ( 2.46 cusr +  0.19 csys =  2.65 CPU)

Nothing like padding your test suite stats. -grin-

Probably helped my big pod2html dump on our Intranet too.

j

From andy at petdance.com  Thu Jul 21 15:15:39 2005
From: andy at petdance.com (Andy Lester)
Date: Thu, 21 Jul 2005 17:15:39 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <200507212209.j6LM9aic031485@omares-email.omnihotels.com>
References: <200507212209.j6LM9aic031485@omares-email.omnihotels.com>
Message-ID: <20050721221539.GB17650@petdance.com>

On Thu, Jul 21, 2005 at 05:10:49PM -0500, Jay Hannah (jhannah at omnihotels.com) wrote:
> > perl -e 'use Test::Harness; undef $Test::Harness::switches; runtests(@ARGV)' t/pod.t
> t/pod....ok
> All tests successful.
> Files=1, Tests=1404,  3 wallclock secs ( 2.46 cusr +  0.19 csys =  2.65 CPU)

You mean

    prove t/pod.t

> Nothing like padding your test suite stats. -grin-

It's hardly padding. POD is crucial.

-- 
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance

From jay at jays.net  Thu Jul 21 15:39:18 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 21 Jul 2005 17:39:18 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <20050721221539.GB17650@petdance.com>
References: <200507212209.j6LM9aic031485@omares-email.omnihotels.com> <20050721221539.GB17650@petdance.com>

On Jul 21, 2005, at 5:15 PM, Andy Lester wrote:
> On Thu, Jul 21, 2005 at 05:10:49PM -0500, Jay Hannah
> (jhannah at omnihotels.com) wrote:
>>> perl -e 'use Test::Harness; undef $Test::Harness::switches;
>>> runtests(@ARGV)' t/pod.t
>> t/pod....ok
>> All tests successful.
>> Files=1, Tests=1404,  3 wallclock secs ( 2.46 cusr +  0.19 csys =
>> 2.65 CPU)
>
> You mean
>
>     prove t/pod.t

What is that? I don't know anything about distributing Perl code, if that's a distribution thing. I've never prepared any Perl for CPAN or anything like that, it all just lives in CVS here and we do checkouts.

>> Nothing like padding your test suite stats. -grin-
>
> It's hardly padding. POD is crucial.

Sure, but only 474 of the 1404 "POD files" that Test::Pod detects actually have any POD in them.

j

From andy at petdance.com  Thu Jul 21 15:45:10 2005
From: andy at petdance.com (Andy Lester)
Date: Thu, 21 Jul 2005 17:45:10 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: 
References: <200507212209.j6LM9aic031485@omares-email.omnihotels.com> <20050721221539.GB17650@petdance.com>
Message-ID: <20050721224510.GD17650@petdance.com>

On Thu, Jul 21, 2005 at 05:39:18PM -0500, Jay Hannah (jay at jays.net) wrote:
> >     prove t/pod.t
>
> What is that?

Run "prove --help" and "prove --man", assuming you have a reasonably recent version of Test::Harness.

Then you can look at the slides for my lightning talk "Start Using Prove" at http://petdance.com/perl/use-prove-lt.pdf

> I don't know anything about distributing Perl code, if that's a
> distribution thing.
> I've never prepared any Perl for CPAN or anything
> like that, it all just lives in CVS here and we do checkouts.

Nope, prove very specifically does NOT need a makefile, and is meant exactly for situations like yours.

xoxo,
Andy

-- 
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance

From jay at jays.net  Thu Jul 21 16:14:09 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 21 Jul 2005 18:14:09 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <20050721224510.GD17650@petdance.com>
References: <200507212209.j6LM9aic031485@omares-email.omnihotels.com> <20050721221539.GB17650@petdance.com> <20050721224510.GD17650@petdance.com>
Message-ID: <08632c254b596f72e598cb7f2e07ffc2@jays.net>

On Jul 21, 2005, at 5:45 PM, Andy Lester wrote:
> Then you can look at the slides for my lightning talk "Start Using
> Prove" at http://petdance.com/perl/use-prove-lt.pdf

!!!

Before

    perl -e 'use Test::Harness; undef $Test::Harness::switches; runtests(@ARGV)' `find ./ -name "*.t"`

After

    prove -r .

Cool. Thanks!

j

From jhannah at omnihotels.com  Mon Jul 25 08:41:42 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Mon, 25 Jul 2005 10:41:42 -0500
Subject: [Omaha.pm] Spreadsheet::WriteExcel hack
Message-ID: <200507251540.j6PFeZic025458@omares-email.omnihotels.com>

Given a text file like this:

    ALERT 1003417647|2005-05-06 13:07:03| |AMELIA|PITDTN|
    ALERT 1003502312|2005-05-26 15:21:27| |BG|CLTDTN|

Separate the data into N new MS-Excel spreadsheets -- one per the value of column 4 ("PITDTN", etc.). So, you should end up with a PITDTN.xls Excel spreadsheet, a CLTDTN.xls spreadsheet, etc.

(In this case, using a reference for $row was silly and caused unnecessary debug time.)

j

    #!/usr/bin/perl
    use strict;
    use Spreadsheet::WriteExcel;

    my %xlss;
    open (IN, "alerts_only") or die "alerts_only: $!";
    while (<IN>) {
        # ALERT 1003417647|2005-05-06 13:07:03| |AMELIA|PITDTN|
        # ALERT 1003502312|2005-05-26 15:21:27| |BG|CLTDTN|
        chomp;
        s/^ALERT //;
        my @l = split /\|/;
        my $prop = $l[4];
        unless ($xlss{$prop}) {
            # $prop comes straight from the input file and becomes a filename.
            my $wkb = Spreadsheet::WriteExcel->new("$prop.xls");
            my $wks = $wkb->add_worksheet();
            $xlss{$prop}{wkb} = $wkb;
            $xlss{$prop}{wks} = $wks;
            my $row = 0;
            $xlss{$prop}{row} = \$row;
        }
        my $wkb = $xlss{$prop}{wkb};
        my $wks = $xlss{$prop}{wks};
        my $row = $xlss{$prop}{row};
        for (0..4) {
            $wks->write($$row, $_, $l[$_]);
        }
        $$row++;
    }
    close IN;
    foreach my $prop (keys %xlss) {
        $xlss{$prop}{wkb}->close;
    }

From jay at jays.net  Tue Jul 26 22:30:28 2005
From: jay at jays.net (Jay Hannah)
Date: Wed, 27 Jul 2005 00:30:28 -0500
Subject: [Omaha.pm] Fwd: [pm_admins] XML::LibXML choking on &oum;

This is cool stuff, so I have to log it into our archive :)

j

From: Robert Spier
Date: July 26, 2005 11:27:21 PM CDT
To: Jay Hannah
Cc: Perl Monger Admins
Subject: Re: [pm_admins] XML::LibXML choking on &oum;

> ./perl_mongers.xml:16445: parser error : Entity 'oum' not defined
> Michel Kr&oum;ll
> Thoughts? I'm going to take out whatever the fancy &oum; character is
> supposed to be. Doesn't seem to render in my web browser anyway...

That's not valid barebones XML. XML only declares 5 internal entities.

    http://www.xml.com/pub/a/98/08/xmlqna1.html#INTENT

HTML on the other hand, declares many:

    http://www.w3.org/TR/REC-html40/sgml/entities.html

&oum; could be declared as an external entity.. but let's not go there.

I'm guessing &oum; is a typo for the HTML &ouml; which in XML would be &#246;

-R

From jimbo at radiks.net  Wed Jul 27 19:42:28 2005
From: jimbo at radiks.net (Jim Lawless)
Date: Wed, 27 Jul 2005 21:42:28 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
Message-ID: <3.0.3.32.20050727214228.006ae7d0@radiks.net>

Good evening, all. I just joined and wanted to introduce myself.
Although I primarily use Java-oriented tools during the day, I've been a Perl programmer for just over 11 years. My biggest Perl claim-to-fame, was placing 2nd in one of The Perl Journal's Obfuscated Perl Coding contests: http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html The theory of operation of my entry can be found here: http://www.radiks.net/~jimbo/demented/obperl.htm For those who haven't nodded off to sleep whilst reading my first post, here's a more comprehensive list of items I've written that have appeared in prominent tech publications. ( Including the first CGI article in print in the pages of a DDJ special edition. Okay, there was another CGI article in the issue, but *ours* were the first ones in print. ) http://www.radiks.net/~jimbo/articles.htm I look forward to chatting with you all about "old" Perl, OO Perl, Perl 6 under Parrot, and some of the kooky CGI tricks I've done using Perl. ( A Perl CGI in ".zip" clothing, a web-page hit-counter that generates a GIF without using any LZW compression... ) I hope to meet some of you at upcoming meetings. Jim Lawless http://www.radiks.net/~jimbo $y=151502483; while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); } From jay at jays.net Wed Jul 27 20:20:20 2005 From: jay at jays.net (Jay Hannah) Date: Wed, 27 Jul 2005 22:20:20 -0500 Subject: [Omaha.pm] New to the Omaha.pm list... In-Reply-To: <3.0.3.32.20050727214228.006ae7d0@radiks.net> References: <3.0.3.32.20050727214228.006ae7d0@radiks.net> Message-ID: On Jul 27, 2005, at 9:42 PM, Jim Lawless wrote: > Good evening, all. I just joined and wanted to introduce myself. Nice to meet you! I hope you can make it out to some meetings -- you'd up our average attendance by 33% or so! -grin- (oh... you should add your bio to our wiki!) > Although I primarily use Java-oriented tools during the day, I've been > a Perl programmer for just over 11 years. I claim 1993 as my part-time Perl beginnings, but I took breaks in MS ASP and Informix 4GL. 
> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
> Journal's Obfuscated Perl Coding contests:
>
> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html

That's awesome! Congrats! How long did that take you? I love Felix's intro on that web site.

I've added you to our Past Events of Note list. We need all the Perl fame we can leech! -grin-

> ( Including the first
> CGI article in print in the pages of a DDJ special edition. Okay,
> there was another CGI article in the issue, but *ours* were the
> first ones in print. )
>
> http://www.radiks.net/~jimbo/articles.htm

Do you have a soft copy of the article?

> I look forward to chatting with you all about "old" Perl, OO Perl,
> Perl 6 under Parrot, and some of the kooky CGI tricks I've done
> using Perl. ( A Perl CGI in ".zip" clothing, a web-page hit-counter
> that generates a GIF without using any LZW compression... )

I don't like to call it "old Perl" when my boss asks. Wouldn't want him to think we've invested heavily in poor language selections. -grin- Of course we've got more OO Perl than you can shake a stick at nowadays, so maybe we'll slide.

Can you do a presentation for our next meeting? I'd love to hear an intro (demo?) of Perl 6 / Parrot, and have someone explain to me why a simple Perl hacker like me should care. Are you following the Perl 6 scalliwag at all? I haven't kept up this year.

> I hope to meet some of you at upcoming meetings.

Ditto! I'm buying @ SIG-BEER. I've heard it's good to bribe newcomers. -grin-

> $y=151502483;
> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }

Did you know there's actually a simpler way to write that? -poke-

Again, Welcome!

j

From jimbo at radiks.net Wed Jul 27 20:55:57 2005
From: jimbo at radiks.net (Jim Lawless)
Date: Wed, 27 Jul 2005 22:55:57 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
In-Reply-To:
References: <3.0.3.32.20050727214228.006ae7d0@radiks.net> <3.0.3.32.20050727214228.006ae7d0@radiks.net>
Message-ID: <3.0.3.32.20050727225557.006b9a3c@radiks.net>

At 10:20 PM 7/27/05 -0500, you wrote:
>> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
>> Journal's Obfuscated Perl Coding contests:

Oops. Actually, I was also a tech reviewer for Scott Mcmahan's Automating Windows with Perl book ( which was not a good book. ) Randal Schwartz was the other reviewer. It was nice to see my name next to his in the preface, even though the book wasn't very good.

>> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
>
>That's awesome! Congrats! How long did that take you? I love Felix's
>intro on that web site.

Not long. I had thought about it briefly during the announcement of the prior year's contest while on a plane. Since I missed that deadline for entry, I cobbled the new entry together and sent it off. ( I think I just barely made the deadline. )

>> ( Including the first
>> CGI article in print in the pages of a DDJ special edition.

>Do you have a soft copy of the article?

It's still owned by Dr. Dobbs Journal and appears on their DDJ compilation CD.

>Can you do a presentation for our next meeting?

I likely won't have time until next year ... but I'd certainly consider presenting something.

> I'd love to hear an intro (demo?) of Perl 6 / Parrot, and have
> someone explain to me why a simple Perl hacker like me should
> care. Are you following the Perl 6
>scalliwag at all?

I've only read the old Linux mag article on the subject. I'm intrigued with the parallel operations they're adding to the language. I'm not so enamored with the changes in accesses to arrays and hashes so that everything follows a notation similar to scalars.

I think Parrot may open more doors for embedded Perl ... ( as in palmtop phones and such ... ) ...but I'm not sure.
>> $y=151502483;
>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }

>Did you know there's actually a simpler way to write that? -poke-

It's been a while since I've plunged into the more esoteric depths of Perl, and I didn't want to put too much thought into the sig for my first post.

Jim Lawless
http://www.radiks.net/~jimbo

From jay at jays.net Wed Jul 27 21:02:22 2005
From: jay at jays.net (Jay Hannah)
Date: Wed, 27 Jul 2005 23:02:22 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
In-Reply-To: <3.0.3.32.20050727225557.006b9a3c@radiks.net>
References: <3.0.3.32.20050727214228.006ae7d0@radiks.net> <3.0.3.32.20050727214228.006ae7d0@radiks.net> <3.0.3.32.20050727225557.006b9a3c@radiks.net>
Message-ID:

On Jul 27, 2005, at 10:55 PM, Jim Lawless wrote:
>>> $y=151502483;
>>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
>>
>> Did you know there's actually a simpler way to write that? -poke-
>
> It's been a while since I've plunged into the more esoteric depths of
> Perl, and I didn't want to put too much thought into the sig for my
> first post.

I was jokingly referring to 'print "japh";'. Luckily my Perl is stronger than my comedy.

Grin,
j

From Scott.L.Miller at hp.com Thu Jul 28 06:26:28 2005
From: Scott.L.Miller at hp.com (Miller, Scott L (Omaha Networks))
Date: Thu, 28 Jul 2005 08:26:28 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
Message-ID: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E94F@omaexc11.americas.cpqcorp.net>

>>Can you do a presentation for our next meeting?

>I likely won't have time until next year ... but I'd certainly
>consider presenting something.

Really, there's usually very little reason to need to prepare much ahead of time. Most meetings are very small.

Having said that, I'm intrigued enough by what I've read so far to put forth the effort needed to get a pass out of the house to meet you at the next meeting. There might be others that have thought the same...
-Scott

-----Original Message-----
From: omaha-pm-bounces at pm.org [mailto:omaha-pm-bounces at pm.org] On Behalf Of Jim Lawless
Sent: Wednesday, July 27, 2005 10:56 PM
To: Perl Mongers of Omaha, Nebraska USA
Subject: Re: [Omaha.pm] New to the Omaha.pm list...

At 10:20 PM 7/27/05 -0500, you wrote:
>> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
>> Journal's Obfuscated Perl Coding contests:

Oops. Actually, I was also a tech reviewer for Scott Mcmahan's Automating Windows with Perl book ( which was not a good book. ) Randal Schwartz was the other reviewer. It was nice to see my name next to his in the preface, even though the book wasn't very good.

>> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
>
>That's awesome! Congrats! How long did that take you? I love Felix's
>intro on that web site.

Not long. I had thought about it briefly during the announcement of the prior year's contest while on a plane. Since I missed that deadline for entry, I cobbled the new entry together and sent it off. ( I think I just barely made the deadline. )

>> ( Including the first
>> CGI article in print in the pages of a DDJ special edition.

>Do you have a soft copy of the article?

It's still owned by Dr. Dobbs Journal and appears on their DDJ compilation CD.

>Can you do a presentation for our next meeting?

I likely won't have time until next year ... but I'd certainly consider presenting something.

> I'd love to hear an intro (demo?) of Perl 6 / Parrot, and have
> someone explain to me why a simple Perl hacker like me should
> care. Are you following the Perl 6
>scalliwag at all?

I've only read the old Linux mag article on the subject. I'm intrigued with the parallel operations they're adding to the language. I'm not so enamored with the changes in accesses to arrays and hashes so that everything follows a notation similar to scalars.

I think Parrot may open more doors for embedded Perl ... ( as in palmtop phones and such ... ) ...but I'm not sure.
>> $y=151502483;
>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }

>Did you know there's actually a simpler way to write that? -poke-

It's been a while since I've plunged into the more esoteric depths of Perl, and I didn't want to put too much thought into the sig for my first post.

Jim Lawless
http://www.radiks.net/~jimbo
_______________________________________________
Omaha-pm mailing list
Omaha-pm at pm.org
http://mail.pm.org/mailman/listinfo/omaha-pm

From jhannah at omnihotels.com Thu Jul 28 11:23:42 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 28 Jul 2005 13:23:42 -0500
Subject: [Omaha.pm] Dumb Questions
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02B98B7A@exchange2k3.omnihotels.net>
Message-ID: <200507281822.j6SIMIic024062@omares-email.omnihotels.com>

> Concerning scope...
>
> I'm confused about this:
>
> my($iR, $iC, $oWkS, $oWkC);
>
> foreach my $oWkS (@{$oBook->{Worksheet}}) {
>     for(my $iR = $oWkS->{MinRow} ; defined $oWkS->{MaxRow} &&
>         $iR <= $oWkS->{MaxRow} ; $iR++) {
>
>         ... blah ...
>
>
> If I understand this correctly, $iR gets created prior to
> entering the loop, and then gets ignored by the redefinition
> in the for loop. So, does this:
>
> my($iR, $iC, $oWkS, $oWkC);
>
> foreach $oWkS (@{$oBook->{Worksheet}}) {
>     for($iR = $oWkS->{MinRow} ; defined $oWkS->{MaxRow} &&
>         $iR <= $oWkS->{MaxRow} ; $iR++) {
>
>         ... blah ...
>
>
> do essentially the same thing, except not redefine, or is
> there a reason it's defined twice?

If $iR is not used anywhere after the foreach block, then you are exactly right. I think Perl "warnings" would bark at the original, warning about the (probably accidental) re-scoping of $iR.

You should always use warnings*.

perl -w scriptname.pl

or

#!/usr/bin/perl -w

or

use warnings;

HTH,
j

* obligatory ubiquitous recommendation

From jhannah at omnihotels.com Thu Jul 28 12:18:12 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 28 Jul 2005 14:18:12 -0500
Subject: [Omaha.pm] Thoughts?
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02B987AF@exchange2k3.omnihotels.net>
Message-ID: <200507281916.j6SJGlic015933@omares-email.omnihotels.com>

I like idea #2, activated when you *know* you're not going to do anything exploitable.

But I don't like the switch RawCGI=>1. I'd vote for the RARE use of:

my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);

In the constructor default Safe to 1 (on/true).

$Safe = 1 unless (defined $Safe);
if ($Safe) {
    foreach my $param ($q->param()) {
        # Strip out all wacky characters to prevent SQL injections
        ...etc...

$0.02,
j

> So, I ran into an issue using View::Web::Page and file
> uploads. Jay helped point me to a function of the class that
> "cleans" all the q->params() to stop sql attacks.
> Unfortunately, it also strips all the backslashes out of my
> filepath that IE pukes into the form-data (mozilla
> conveniently removes all but the filename in formposts)
> making it difficult to parse the filename.
>
> I figure there's 2 ways to address this without reducing the
> attack consideration:
>
> 1. Specifically ignore 'special' params :
>
> foreach my $param ($q->param()) {
>     # Strip out all wacky characters to prevent SQL injections
>     #
>     if ($param ne 'fileupload') {
>         my $value = $q->param($param);
>         $value =~ s/[`;'"\\]//g;
>         $q->delete($param);
>         $q->param($param,$value);
>         if ($param =~ /^(view|edit|update|delete|insert)__/) {
>             my @arr = split /__/, $param;
>             $pagemode = shift @arr;
>             $pagename = shift @arr;
>             $pageid = join('__', @arr);
>             last;
>         }
>     }
> }
>
> 2.
> instantiating it like this
>
> my $page = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
>
> and adding an if around this block of code
>
> if (!$RawCGI) {
>     foreach my $param ($q->param()) {
>         # Strip out all wacky characters to prevent SQL injections
>         #
>         my $value = $q->param($param);
>         $value =~ s/[`;'"\\]//g;
>         $q->delete($param);
>         $q->param($param,$value);
>         if ($param =~ /^(view|edit|update|delete|insert)__/) {
>             my @arr = split /__/, $param;
>             $pagemode = shift @arr;
>             $pagename = shift @arr;
>             $pageid = join('__', @arr);
>             last;
>         }
>     }
> }
>
> Thoughts?

From kthompson at omnihotels.com Fri Jul 29 13:41:48 2005
From: kthompson at omnihotels.com (Kenneth Thompson)
Date: Fri, 29 Jul 2005 15:41:48 -0500
Subject: [Omaha.pm] SQL Attack exception
Message-ID: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>

One problem with method 2 is that it's an all or nothing proposition. If you potentially have mixed fields (something that inputs to some SQL AND a file upload), you have to break your process into 2 steps.

Perhaps a compromise would be to pass in the fields you don't want checked/cleaned on instantiation?

my $page = new View::Web::Page(Globals=>$Globals,SafeList=>['File1', 'File2']);

in the constructor:

my ($self, %args) = @_;
my @SafeList = @{ $args{'SafeList'} || [] };
my (%Ignored, $param);
foreach $param (@SafeList) { $Ignored{$param} = 1 }

foreach my $param ($q->param()) {
    # Strip out all wacky characters to prevent SQL injections
    #
    next if $Ignored{$param};          # ignored - bail now
    my $value = $q->param($param);     # Not ignored.. clean me up Scotty
    $value =~ s/[`;'"\\]//g;
    $q->delete($param);
    ...etc...

-----Original Message-----
Message: 1
Date: Thu, 28 Jul 2005 14:18:12 -0500
From: "Jay Hannah"
Subject: Re: [Omaha.pm] Thoughts?
To:
Message-ID: <200507281916.j6SJGlic015933 at omares-email.omnihotels.com>
Content-Type: text/plain; charset="us-ascii"

I like idea #2, activated when you *know* you're not going to do anything exploitable.
But I don't like the switch RawCGI=>1. I'd vote for the RARE use of:

my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);

In the constructor default Safe to 1 (on/true).

$Safe = 1 unless (defined $Safe);
foreach my $param ($q->param()) {
    if ($Safe) {
        # Strip out all wacky characters to prevent SQL injections
        ...etc...

$0.02,
j

> So, I ran into an issue using View::Web::Page and file uploads. Jay
> helped point me to a function of the class that "cleans" all the
> q->params() to stop sql attacks.
> Unfortunately, it also strips all the backslashes out of my filepath
> that IE pukes into the form-data (mozilla conveniently removes all but
> the filename in formposts) making it difficult to parse the filename.
>
> I figure there's 2 ways to address this without reducing the
> attack consideration:
>
> 1. Specifically ignore 'special' params :
>
> foreach my $param ($q->param()) {
>     # Strip out all wacky characters to prevent SQL injections
>     #
>     if ($param ne 'fileupload') {
>         my $value = $q->param($param);
>         $value =~ s/[`;'"\\]//g;
>         $q->delete($param);
>         $q->param($param,$value);
>         if ($param =~ /^(view|edit|update|delete|insert)__/) {
>             my @arr = split /__/, $param;
>             $pagemode = shift @arr;
>             $pagename = shift @arr;
>             $pageid = join('__', @arr);
>             last;
>         }
>     }
> }
>
> 2. instantiating it like this
>
> my $page = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
>
> and adding an if around this block of code
>
> if (!$RawCGI) {
>     foreach my $param ($q->param()) {
>         # Strip out all wacky characters to prevent SQL injections
>         #
>         my $value = $q->param($param);
>         $value =~ s/[`;'"\\]//g;
>         $q->delete($param);
>         $q->param($param,$value);
>         if ($param =~ /^(view|edit|update|delete|insert)__/) {
>             my @arr = split /__/, $param;
>             $pagemode = shift @arr;
>             $pagename = shift @arr;
>             $pageid = join('__', @arr);
>             last;
>         }
>     }
> }
>
> Thoughts?
From andy at petdance.com Fri Jul 29 13:54:41 2005
From: andy at petdance.com (Andy Lester)
Date: Fri, 29 Jul 2005 15:54:41 -0500
Subject: [Omaha.pm] SQL Attack exception
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>
References: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>
Message-ID: <20050729205440.GD15014@petdance.com>

On Fri, Jul 29, 2005 at 03:41:48PM -0500, Kenneth Thompson (kthompson at omnihotels.com) wrote:
> foreach my $param ($q->param()) {
>     # Strip out all wacky characters to prevent SQL injections
>     #
>     next if $Ignored{$param};          # ignored - bail now
>     my $value = $q->param($param);     # Not ignored.. clean me up Scotty
>     $value =~ s/[`;'"\\]//g;
>     $q->delete($param);

Please don't do this. Please use bind variables.

my $sth = $dbh->prepare( "select * from users where foo=? and bar=?" );
$sth->execute( $foo, $bar );

The $foo matches up to the first ?, and $bar to the second. Then it doesn't matter WHAT you pass in as $foo or $bar because it's not interpolated into the SQL, and cannot possibly be executed.

--
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance
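The contrast Andy is drawing, as an added example that is not code from this thread or from View::Web::Page: it runs the thread's own s/[`;'"\\]//g cleaner and a DBI placeholder insert over the same two constructed values (a surname with an apostrophe, and the kind of Windows path Kenneth describes IE putting into a file-upload field), against an in-memory SQLite database. It assumes DBI and DBD::SQLite are installed; the table, column and variable names are made up for the example. It shows why the cleaner exists (a bare apostrophe breaks an interpolated statement), what the cleaner costs (both values come out mangled, which is exactly the backslash problem that started the thread), and that placeholders make both the SafeList and the RawCGI switch unnecessary for the SQL case.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes DBI + DBD::SQLite.
use strict;
use warnings;
use DBI;

# The sanitiser from the thread, lifted out into a function.
sub strip_wacky {
    my ($value) = @_;
    $value =~ s/[`;'"\\]//g;
    return $value;
}

# Constructed sample form input (not real data).
my %form = (
    name       => "O'Brien",
    fileupload => 'C:\Documents and Settings\kthompson\report.xls',
);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE uploads (name TEXT, path TEXT)');

# 1. Interpolating the raw value into the SQL text. The apostrophe in
#    O'Brien ends the string literal early and the statement fails to
#    parse; this is the failure the "cleaner" was written to avoid.
eval {
    $dbh->do("INSERT INTO uploads (name, path) "
           . "VALUES ('$form{name}', '$form{fileupload}')");
};
print "interpolated insert failed: ", ($@ ? "yes" : "no"), "\n";

# 2. Cleaning first. The statement would now parse, but the data is
#    wrong: the apostrophe and every backslash are gone.
my $clean_name = strip_wacky($form{name});        # OBrien
my $clean_path = strip_wacky($form{fileupload});  # C:Documents and Settingskthompsonreport.xls
print "after cleaning: name=$clean_name path=$clean_path\n";

# 3. Placeholders. The SQL text is fixed at prepare() time; execute()
#    hands each value to the driver separately, so it is stored exactly
#    as submitted and is never parsed as SQL.
my $sth = $dbh->prepare('INSERT INTO uploads (name, path) VALUES (?, ?)');
$sth->execute($form{name}, $form{fileupload});

for my $r (@{ $dbh->selectall_arrayref('SELECT name, path FROM uploads') }) {
    print "stored: name=$r->[0] path=$r->[1]\n";
}

# Lookups work the same way: the value is bound, not interpolated.
my ($count) = $dbh->selectrow_array(
    'SELECT count(*) FROM uploads WHERE name = ?', undef, $form{name});
print "rows for $form{name}: $count\n";
```

Run it with plain `perl` from the command line. The parameter-name dispatch in the thread (the `/^(view|edit|update|delete|insert)__/` check) is unaffected by this: it inspects names the application itself chose, and it can stay; what changes is that parameter values go to the database only through bind variables, so the cleaner no longer has to guess which characters are dangerous, and the upload path keeps its backslashes.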