\n";
---
Hitting it with this URL
http://razorbill/~jhannah/index.pl?x=blah
I was surprised by this output:
---
x is blah
I was surprised that parms.pl[1] does NOT receive/see param x set to blah.
As expected, though: given this form:
parms.pl will receive whatever you type into the textfield named x.
What I learned today: You can have all the parameters you want in the querystring of the 'action' of a form (method="POST"), but they will all be ignored. Pay them no heed...
Go figure! -grin-
j
[1] parms.pl source code (Dump all params to the screen (err... browser).)
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $q = CGI->new;
# Emit the HTTP header, then dump every parameter CGI.pm saw.
print $q->header,
"
Params you submitted:
";
foreach ($q->param) {
    print "$_: " . $q->param($_) . " \n";
}
From jay at jays.net Thu Jul 14 18:51:12 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 20:51:12 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
In-Reply-To: <297203B1AD107A438D2616D3A8E9B382E0FE32@DSAE2K.DSAD.AD.TAMU.EDU>
References: <297203B1AD107A438D2616D3A8E9B382E0FE32@DSAE2K.DSAD.AD.TAMU.EDU>
Message-ID: <6f45cc2179eddeee2b5bda9f4bc7639d@jays.net>
Sorry for the month delay. Been out of country...
On Jun 20, 2005, at 10:56, Fluhmann, Jeremy wrote:
> L? Sadly, I'm the only one in the Meetup group. I was the organizer,
> but I guess after being inactive they took it away from me (even
> though I'm the only member). But it looks as if an organizer must pay
> a monthly subscription now. Is that correct?
That's too bad. Ya, Meetup wants money now. AFAICT 80+% of the Meetup
groups are dead now. At least around Omaha anyway. Dunno what the
actual statistic is.
Here @ Omaha Perl Mongers I talk to myself on this list occasionally
and we have small monthly meetings, usually only missing one mtg a
year. Rock stars, all. -grin-
> I?m just waiting for support at pm.org to setup my web and MailMan
> account.
I don't see a group for you, and I don't see an open ticket. Did you
read the FAQ?
http://groups.pm.org/faq.html
If you send another email to that address it should open a ticket for
you. (I'm an admin volunteer.)
Nice hearing from you! My last company (Viatel) (1) bought out a
company in College Station, and then (2) promptly went bankrupt. Doh!
(This was about 5/6 years ago.) Sorry about that... Small world. -grin-
j
From jay at jays.net Thu Jul 14 19:10:14 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:10:14 -0500
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
Message-ID: <9da3b778266b695064916628af8daaa3@jays.net>
?? I was going through the archive and my Inbox and no one replied to
this? I thought I did? hmmm... oh well, take2? -grin-
On Jun 15, 2005, at 23:26, Daniel Linder wrote:
> I'm looking for a Perl one-liner regexp that will check a given
> password
> string to see if it meets a 'strength' requirement.
>
> The tests are:
> 1: Length >= 6 characters
> 2a: Contains number(s) (0-9)
> 2b: Contains lowercase letter(s) (a-z)
> 2c: Contains uppercase letter(s) (A-Z)
> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>
> A password is good if it meets rule #1 and three of the four in #2.
Wow. I don't think you'll get a one liner to do all that. Not a
readable one anyway.
> At first glance a check such as /[a-z]+[A-Z]+[0-9]+/ could be a start,
> but
> it requires that the order of the lower case characters be before any
> upper-case characters or numbers, plus it ignores the length
> requirement.
>
> I've pretty much given up on a one-liner and this is the closest I can
> come up with (ugly):
>
> #!/usr/bin/perl
>
> $PASSWD=shift;
>
> $LEN = length($PASSWD);
> printf ("LEN: $LEN\n");
>
> # tr/// has no [ ] or * syntax: written as tr/[0-9]*// those three
> # characters are counted as digits too, so the sets are written bare.
> $NumDigits = ($PASSWD =~ tr/0-9//);
> printf ("NumDigits: $NumDigits\n");
>
> $NumUpperCase = ($PASSWD =~ tr/A-Z//);
> printf ("NumUpperCase: $NumUpperCase\n");
>
> $NumLowerCase = ($PASSWD =~ tr/a-z//);
> printf ("NumLowerCase: $NumLowerCase\n");
>
> $NumSpecial = ($PASSWD =~
> tr/\!\@\#\$\%\^\&\*\(\)\_\+\-\=\{\}\[\]\\\|;\':\"\,\.\/\<\>\?\~\`//);
> printf ("NumSpecial: $NumSpecial\n");
>
> if ( ( $LEN >= 6 )
> and
> ( ($NumDigits?1:0) + ($NumUpperCase?1:0) + ($NumLowerCase?1:0) +
> ($NumSpecial?1:0) >= 3 )
> ) {
> printf ("Password \"%s\" passed.\n", $PASSWD);
> }
>
> Dan
Looks good to me! Maybe it could be cleaner? Something like this? (Not
tested.)
#!/usr/bin/perl
use strict;
use warnings;
$_ = shift;
my $points = 0;   # one point per character class present
$points++ if (/[0-9]/);
$points++ if (/[A-Z]/);
$points++ if (/[a-z]/);
$points++ if
(/[\!\@\#\$\%\^\&\*\(\)\_\+\-\=\{\}\[\]\\\|;\':\"\,\.\/\<\>\?\~\`]/);
die "Failed" unless (length($_) >=6 and $points >=3);
print "Yay! $_ passed!\n";
Good/bad? HTH,
j
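The thread's rule (length >= 6, at least three of the four character classes) as a reusable function, with a check of the one pitfall in the first script: tr/// has no bracket syntax, so a set written as tr/[0-9]*// also counts the characters [, ] and *, which lets a password like "[[[[[[" satisfy every class at once. This is an added example, not code from either poster; the inputs are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Packages the thread's rule as a
# function and shows why the character sets inside tr/// must not be
# written with [ ] and *: tr/// has no bracket syntax, so those three
# characters silently join the set being counted.
use strict;
use warnings;

# The symbol set from the thread, as a regex character class.
my $symbol_class = qr/[\!\@\#\$\%\^\&\*\(\)\_\+\-\=\{\}\[\]\\\|;\':\"\,\.\/\<\>\?\~\`]/;

# Returns 1 if the password meets the rule, 0 otherwise.
sub password_ok {
    my ($pw) = @_;
    return 0 unless length($pw) >= 6;
    my $classes = 0;
    $classes++ if $pw =~ /[0-9]/;
    $classes++ if $pw =~ /[a-z]/;
    $classes++ if $pw =~ /[A-Z]/;
    $classes++ if $pw =~ $symbol_class;
    return $classes >= 3 ? 1 : 0;
}

# Digit count the way the first script wrote it (the [ ] * are literal
# members of the set) next to the intended form. tr/// returns the number
# of characters matched; with an empty replacement list it changes nothing.
sub digits_bracketed { my ($pw) = @_; return $pw =~ tr/[0-9]*//; }
sub digits_plain     { my ($pw) = @_; return $pw =~ tr/0-9//; }

# Constructed inputs with the expected verdict.
my @cases = (
    ['abc',    0],   # too short
    ['abcdef', 0],   # one class only
    ['abcDEF', 0],   # two classes
    ['abcDE1', 1],   # three classes
    ['a1!B2@', 1],   # four classes
    ['[[[[[[', 0],   # symbols only; see the tr check below
);
for my $c (@cases) {
    my ($pw, $want) = @$c;
    my $got = password_ok($pw);
    printf "%-8s => %s\n", $pw, $got ? 'pass' : 'fail';
    die "unexpected result for $pw" unless $got == $want;
}

# "[[[[[[" contains no digit, yet tr/[0-9]*// reports six of them.
printf "digits in '[[[[[[': bracketed tr = %d, plain tr = %d\n",
    digits_bracketed('[[[[[['), digits_plain('[[[[[[');
die "tr check failed" unless digits_bracketed('[[[[[[') == 6
                         and digits_plain('[[[[[[') == 0;
```

The regex form is preferred over tr/// for the class tests because only presence matters, not the count, and a character class in a regex means what it looks like.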
From jay at jays.net Thu Jul 14 19:12:00 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:12:00 -0500
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <9da3b778266b695064916628af8daaa3@jays.net>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
<9da3b778266b695064916628af8daaa3@jays.net>
Message-ID: <4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>
> The tests are:
> 1: Length >= 6 characters
> 2a: Contains number(s) (0-9)
> 2b: Contains lowercase letter(s) (a-z)
> 2c: Contains uppercase letter(s) (A-Z)
> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>
> A password is good if it meets rule #1 and three of the four in #2.
P.S. That's the MS Active Directory test set isn't it? I think that
this thread has a cleaner set than what I wrote months ago -- I'll have
to look at updating whatever it was I wrote way back when... -grin-
j
From jay at jays.net Thu Jul 14 19:13:55 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:13:55 -0500
Subject: [Omaha.pm] quick n dirty rand()
In-Reply-To: <20050610015003.GA6939@petdance.com>
References: <200506092303.j59N3Qnn025190@omares-email.omnihotels.com>
<20050610015003.GA6939@petdance.com>
Message-ID:
On Jun 09, 2005, at 20:50, Andy Lester wrote:
> On Thu, Jun 09, 2005 at 06:04:16PM -0500, Jay Hannah
> (jhannah at omnihotels.com) wrote:
>> Before
>>
>> my $rand = int(rand(3))+1;
>> my $imagename = "sean.jpg";
>> $imagename = "jay.jpg" if ($rand == 2);
>> $imagename = "airplane.jpg" if ($rand == 3);
>>
>> After
>>
>> my $imagename = ("sean.jpg", "jay.jpg", "airplane.jpg")[(int rand
>> 3)];
>
> Better yet:
>
> my @images = qw( sean.jpg jay.jpg airplane.jpg );
> my $random_image = $images[rand @images];
Thanks! We ended up putting this "in production":
my $imagename = ("sean.jpg", "jay.jpg", "airplane.jpg")[(int rand 3)];
Grin,
j
From jay at jays.net Thu Jul 14 19:38:57 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 14 Jul 2005 21:38:57 -0500
Subject: [Omaha.pm] [pm_groups] Getting To Know You
In-Reply-To: <200507131804.43919.george@metaart.org>
References: <20050713103704.GA2293@buffy.mag-sol.com>
<200507131804.43919.george@metaart.org>
Message-ID:
> On Wednesday 13 July 2005 3:37 am, Dave Cross wrote:
>> Perl Mongers groups are (or, at least, should be) one of the most
>> public
>> parts of the Perl community. I'm interested in hearing what you do to
>>
>> * Encourage more people along to your meetings.
-snip!-
I'm threatening to make a little list of CS
professors/instructors/whatever around town (or at least department
heads) and send out a little "hey, we're here to help and we're a free
resource for students if they're interested" sort of intro email...
Maybe I should
- Print up little fliers teachers could hand out if they wanted?
- Offer to take the profs out to lunch to introduce myself?
I dunno, I just want to do whatever to help anyone who's looking for
some. I feel I owe the man who introduced me to Perl back in 1993 (I've
been making a living with it ever since) and the Perl community at
large, and want to help the next generation see what Perl can do.
There's lots of language choices out there -- seems to me Perl should
be in the list of options for young geeks getting started. If they see
it and it's not for them, more power to them.
Wish me luck,
j
Omaha.pm
From jeremy at stuact.tamu.edu Fri Jul 15 06:54:05 2005
From: jeremy at stuact.tamu.edu (Fluhmann, Jeremy)
Date: Fri, 15 Jul 2005 08:54:05 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
Message-ID: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>
Thanks for the reply. One of these days I think I'm going to leave the country, too. :)
Hooray! I now have an account on the pm.org server: http://brazosvalley.pm.org
I may have to do like you and talk to myself on the list (so far, I'm the only one on it).
Thanks again for the reply...
Jeremy
-----Original Message-----
From: omaha-pm-bounces at pm.org [mailto:omaha-pm-bounces at pm.org] On Behalf Of Jay Hannah
Sent: Thursday, July 14, 2005 8:51 PM
To: Perl Mongers of Omaha, Nebraska USA
Subject: Re: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
Sorry for the month delay. Been out of country...
On Jun 20, 2005, at 10:56, Fluhmann, Jeremy wrote:
> L? Sadly, I'm the only one in the Meetup group. I was the organizer,
> but I guess after being inactive they took it away from me (even
> though I'm the only member). But it looks as if an organizer must pay
> a monthly subscription now. Is that correct?
That's too bad. Ya, Meetup wants money now. AFAICT 80+% of the Meetup
groups are dead now. At least around Omaha anyway. Dunno what the
actual statistic is.
Here @ Omaha Perl Mongers I talk to myself on this list occasionally
and we have small monthly meetings, usually only missing one mtg a
year. Rock stars, all. -grin-
> I'm just waiting for support at pm.org to setup my web and MailMan
> account.
I don't see a group for you, and I don't see an open ticket. Did you
read the FAQ?
http://groups.pm.org/faq.html
If you send another email to that address it should open a ticket for
you. (I'm an admin volunteer.)
Nice hearing from you! My last company (Viatel) (1) bought out a
company in College Station, and then (2) promptly went bankrupt. Doh!
(This was about 5/6 years ago.) Sorry about that... Small world. -grin-
j
_______________________________________________
Omaha-pm mailing list
Omaha-pm at pm.org
http://mail.pm.org/mailman/listinfo/omaha-pm
From jhannah at omnihotels.com Fri Jul 15 07:46:25 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Fri, 15 Jul 2005 09:46:25 -0500
Subject: [Omaha.pm] xargs is kinda handy!
Message-ID: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>
xargs is kinda handy!
> ls *pm | xargs -n 1 perl -c
Common.pm syntax OK
RR2_1.pm syntax OK
SG5_1.pm syntax OK
SG5_2.pm syntax OK
SG5.pm syntax OK
SG6_1_1.pm syntax OK
SG6_1_2.pm syntax OK
SG6_1_3.pm syntax OK
SG6_1_4.pm syntax OK
SG6_1_5.pm syntax OK
SG6_1_6.pm syntax OK
SG6_1_7.pm syntax OK
SG6_1.pm syntax OK
SG6_2_1.pm syntax OK
SG6_2.pm syntax OK
SG6.pm syntax OK
SG.pm syntax OK
SI1.pm syntax OK
SI.pm syntax OK
Saved me from having to spend 2 minutes writing a Perl script there.
Grin,
j
From jduche at creighton.edu Fri Jul 15 08:59:13 2005
From: jduche at creighton.edu (Virtual Joe)
Date: Fri, 15 Jul 2005 10:59:13 -0500 (CDT)
Subject: [Omaha.pm] xargs is kinda handy!
In-Reply-To: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>
References: <200507151445.j6FEjEic012760@omares-email.omnihotels.com>
Message-ID:
The "W" and "w" options are also useful when just trying to clean up code:
ls *pl | xargs -n 1 perl -wc
-c check syntax only (runs BEGIN and CHECK blocks)
-w enable many useful warnings (RECOMMENDED)
-W enable all warnings
Although if you have a ton o' scripts it might be useful to pipe it
into a file to look at when convenient. Keep the tips coming! They're
great.
On Fri, 15 Jul 2005, Jay Hannah wrote:
>
> xargs is kinda handy!
>
>> ls *pm | xargs -n 1 perl -c
> Common.pm syntax OK
> RR2_1.pm syntax OK
> SG5_1.pm syntax OK
> SG5_2.pm syntax OK
> SG5.pm syntax OK
> SG6_1_1.pm syntax OK
> SG6_1_2.pm syntax OK
> SG6_1_3.pm syntax OK
> SG6_1_4.pm syntax OK
> SG6_1_5.pm syntax OK
> SG6_1_6.pm syntax OK
> SG6_1_7.pm syntax OK
> SG6_1.pm syntax OK
> SG6_2_1.pm syntax OK
> SG6_2.pm syntax OK
> SG6.pm syntax OK
> SG.pm syntax OK
> SI1.pm syntax OK
> SI.pm syntax OK
>
> Saved me from having to spend 2 minutes writing a Perl script there.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Joe Ducharme jduche at creighton.edu
"Time flies like an arrow. Fruit flies like a banana."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From jhannah at omnihotels.com Fri Jul 15 13:00:27 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Fri, 15 Jul 2005 15:00:27 -0500
Subject: [Omaha.pm] Template Toolkit syntax choices, whitespace
Message-ID: <200507151959.j6FJxHic012064@omares-email.omnihotels.com>
Ever played with Template Toolkit? If you're accustomed to Perl 5 syntax, TT has multiple syntaxes to choose from, all different from Perl 5 syntax.
For instance, I just changed this TT code:
[% FOREACH selection = options %]
[% IF display_type == 'code' %]
[% IF selection.code == default %]
[% ELSE %]
[% END %]
[% ELSE %]
[% IF selection.code == default OR q.param(selectname) == selection.code %]
[% ELSE %]
[% END %]
[% END %]
[% END %]
To this TT code:
[%-
selected = "";
value = selection.desc;
FOREACH selection = options;
IF display_type == 'code';
value = selection.code;
IF selection.code == default;
selected = "selected";
END;
ELSE;
IF selection.code == default OR q.param(selectname) == selection.code;
selected = "selected";
END;
END;
" \n";
selected = "";
END;
-%]
Those two snippets do almost the same thing. The primary difference is the first outputs tons of unintentional whitespace. In the second you don't have to use [% %] everywhere... (I tried fighting the whitespace with [%- -%] everywhere to no avail.)
After 2 weeks of full time TT, I think I'm starting to get pretty good at it. It does some really amazing things if you're building large, extremely modular websites. The book says it's good for other stuff too.
Looks like our total TT footprint is 15K lines of control code and 8K lines of TT templates... woof!
j
From jay at jays.net Fri Jul 15 13:09:24 2005
From: jay at jays.net (Jay Hannah)
Date: Fri, 15 Jul 2005 15:09:24 -0500
Subject: [Omaha.pm] Getting To Know You
In-Reply-To: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net>
References: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net>
Message-ID: <211f04d585cbd4ac541f0107ecbb0a71@jays.net>
On Jul 15, 2005, at 10:03, Miller, Scott L (Omaha Networks) wrote:
> I'd be interested on being on your list of "resources".
I see the Omaha Perl Mongers, all of us, as the resource pool.
> I'd do perl from a non-web point of view and add 'how to design,
> implement, and troubleshoot simple to enterprise level networks'.
Each of us is experienced in our own niches, so hopefully we can help
people across a wide range of subjects/needs/desires. Seems to me we
should spread the word to the Omaha CS communities a little and see if
any young'ins are interested.
Come to the Omaha Linux User Group InstallFest tomorrow! Always a good
time!
http://olug.org/
j
From jay at jays.net Fri Jul 15 13:12:22 2005
From: jay at jays.net (Jay Hannah)
Date: Fri, 15 Jul 2005 15:12:22 -0500
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
In-Reply-To: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>
References: <297203B1AD107A438D2616D3A8E9B382E0FE4D@DSAE2K.DSAD.AD.TAMU.EDU>
Message-ID: <07dbe91585c1c1304f69adccd1a783e9@jays.net>
On Jul 15, 2005, at 8:54, Fluhmann, Jeremy wrote:
> I may have to do like you and talk to myself on the list (so far, I'm
> the only one on it).
I look at it as a healthy break from most evenings/weekends -- my wife
talking to me nonstop. -grin-
She's not on this list, is she?
Laugh,
j
From brendonsmith at seacloud9.org Fri Jul 15 14:32:11 2005
From: brendonsmith at seacloud9.org (brendonsmith@seacloud9.org)
Date: Fri, 15 Jul 2005 14:32:11 -0700
Subject: [Omaha.pm] http://perl.meetup.com - Omaha is #2!
Message-ID:
You guys are welcome to use http://i-create.org forms. I have been working on
creating a friends networking service. Check it out.
On Fri Jul 15 13:12 , Jay Hannah sent:
>On Jul 15, 2005, at 8:54, Fluhmann, Jeremy wrote:
>> I may have to do like you and talk to myself on the list (so far, I'm
>> the only one on it).
>
>I look at it as a healthy break from most evenings/weekends -- my wife
>talking to me nonstop. -grin-
>
>She's not on this list, is she?
>
>Laugh,
>
>j
>
From dan at linder.org Fri Jul 15 15:19:38 2005
From: dan at linder.org (Daniel Linder)
Date: Fri, 15 Jul 2005 17:19:38 -0500 (CDT)
Subject: [Omaha.pm] One-liner regexp to check for password strength...
In-Reply-To: <4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>
References: <22962.24.252.28.96.1118895986.squirrel@24.252.28.96>
<9da3b778266b695064916628af8daaa3@jays.net>
<4fd2f4c7c4423e91bc476ed2f05f7edb@jays.net>
Message-ID: <21908.24.252.28.96.1121465978.squirrel@24.252.28.96>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dan Linder wrote:
>> The tests are:
>> 1: Length >= 6 characters
>> 2a: Contains number(s) (0-9)
>> 2b: Contains lowercase letter(s) (a-z)
>> 2c: Contains uppercase letter(s) (A-Z)
>> 2d: Contains symbol character(s) (!@#$%^&*()-=_+`~\|":;<>,.?/ ... etc)
>>
>> A password is good if it meets rule #1 and three of the four in #2.
Jay Hannah said:
> P.S. That's the MS Active Directory test set isn't it? I think that
> this thread has a cleaner set than what I wrote months ago -- I'll have
> to look at updating whatever it was I wrote way back when... -grin-
It's actually a made-up 'worst case' scenario for a general password
checking section I was helping a co-worker work on. The system he was
working in uses Perl on the back-end to do the check, but the regexp
enabled control box is limited to one line long. I suppose I could try to
put the code I came up with on one long line... :)
Dan
- - - - -
"Wait for that wisest of all counselors, time." -- Pericles
"I do not fear computer, I fear the lack of them." -- Isaac Asimov
GPG fingerprint:9EE8 ABAE 10D3 0B55 C536 E17A 3620 4DCA A533 19BF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFC2DZ6NiBNyqUzGb8RAsBcAJ9ygwI+/+8CRc96FtEracjjGKdg6gCfWMLy
8Jy/cW/n2xjK8WulWa4imMo=
=N8u3
-----END PGP SIGNATURE-----
From bwiese at cotse.com Fri Jul 15 16:26:08 2005
From: bwiese at cotse.com (Brian Wiese)
Date: Fri, 15 Jul 2005 19:26:08 -0400
Subject: [Omaha.pm] Getting To Know You
In-Reply-To: <211f04d585cbd4ac541f0107ecbb0a71@jays.net>
References: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E935@omaexc11.americas.cpqcorp.net>
<211f04d585cbd4ac541f0107ecbb0a71@jays.net>
Message-ID: <42D84610.7010806@cotse.com>
Jay Hannah wrote:
>On Jul 15, 2005, at 10:03, Miller, Scott L (Omaha Networks) wrote:
>
>
>>I'd be interested on being on your list of "resources".
>>
>>I'd do perl from a non-web point of view and add 'how to design,
>>implement, and troubleshoot simple to enterprise level networks'.
>>
>>
I've just gotten the bug to get into Perl again for networking, and am
looking to purchase "Programming the Network in Perl" now (finally after
dreaming about it for 2 years)
http://glasnost.itcarlow.ie/~barryp/index.html -- the author's class in
Ireland I'd like to take
http://www.linuxjournal.com/article/6296 -- review
>Come to the Omaha Linux User Group InstallFest tomorrow! Always a good
>time!
>
> http://olug.org/
>
Of course I'd recommend that too. Hope everyone has fun!
I should be back in Nebraska for the September meeting hopefully.
--
bwiese[at]cotse.com | brianwiese.net | 402.297.9392
"What we do in life echoes in eternity" - Gladiator
From jay at jays.net Sat Jul 16 15:32:43 2005
From: jay at jays.net (Jay Hannah)
Date: Sat, 16 Jul 2005 17:32:43 -0500
Subject: [Omaha.pm] perldoc -l
Message-ID:
Oh cool...
$ perldoc -l CGI
/System/Library/Perl/5.8.1/CGI.pm
Now I can stop doing recursive finds to find module X...
j
From jay at jays.net Sun Jul 17 21:30:14 2005
From: jay at jays.net (Jay Hannah)
Date: Sun, 17 Jul 2005 23:30:14 -0500
Subject: [Omaha.pm] Mtg! Thr 7/21 7pm
Message-ID: <72412254be2d93cb0dd5f056a2a337d4@jays.net>
It's that time of month again!
Jay'll present misc Template Toolkit gadgets unless someone else has a
topic request or wants to present something cool they've done lately.
http://omaha.pm.org/
See you there!
j
From jhannah at omnihotels.com Mon Jul 18 12:34:39 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Mon, 18 Jul 2005 14:34:39 -0500
Subject: [Omaha.pm] CGI.pm start_form() bug? I guess not...
In-Reply-To: <200507122106.j6CL6Mid015663@omares-email.omnihotels.com>
Message-ID: <200507181933.j6IJXRic027382@omares-email.omnihotels.com>
From: Kenn [mailto:kthompson at omnihotels.com]
> Isn't this (http://tinyurl.com/8yvs8) essentially saying you can both parse
> the query string AND read the form post vars?
Indeed. Good catch. It appears that that author and the author of CGI.pm disagree. Perhaps it is a CGI.pm bug after all? I'm too lazy to look and see what w3c.org has to say about mixing POST and querystrings...
j
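The behaviour from the start of this thread (query-string parameters on a POST form's action not showing up in param()) reproduced offline, as an added example that is not code from either post. It fakes the CGI environment so no web server is needed, and uses CGI.pm's documented url_param() method, which reads the query string regardless of request method. Assumes CGI.pm is installed (it left the Perl core with 5.22); the request values are constructed.

```perl
#!/usr/bin/perl
# Added example; not code from the posts. Reproduces a POST whose form
# action carried ?x=blah in the URL by faking the CGI environment, so it
# runs without a web server. Assumes CGI.pm is installed.
use strict;
use warnings;
use CGI;

# Constructed request: the query string carries x, the POST body only y.
my $body = "y=typed_into_form";
$ENV{REQUEST_METHOD} = 'POST';
$ENV{QUERY_STRING}   = 'x=blah';
$ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
$ENV{CONTENT_LENGTH} = length $body;
open(STDIN, '<', \$body) or die "cannot redirect STDIN: $!";

my $q = CGI->new;

# param() is fed from the POST body only, so x is absent here ...
my $x_param = $q->param('x');
# ... while url_param() reads the query string, POST or not.
my $x_url   = $q->url_param('x');
my $y_param = $q->param('y');

print "param('x')     = ", ($x_param // '<undef>'), "\n";   # <undef>
print "url_param('x') = ", ($x_url   // '<undef>'), "\n";   # blah
print "param('y')     = ", ($y_param // '<undef>'), "\n";   # typed_into_form

die "CGI.pm behaved unexpectedly"
    unless !defined $x_param && $x_url eq 'blah' && $y_param eq 'typed_into_form';
```

The practical point for anyone validating input in a CGI.pm handler: a value read with param() can only have come from the POST body, so a check on param('x') is unaffected by anything appended to the action URL; code that reads url_param() sees a separate source, and which of the two a given input is allowed to arrive through is a decision to make explicitly rather than by accident.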
From jhannah at omnihotels.com Wed Jul 20 10:06:00 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Wed, 20 Jul 2005 12:06:00 -0500
Subject: [Omaha.pm] grep hack. better? worse? (faster?)
Message-ID: <200507201704.j6KH4Zic028411@omares-email.omnihotels.com>
Before
my $sga = $o_ra->get_sga;
if ($sga) {
my $sga = join "|",@{$sga};
$sga.="|";
next if ($sga !~ /78/ and $o_sbc2->get_disp_line1 =~ /WEB SPECIAL/);
}
After
next if (
    $o_sbc2->get_disp_line1 =~ /WEB SPECIAL/
    and not grep { $_ eq "78" } @{ $o_ra->get_sga || [] }
);
Not tested.
j
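The two versions above are not quite equivalent: the regex /78/ against the joined string matches any code that merely contains "78" (such as "178"), while grep { $_ eq "78" } matches the exact code only. The following is an added example, not code from the post, with hypothetical stand-in classes for $o_ra and $o_sbc2 that only provide the two accessors the post calls; it runs both forms over constructed code lists and shows where they disagree.

```perl
#!/usr/bin/perl
# Added example, not from the post. Stand-in objects (hypothetical) with
# the two accessors the post calls, used to show where the "Before" and
# "After" versions disagree: the regex /78/ matches any code containing
# "78", while grep { $_ eq "78" } matches the exact code only.
use strict;
use warnings;

package RateAccess {            # hypothetical stand-in for $o_ra
    sub new     { my ($c, %a) = @_; my $self = { %a }; return bless $self, $c }
    sub get_sga { return $_[0]{sga} }   # arrayref of codes, or undef
}
package Sbc2 {                  # hypothetical stand-in for $o_sbc2
    sub new            { my ($c, %a) = @_; my $self = { %a }; return bless $self, $c }
    sub get_disp_line1 { return $_[0]{line1} }
}
package main;

# "Before": join the codes and look for the substring 78.
sub skip_before {
    my ($o_ra, $o_sbc2) = @_;
    my $sga = $o_ra->get_sga;
    return 0 unless $sga;                     # no codes at all: never skipped
    my $joined = join("|", @$sga) . "|";
    return ($joined !~ /78/ and $o_sbc2->get_disp_line1 =~ /WEB SPECIAL/) ? 1 : 0;
}

# "After": exact comparison, keeping the undef guard of the original.
sub skip_after {
    my ($o_ra, $o_sbc2) = @_;
    my $sga = $o_ra->get_sga or return 0;
    return ($o_sbc2->get_disp_line1 =~ /WEB SPECIAL/
            and not grep { $_ eq "78" } @$sga) ? 1 : 0;
}

my $web = Sbc2->new(line1 => 'WEB SPECIAL RATE');
my @cases = (
    # [description, constructed code list, expected before, expected after]
    ['exact code 78 present',    ['12', '78'], 0, 0],
    ['no 78 at all',             ['12', '34'], 1, 1],
    ['178 only (substring hit)', ['178'],      0, 1],
    ['no codes (undef)',         undef,        0, 0],
);
for my $c (@cases) {
    my ($desc, $sga, $want_before, $want_after) = @$c;
    my $ra = RateAccess->new(sga => $sga);
    my $before = skip_before($ra, $web);
    my $after  = skip_after($ra, $web);
    printf "%-28s before=%d after=%d\n", $desc, $before, $after;
    die "$desc: unexpected" unless $before == $want_before and $after == $want_after;
}
```

Only the "178" case differs, and it is the "After" form that does what the code reads as intending: a membership test on a code list should compare whole codes, not search a concatenated string, since the joined form also makes "7|8" style false positives possible with other separators.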
From jhannah at omnihotels.com Thu Jul 21 15:10:49 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 21 Jul 2005 17:10:49 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To:
Message-ID: <200507212209.j6LM9aic031485@omares-email.omnihotels.com>
From: Andy Lester
> > If your work has a test suite with it, you can also use the standard
> > t/pod.t. Here's one from WWW::Mechanize:
> >
> > http://search.cpan.org/src/PETDANCE/WWW-Mechanize-1.13_01/t/pod.t
Sweet... After 30m correcting 30 some classes w/ POD glitches we now have another 1,404 tests in our test suite.
> perl -e 'use Test::Harness; undef $Test::Harness::switches; runtests(@ARGV)' t/pod.t
t/pod....ok
All tests successful.
Files=1, Tests=1404, 3 wallclock secs ( 2.46 cusr + 0.19 csys = 2.65 CPU)
Nothing like padding your test suite stats. -grin-
Probably helped my big pod2html dump on our Intranet too.
j
From andy at petdance.com Thu Jul 21 15:15:39 2005
From: andy at petdance.com (Andy Lester)
Date: Thu, 21 Jul 2005 17:15:39 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <200507212209.j6LM9aic031485@omares-email.omnihotels.com>
References:
<200507212209.j6LM9aic031485@omares-email.omnihotels.com>
Message-ID: <20050721221539.GB17650@petdance.com>
On Thu, Jul 21, 2005 at 05:10:49PM -0500, Jay Hannah (jhannah at omnihotels.com) wrote:
> > perl -e 'use Test::Harness; undef $Test::Harness::switches; runtests(@ARGV)' t/pod.t
> t/pod....ok
> All tests successful.
> Files=1, Tests=1404, 3 wallclock secs ( 2.46 cusr + 0.19 csys = 2.65 CPU)
You mean
prove t/pod.t
> Nothing like padding your test suite stats. -grin-
It's hardly padding. POD is crucial.
--
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance
From jay at jays.net Thu Jul 21 15:39:18 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 21 Jul 2005 17:39:18 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <20050721221539.GB17650@petdance.com>
References:
<200507212209.j6LM9aic031485@omares-email.omnihotels.com>
<20050721221539.GB17650@petdance.com>
Message-ID:
On Jul 21, 2005, at 5:15 PM, Andy Lester wrote:
> On Thu, Jul 21, 2005 at 05:10:49PM -0500, Jay Hannah
> (jhannah at omnihotels.com) wrote:
>>> perl -e 'use Test::Harness; undef $Test::Harness::switches;
>>> runtests(@ARGV)' t/pod.t
>> t/pod....ok
>> All tests successful.
>> Files=1, Tests=1404, 3 wallclock secs ( 2.46 cusr + 0.19 csys =
>> 2.65 CPU)
>
> You mean
>
> prove t/pod.t
What is that?
I don't know anything about distributing Perl code, if that's a
distribution thing. I've never prepared any Perl for CPAN or anything
like that, it all just lives in CVS here and we do checkouts.
>> Nothing like padding your test suite stats. -grin-
>
> It's hardly padding. POD is crucial.
Sure, but only 474 of the 1404 "POD files" that Test::Pod detects
actually have any POD in them.
j
From andy at petdance.com Thu Jul 21 15:45:10 2005
From: andy at petdance.com (Andy Lester)
Date: Thu, 21 Jul 2005 17:45:10 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To:
References:
<200507212209.j6LM9aic031485@omares-email.omnihotels.com>
<20050721221539.GB17650@petdance.com>
Message-ID: <20050721224510.GD17650@petdance.com>
On Thu, Jul 21, 2005 at 05:39:18PM -0500, Jay Hannah (jay at jays.net) wrote:
> > prove t/pod.t
>
> What is that?
Run "prove --help" and "prove --man", assuming you have a reasonably
recent version of Test::Harness.
Then you can look at the slides for my lightning talk "Start Using Prove"
at http://petdance.com/perl/use-prove-lt.pdf
> I don't know anything about distributing Perl code, if that's a
> distribution thing. I've never prepared any Perl for CPAN or anything
> like that, it all just lives in CVS here and we do checkouts.
Nope, prove very specifically does NOT need a makefile, and is meant
exactly for situations like yours.
xoxo,
Andy
--
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance
From jay at jays.net Thu Jul 21 16:14:09 2005
From: jay at jays.net (Jay Hannah)
Date: Thu, 21 Jul 2005 18:14:09 -0500
Subject: [Omaha.pm] best practice: podchecker
In-Reply-To: <20050721224510.GD17650@petdance.com>
References:
<200507212209.j6LM9aic031485@omares-email.omnihotels.com>
<20050721221539.GB17650@petdance.com>
<20050721224510.GD17650@petdance.com>
Message-ID: <08632c254b596f72e598cb7f2e07ffc2@jays.net>
On Jul 21, 2005, at 5:45 PM, Andy Lester wrote:
> Then you can look at the slides for my lightning talk "Start Using
> Prove"
> at http://petdance.com/perl/use-prove-lt.pdf
!!!
Before
perl -e 'use Test::Harness; undef $Test::Harness::switches;
runtests(@ARGV)' `find ./ -name "*.t"`
After
prove -r .
Cool.
Thanks!
j
From jhannah at omnihotels.com Mon Jul 25 08:41:42 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Mon, 25 Jul 2005 10:41:42 -0500
Subject: [Omaha.pm] Spreadsheet::WriteExcel hack
Message-ID: <200507251540.j6PFeZic025458@omares-email.omnihotels.com>
Given a text file like this:
ALERT 1003417647|2005-05-06 13:07:03| |AMELIA|PITDTN|
ALERT 1003502312|2005-05-26 15:21:27| |BG|CLTDTN|
Separate the data into N new MS-Excel spreadsheets -- one per the value of column 4 ("PITDTN", etc.).
So, you should end up with a PITDTN.xls Excel spreadsheet, a CLTDTN.xls spreadsheet, etc.
(In this case, using a reference for $row was silly and caused unnecessary debug time.)
j
#!/usr/bin/perl
use strict;
use warnings;
use Spreadsheet::WriteExcel;
my %xlss;   # per-property workbook, worksheet and row counter
open (IN, '<', "alerts_only") or die "can't open alerts_only: $!";
while (<IN>) {
    # ALERT 1003417647|2005-05-06 13:07:03| |AMELIA|PITDTN|
    # ALERT 1003502312|2005-05-26 15:21:27| |BG|CLTDTN|
    chomp;
    s/^ALERT //;
    my @l = split /\|/;
    my $prop = $l[4];
    unless ($xlss{$prop}) {
        # First record for this property: create its workbook.
        my $wkb = Spreadsheet::WriteExcel->new("$prop.xls");
        my $wks = $wkb->add_worksheet();
        $xlss{$prop}{wkb} = $wkb;
        $xlss{$prop}{wks} = $wks;
        my $row = 0;
        $xlss{$prop}{row} = \$row;
    }
    my $wkb = $xlss{$prop}{wkb};
    my $wks = $xlss{$prop}{wks};
    my $row = $xlss{$prop}{row};   # reference to this property's row counter
    for (0..4) {
        $wks->write($$row, $_, $l[$_]);
    }
    $$row++;
}
close IN;
foreach my $prop (keys %xlss) {
    $xlss{$prop}{wkb}->close;
}
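The same split-by-column-4 job as an added example (not the post's script), with the two things a reviewer would ask for: the column value is checked before it becomes a file name (the script above uses it verbatim in "$prop.xls", so a record whose property field held something like "../etc" would name a file outside the directory), and the per-file state is a plain counter rather than a reference. It writes CSV instead of .xls so only core modules are needed, into a temporary directory; the input lines are constructed in the post's format.

```perl
#!/usr/bin/perl
# Added example, not the post's script. Splits records by column 4 into
# one file per property, validating the property code before it is used
# as a file name. Uses CSV and core modules only; output goes to a temp dir.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed input in the post's format, including one record whose
# column 4 would not be safe to use as a file name.
my @lines = (
    'ALERT 1003417647|2005-05-06 13:07:03| |AMELIA|PITDTN|',
    'ALERT 1003502312|2005-05-26 15:21:27| |BG|CLTDTN|',
    'ALERT 1003502399|2005-05-26 15:30:00| |BG|PITDTN|',
    'ALERT 1003502400|2005-05-26 15:31:00| |XX|../etc|',
);

# Writes one CSV per property into $dir, skipping records whose property
# code is not a short alphanumeric token. Returns { code => rows written }.
sub split_alerts {
    my ($dir, @records) = @_;
    my (%fh, %rows);
    for (@records) {
        chomp;
        s/^ALERT //;
        my @l = split /\|/;
        my $prop = $l[4];
        unless (defined $prop && $prop =~ /\A[A-Za-z0-9_]{1,32}\z/) {
            warn "skipping record with unsafe property code: '", ($prop // ''), "'\n";
            next;
        }
        unless ($fh{$prop}) {
            my $path = File::Spec->catfile($dir, "$prop.csv");
            open $fh{$prop}, '>', $path or die "cannot write $path: $!";
            $rows{$prop} = 0;
        }
        # Quote every field; a quote inside a field is doubled, per CSV convention.
        print {$fh{$prop}} join(',', map { my $f = $_; $f =~ s/"/""/g; qq("$f") } @l[0..4]), "\n";
        $rows{$prop}++;
    }
    close $_ or die "close failed: $!" for values %fh;
    return \%rows;
}

my $dir  = tempdir(CLEANUP => 1);
my $rows = split_alerts($dir, @lines);
for my $prop (sort keys %$rows) {
    print "$prop.csv: $rows->{$prop} row(s)\n";
}
die "unexpected counts"
    unless $rows->{PITDTN} == 2 && $rows->{CLTDTN} == 1 && !exists $rows->{'../etc'};
```

The allow-list regex is the important line: a file name built from a field in an input file is only as trustworthy as the file, and rejecting anything outside a known token shape is simpler than trying to strip path separators after the fact.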
From jay at jays.net Tue Jul 26 22:30:28 2005
From: jay at jays.net (Jay Hannah)
Date: Wed, 27 Jul 2005 00:30:28 -0500
Subject: [Omaha.pm] Fwd: [pm_admins] XML::LibXML choking on &oum;
Message-ID:
This is cool stuff, so I have to log it into our archive :)
j
From: Robert Spier
Date: July 26, 2005 11:27:21 PM CDT
To: Jay Hannah
Cc: Perl Monger Admins
Subject: Re: [pm_admins] XML::LibXML choking on &oum;
> ./perl_mongers.xml:16445: parser error : Entity 'oum' not defined
> Michel Kr&oum;ll
> Thoughts? I'm going to take out whatever the fancy &oum; character is
> supposed to be. Doesn't seem to render in my web browser anyway...
That's not valid barebones XML. XML only declares 5 internal
entities. http://www.xml.com/pub/a/98/08/xmlqna1.html#INTENT
HTML on the other hand, declares many:
http://www.w3.org/TR/REC-html40/sgml/entities.html
&oum; could be declared as an external entity.. but let's not go there.
I'm guessing &oum; is a typo for the HTML &ouml; which in XML would be
&#246;
-R
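The three spellings from this exchange fed to XML::LibXML, as an added example that is not part of the forwarded mail. The parser is also constructed with the options that stop it fetching external DTDs or expanding entities, which is how a parser should be set up for XML that arrives from outside: the "declare it as an external entity" route Robert mentions is exactly what those options close off. Assumes XML::LibXML is installed; the documents are constructed.

```perl
#!/usr/bin/perl
# Added example, not part of the forwarded mail. Assumes XML::LibXML is
# installed. Runs the thread's three spellings through a parser that does
# not load external DTDs, expand entities, or touch the network.
use strict;
use warnings;
use XML::LibXML;

binmode STDOUT, ':encoding(UTF-8)';

# Hardened parser settings for XML of external origin.
my $parser = XML::LibXML->new(
    load_ext_dtd    => 0,   # never fetch a DOCTYPE's external subset
    expand_entities => 0,   # leave entity references unexpanded
    no_network      => 1,   # no network access during parsing
);

# Returns the text of the root element, or the parser's error message.
sub name_from {
    my ($xml) = @_;
    my $doc = eval { $parser->parse_string($xml) };
    unless ($doc) {
        my $err = "$@";
        $err =~ s/\s+\z//;
        return "PARSE ERROR: $err";
    }
    return $doc->documentElement->textContent;
}

# Constructed documents: the typo, the HTML entity, the XML character reference.
my %cases = (
    'typo &oum;'  => '<name>Michel Kr&oum;ll</name>',
    'HTML &ouml;' => '<name>Michel Kr&ouml;ll</name>',
    'XML &#246;'  => '<name>Michel Kr&#246;ll</name>',
);
for my $label (sort keys %cases) {
    printf "%-12s -> %s\n", $label, name_from($cases{$label});
}

# Only the numeric character reference is valid XML without a DTD:
# &oum; and &ouml; both fail as undefined entities, &#246; yields U+00F6.
die "unexpected" unless name_from($cases{'XML &#246;'}) eq "Michel Kr\x{f6}ll"
                    and name_from($cases{'typo &oum;'})  =~ /PARSE ERROR/
                    and name_from($cases{'HTML &ouml;'}) =~ /PARSE ERROR/;
```

Numeric character references are resolved by the parser itself, so they keep working with entity expansion switched off; that makes &#246; (or the raw UTF-8 character) the right fix for the data file, rather than adding a DTD that defines &ouml;.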
From jimbo at radiks.net Wed Jul 27 19:42:28 2005
From: jimbo at radiks.net (Jim Lawless)
Date: Wed, 27 Jul 2005 21:42:28 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
Message-ID: <3.0.3.32.20050727214228.006ae7d0@radiks.net>
Good evening, all. I just joined and wanted to introduce myself.
Although I primarily use Java-oriented tools during the day, I've been
a Perl programmer for just over 11 years.
My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
Journal's Obfuscated Perl Coding contests:
http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
The theory of operation of my entry can be found here:
http://www.radiks.net/~jimbo/demented/obperl.htm
For those who haven't nodded off to sleep whilst reading my first
post, here's a more comprehensive list of items I've written that
have appeared in prominent tech publications. ( Including the first
CGI article in print in the pages of a DDJ special edition. Okay,
there was another CGI article in the issue, but *ours* were the
first ones in print. )
http://www.radiks.net/~jimbo/articles.htm
I look forward to chatting with you all about "old" Perl, OO Perl,
Perl 6 under Parrot, and some of the kooky CGI tricks I've done
using Perl. ( A Perl CGI in ".zip" clothing, a web-page hit-counter
that generates a GIF without using any LZW compression... )
I hope to meet some of you at upcoming meetings.
Jim Lawless
http://www.radiks.net/~jimbo
$y=151502483;
while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
From jay at jays.net Wed Jul 27 20:20:20 2005
From: jay at jays.net (Jay Hannah)
Date: Wed, 27 Jul 2005 22:20:20 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
In-Reply-To: <3.0.3.32.20050727214228.006ae7d0@radiks.net>
References: <3.0.3.32.20050727214228.006ae7d0@radiks.net>
Message-ID:
On Jul 27, 2005, at 9:42 PM, Jim Lawless wrote:
> Good evening, all. I just joined and wanted to introduce myself.
Nice to meet you! I hope you can make it out to some meetings -- you'd
up our average attendance by 33% or so! -grin-
(oh... you should add your bio to our wiki!)
> Although I primarily use Java-oriented tools during the day, I've been
> a Perl programmer for just over 11 years.
I claim 1993 as my part-time Perl beginnings, but I took breaks in MS
ASP and Informix 4GL.
> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
> Journal's Obfuscated Perl Coding contests:
>
> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
That's awesome! Congrats! How long did that take you? I love Felix's
intro on that web site.
I've added you to our Past Events of Note list. We need all the Perl
fame we can leech! -grin-
> ( Including the first
> CGI article in print in the pages of a DDJ special edition. Okay,
> there was another CGI article in the issue, but *ours* were the
> first ones in print. )
>
> http://www.radiks.net/~jimbo/articles.htm
Do you have a soft copy of the article?
> I look forward to chatting with you all about "old" Perl, OO Perl,
> Perl 6 under Parrot, and some of the kooky CGI tricks I've done
> using Perl. ( A Perl CGI in ".zip" clothing, a web-page hit-counter
> that generates a GIF without using any LZW compression... )
I don't like to call it "old Perl" when my boss asks. Wouldn't want him
to think we've invested heavily in poor language selections. -grin- Of
course we've got more OO Perl than you can shake a stick at nowadays,
so maybe we'll slide.
Can you do a presentation for our next meeting? I'd love to hear an
intro (demo?) of Perl 6 / Parrot, and have someone explain to me why a
simple Perl hacker like me should care. Are you following the Perl 6
scalliwag at all? I haven't kept up this year.
> I hope to meet some of you at upcoming meetings.
Ditto! I'm buying @ SIG-BEER. I've heard it's good to bribe newcomers.
-grin-
> $y=151502483;
> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
Did you know there's actually a simpler way to write that? -poke-
Again, Welcome!
j
From jimbo at radiks.net Wed Jul 27 20:55:57 2005
From: jimbo at radiks.net (Jim Lawless)
Date: Wed, 27 Jul 2005 22:55:57 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
In-Reply-To:
References: <3.0.3.32.20050727214228.006ae7d0@radiks.net>
<3.0.3.32.20050727214228.006ae7d0@radiks.net>
Message-ID: <3.0.3.32.20050727225557.006b9a3c@radiks.net>
At 10:20 PM 7/27/05 -0500, you wrote:
>> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
>> Journal's Obfuscated Perl Coding contests:
Oops. Actually, I was also a tech reviewer for Scott Mcmahan's
Automating Windows with Perl book ( which was not a good book. )
Randal Schwartz was the other reviewer. It was nice to see my
name next to his in the preface, even though the book wasn't
very good.
>> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
>
>That's awesome! Congrats! How long did that take you? I love Felix's
>intro on that web site.
Not long. I had thought about it briefly during the announcement of
the prior year's contest while on a plane. Since I missed that deadline
for entry, I cobbled the new entry together and sent it off. ( I think I
just barely made the deadline. )
>> ( Including the first
>> CGI article in print in the pages of a DDJ special edition.
>Do you have a soft copy of the article?
It's still owned by Dr. Dobbs Journal and appears on their
DDJ compilation CD.
>Can you do a presentation for our next meeting?
I likely won't have time until next year ... but I'd certainly
consider presenting something.
> I'd love to hear an intro (demo?) of Perl 6 / Parrot, and have
> someone explain to me why a simple Perl hacker like me should
> care. Are you following the Perl 6
>scalliwag at all?
I've only read the old Linux mag article on the subject. I'm intrigued
with the parallel operations they're adding to the language. I'm not
so enamored with the changes in accesses to arrays and hashes
so that everything follows a notation similar to scalars. I think Parrot
may open more doors for embedded Perl ... ( as in palmtop phones
and such ... ) ...but I'm not sure.
>> $y=151502483;
>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
>Did you know there's actually a simpler way to write that? -poke-
It's been a while since I've plunged into the more esoteric depths of
Perl, and I didn't want to put too much thought into the sig for my
first post.
Jim Lawless
http://www.radiks.net/~jimbo
From jay at jays.net Wed Jul 27 21:02:22 2005
From: jay at jays.net (Jay Hannah)
Date: Wed, 27 Jul 2005 23:02:22 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
In-Reply-To: <3.0.3.32.20050727225557.006b9a3c@radiks.net>
References: <3.0.3.32.20050727214228.006ae7d0@radiks.net>
<3.0.3.32.20050727214228.006ae7d0@radiks.net>
<3.0.3.32.20050727225557.006b9a3c@radiks.net>
Message-ID:
On Jul 27, 2005, at 10:55 PM, Jim Lawless wrote:
>>> $y=151502483;
>>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
>>
>> Did you know there's actually a simpler way to write that? -poke-
>
> It's been a while since I've plunged into the more esoteric depths of
> Perl, and I didn't want to put too much thought into the sig for my
> first post.
I was jokingly referring to 'print "japh";'. Luckily my Perl is
stronger than my comedy.
Grin,
j
From Scott.L.Miller at hp.com Thu Jul 28 06:26:28 2005
From: Scott.L.Miller at hp.com (Miller, Scott L (Omaha Networks))
Date: Thu, 28 Jul 2005 08:26:28 -0500
Subject: [Omaha.pm] New to the Omaha.pm list...
Message-ID: <1F7C0C8F4BD7C54A8BC55012FEF3DF6D0302E94F@omaexc11.americas.cpqcorp.net>
>>Can you do a presentation for our next meeting?
>I likely won't have time until next year ... but I'd certainly
>consider presenting something.
Really, there's usually very little reason to need to prepare much ahead
of time. Most meetings are very small.
Having said that I'm intrigued enough by what I've read so far to put
forth the effort needed to get a pass out of the house to meet you at
the next meeting. There might be others that have thought the
same...
-Scott
-----Original Message-----
From: omaha-pm-bounces at pm.org [mailto:omaha-pm-bounces at pm.org] On Behalf
Of Jim Lawless
Sent: Wednesday, July 27, 2005 10:56 PM
To: Perl Mongers of Omaha, Nebraska USA
Subject: Re: [Omaha.pm] New to the Omaha.pm list...
At 10:20 PM 7/27/05 -0500, you wrote:
>> My biggest Perl claim-to-fame, was placing 2nd in one of The Perl
>> Journal's Obfuscated Perl Coding contests:
Oops. Actually, I was also a tech reviewer for Scott Mcmahan's
Automating Windows with Perl book ( which was not a good book. )
Randal Schwartz was the other reviewer. It was nice to see my
name next to his in the preface, even though the book wasn't
very good.
>> http://www.foo.be/docs/tpj/issues/vol2_3/tpj0203-0012.html
>
>That's awesome! Congrats! How long did that take you? I love Felix's
>intro on that web site.
Not long. I had thought about it briefly during the announcement of
the prior year's contest while on a plane. Since I missed that deadline
for entry, I cobbled the new entry together and sent it off. ( I think I
just barely made the deadline. )
>> ( Including the first
>> CGI article in print in the pages of a DDJ special edition.
>Do you have a soft copy of the article?
It's still owned by Dr. Dobbs Journal and appears on their
DDJ compilation CD.
>Can you do a presentation for our next meeting?
I likely won't have time until next year ... but I'd certainly
consider presenting something.
> I'd love to hear an intro (demo?) of Perl 6 / Parrot, and have
> someone explain to me why a simple Perl hacker like me should
> care. Are you following the Perl 6
>scalliwag at all?
I've only read the old Linux mag article on the subject. I'm intrigued
with the parallel operations they're adding to the language. I'm not
so enamored with the changes in accesses to arrays and hashes
so that everything follows a notation similar to scalars. I think Parrot
may open more doors for embedded Perl ... ( as in palmtop phones
and such ... ) ...but I'm not sure.
>> $y=151502483;
>> while($x=$y%113) { print sprintf("%c",$x); $y=int($y/113); }
>Did you know there's actually a simpler way to write that? -poke-
It's been a while since I've plunged into the more esoteric depths of
Perl, and I didn't want to put too much thought into the sig for my
first post.
Jim Lawless
http://www.radiks.net/~jimbo
_______________________________________________
Omaha-pm mailing list
Omaha-pm at pm.org
http://mail.pm.org/mailman/listinfo/omaha-pm
From jhannah at omnihotels.com Thu Jul 28 11:23:42 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 28 Jul 2005 13:23:42 -0500
Subject: [Omaha.pm] Dumb Questions
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02B98B7A@exchange2k3.omnihotels.net>
Message-ID: <200507281822.j6SIMIic024062@omares-email.omnihotels.com>
> Concerning scope...
>
> I'm confused about this:
>
> my($iR, $iC, $oWkS, $oWkC);
>
> foreach my $oWkS (@{$oBook->{Worksheet}}) {
> for(my $iR = $oWkS->{MinRow} ; defined $oWkS->{MaxRow} &&
> $iR <= $oWkS->{MaxRow} ; $iR++) {
>
> ... blah ...
>
>
> If I understand this correctly, $iR gets created prior to
> entering the loop, and then gets ignored by the redefinition
> in the for loop. So, does this:
>
> my($iR, $iC, $oWkS, $oWkC);
>
> foreach $oWkS (@{$oBook->{Worksheet}}) {
> for($iR = $oWkS->{MinRow} ; defined $oWkS->{MaxRow} &&
> $iR <= $oWkS->{MaxRow} ; $iR++) {
>
> ... blah ...
>
>
> do essentially the same thing, except not redefine, or is
> there a reason it's defined twice?
If $iR is not used anywhere after the foreach block, then you are exactly right.
I think Perl "warnings" would bark at the original, warning about the (probably accidental) re-scoping of $iR.
You should always use warnings*.
perl -w scriptname.pl
or
#!/usr/bin/perl -w
or
use warnings;
HTH,
j
* obligatory ubiquitous recommendation
From jhannah at omnihotels.com Thu Jul 28 12:18:12 2005
From: jhannah at omnihotels.com (Jay Hannah)
Date: Thu, 28 Jul 2005 14:18:12 -0500
Subject: [Omaha.pm] Thoughts?
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02B987AF@exchange2k3.omnihotels.net>
Message-ID: <200507281916.j6SJGlic015933@omares-email.omnihotels.com>
I like idea #2, activated when you *know* you're not going to do anything exploitable.
But I don't like the switch RawCGI=>1.
I'd vote for the RARE use of:
my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);
In the constructor default Safe to 1 (on/true).
$Safe = 1 unless (defined $Safe);
if ($Safe) {
foreach my $param ($q->param()) {
# Strip out all wacky characters to prevent SQL injections
...etc...
$0.02,
j
> So, I ran into an issue using View::Web::Page and file
> uploads. Jay helped point me to a function of the class that
> "cleans" all the q->params() to stop sql attacks.
> Unfortunately, it also strips all the backslashes out of my
> filepath that IE pukes into the form-data (mozilla
> conveniently removes all but the filename in formposts)
> making it difficult to parse the filename.
>
>
>
> I figure there's 2 ways to address this without reducing the
> attack consideration:
>
>
>
> 1. Specifically ignore 'special' params :
> foreach my $param ($q->param()) {
>
> # Strip out all wacky characters to prevent SQL injections
> #
> if ($param ne 'fileupload') {
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
>
>
> 2. instantiating it like this
>
> my $page = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
>
> and adding an if around this block of code
>
> if (!$RawCGI) {
> foreach my $param ($q->param()) {
> # Strip out all wacky characters to prevent SQL injections
> #
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
>
> Thoughts?
From kthompson at omnihotels.com Fri Jul 29 13:41:48 2005
From: kthompson at omnihotels.com (Kenneth Thompson)
Date: Fri, 29 Jul 2005 15:41:48 -0500
Subject: [Omaha.pm] SQL Attack exception
Message-ID: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>
One problem with method 2 is that it's an all or nothing proposition. If
you potentially have mixed fields (something that inputs to some SQL AND
a file upload), you have to break your process into 2 steps.
Perhaps a compromise would be to pass in the fields you don't want
checked/cleaned on instantiation?
my $page = new View::Web::Page(Globals=>$Globals,SafeList=>['File1',
'File2']);
in the constructor:
my ($self, %args) = @_;
# SafeList arrives as an array ref; default to an empty list if it's absent
my @SafeList = @{ $args{'SafeList'} || [] };
my %Ignored;
foreach my $param (@SafeList) { $Ignored{$param} = 1 }
foreach my $param ($q->param()) {
# Strip out all wacky characters to prevent SQL injections
#
next if $Ignored{$param}; # ignored - bail now
my $value = $q->param($param); # Not ignored.. clean me up Scotty
$value =~ s/[`;'"\\]//g;
$q->delete($param);
...etc...
-----Original Message-----
Message: 1
Date: Thu, 28 Jul 2005 14:18:12 -0500
From: "Jay Hannah"
Subject: Re: [Omaha.pm] Thoughts?
To:
Message-ID: <200507281916.j6SJGlic015933 at omares-email.omnihotels.com>
Content-Type: text/plain; charset="us-ascii"
I like idea #2, activated when you *know* you're not going to do
anything exploitable.
But I don't like the switch RawCGI=>1.
I'd vote for the RARE use of:
my $page = new View::Web::Page(Globals=>$Globals,Safe=>0);
In the constructor default Safe to 1 (on/true).
$Safe = 1 unless (defined $Safe);
foreach my $param ($q->param()) {
if ($Safe) { # Strip out all wacky characters to prevent SQL injections
...etc...
$0.02,
j
> So, I ran into an issue using View::Web::Page and file uploads. Jay
> helped point me to a function of the class that "cleans" all the
> q->params() to stop sql attacks.
> Unfortunately, it also strips all the backslashes out of my filepath
> that IE pukes into the form-data (mozilla conveniently removes all but
> the filename in formposts) making it difficult to parse the filename.
>
>
>
> I figure there's 2 ways to address this without reducing the
> attack consideration:
>
>
>
> 1. Specifically ignore 'special' params :
> foreach my $param ($q->param()) {
>
> # Strip out all wacky characters to prevent SQL injections
> #
> if ($param ne 'fileupload') {
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
>
>
> 2. instantiating it like this
>
> my $page = new View::Web::Page(Globals=>$Globals,RawCGI=>1);
>
> and adding an if around this block of code
>
> if (!$RawCGI) {
> foreach my $param ($q->param()) {
> # Strip out all wacky characters to prevent SQL injections
> #
> my $value = $q->param($param);
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
> $q->param($param,$value);
> if ($param =~ /^(view|edit|update|delete|insert)__/) {
> my @arr = split /__/, $param;
> $pagemode = shift @arr;
> $pagename = shift @arr;
> $pageid = join('__', @arr);
> last;
> }
> }
> }
>
>
> Thoughts?
From andy at petdance.com Fri Jul 29 13:54:41 2005
From: andy at petdance.com (Andy Lester)
Date: Fri, 29 Jul 2005 15:54:41 -0500
Subject: [Omaha.pm] SQL Attack exception
In-Reply-To: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>
References: <29AB736ABCE5C745ABF9C93B02F2C27B02BDB440@exchange2k3.omnihotels.net>
Message-ID: <20050729205440.GD15014@petdance.com>
On Fri, Jul 29, 2005 at 03:41:48PM -0500, Kenneth Thompson (kthompson at omnihotels.com) wrote:
> foreach my $param ($q->param()) {
> # Strip out all wacky characters to prevent SQL injections
> #
> next ($IgnoreParms{$param}); #ignored - bail now
> my $value = $q->param($param); #Not ignored.. clean me up Scotty
> $value =~ s/[`;'"\\]//g;
> $q->delete($param);
Please don't do this. Please use bind variables.
my $sth = $dbh->prepare( "select * from users where foo=? and bar=?" );
$sth->execute( $foo, $bar );
The $foo matches up to the first ?, and $bar to the second. Then it
doesn't matter WHAT you pass in as $foo or $bar because it's not
interpolated into the SQL, and cannot possibly be executed.
--
Andy Lester => andy at petdance.com => www.petdance.com => AIM:petdance
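The two approaches from this thread side by side, as an added example that is not code from the list or from View::Web::Page. It assumes DBI with DBD::SQLite is installed; the form values and the `uploads` table are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample inputs, as a browser might POST them. The Windows
# path is the IE case from the thread; the surname is ordinary data that
# happens to contain a quote character.
my %form = (
    fileupload => 'C:\Documents\report.txt',
    surname    => "O'Brien",
);

# The character-stripping approach discussed above: the same regex the
# View::Web::Page cleaner was quoted as using.
sub strip_wacky {
    my ($value) = @_;
    $value =~ s/[`;'"\\]//g;
    return $value;
}

# The bind-variable approach: values are passed to execute(), so they
# never become part of the SQL text and cannot change its structure.
sub insert_with_placeholders {
    my ($dbh, $surname, $path) = @_;
    my $sth = $dbh->prepare(
        'INSERT INTO uploads (surname, path) VALUES (?, ?)');
    $sth->execute($surname, $path);
}

# The thread's actual goal: the last path component of whatever the
# browser sent (IE sends a full Windows path, Mozilla only the name).
sub upload_basename {
    my ($path) = @_;
    return (split m{[\\/]}, $path)[-1];
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE uploads (surname TEXT, path TEXT)');

# 1. Stripping mangles legitimate data: "OBrien" and "C:Documentsreport.txt",
#    and the backslashes needed to find the filename are gone.
printf "stripped: %s / %s\n",
    strip_wacky($form{surname}), strip_wacky($form{fileupload});

# 2. Binding stores both values byte-for-byte; the quote in the surname is
#    just data, and the path can still be split on its separators.
insert_with_placeholders($dbh, $form{surname}, $form{fileupload});
my ($surname, $path) =
    $dbh->selectrow_array('SELECT surname, path FROM uploads');
printf "bound: %s / %s (file: %s)\n",
    $surname, $path, upload_basename($path);
```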