Phoenix.pm: Parameter parser

David A. Sinck phx-pm-list at grueslayer.com
Wed Nov 27 07:49:08 CST 2002



_ SMTP quoth phaedrus at illogics.org on 11/26/2002 12:42 as having spake thusly:
_
_ I decided that CGI was entirely too large at 6695 lines, so I
_ decided to rewrite it, or at least the parts of it that I actually use:
_ 
_ my $in = $ENV{QUERY_STRING}||''; $in.='&'; read(STDIN, $in, $ENV{CONTENT_LENGTH}||0, length($in));
_ map { $nam='word';s{^([a-z]+)=}{$nam=$1;''}e; tr/+/ /; s/%(..)/pack('c',hex($1))/ge; $$nam=$_; } split/[&;]/, $in;
_ 
_ This decodes GET and/or POST data.

On initial glance it seems like it handles GET and SOME POST data.  I
bet if you upload a file through that you're going to be displeased.

Similarly, any form where the encoding type is "multipart/form-data",
because the data is diced really finely with a chainsaw.

Also what about checkbox buttons with the same name?

I like cookies that have
[] m&ms
[] chocolate chips
[] that come with milk

Seems to me that will clobber $cookie_features right fast when it
needs to be an array.

_ I'm reading in $ENV{QUERY_STRING} or else the empty string (to make
_ warn happy), concat'ing the '&' separator, then reading from STDIN
_ for whatever length $ENV{CONTENT_LENGTH} 

I sure hope browsers send that accurately.  And are never spoofed by
evil folks with $ENV{CONTENT_LENGTH} = 1e90.  :-)

_ specifies starting at the
_ end of what we read from the query string. This way, GET variables
_ have priority over POST variables.  

Really?  I read that as just the opposite.  You have GET&POST as $in,
then you split on & and feed it through map.  It looks to me like
you'll get the second evaluation (from the POSTed var) to clobber the
first. 

_ I split that on ";" or "&", and
_ do a few string operations (all of which default to $_) on
_ $_. First, replace a varname composed of lowercase letters with '',

I think the spec or at least common practice allows uppercase chars
too, but if you control the horizontal and vertical, that's not a
problem. 

_ stashing that in $nam over top of the default 'word'. Then I decode
_ what is left, using a symbol table lookup to store in the variable
_ specified by $nam.

It seems like you could have clobbered $main:: variables this way,
which could lead to a posting on BUGTRAQ.  :-)

Me?  I 'use CGI;' it's shorter to type.  :-) It has fallen down on
some cookie parsing at one point.  Come to think of it, I suspect the
code posted would too.  ... &foo=this%00that& ... it was right
inconvenient of Vignette to stuff nulls in the value.  


David

	Perl's power can be a devastating weapon in the hands of a skilled
	user, but it sometimes seems with Perl, you become skilled by
	repeatedly shooting yourself in the foot.  -- J. Friedl, MRE2
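The points David raises above (repeated names clobbering each other, an unbounded CONTENT_LENGTH, multipart bodies, `$$nam = $_` writing into package globals, and `%00` inside a value) can be checked against a strict-safe rewrite of the same two-line idea. What follows is an added example for this archive page, not code from the original poster or from the thread; the 1 MiB body cap, the sample request in `%env` and the in-memory stand-in for STDIN are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not the original poster's code): a strict-safe replacement
# for the posted two-line parser. Same scope (GET plus urlencoded POST), but
# it keeps repeated names, bounds CONTENT_LENGTH, accepts mixed-case names,
# keeps %00 bytes, and never writes to the symbol table.
use strict;
use warnings;

my $MAX_BODY = 1024 * 1024;   # assumption: 1 MiB cap on a POST body

# Decode one application/x-www-form-urlencoded token (name or value).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    # Only a real %XX escape is decoded; "%zz" or a trailing "%" is left alone.
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse one query-string body into a hash of arrays: repeated names
# (checkbox groups) accumulate in order instead of clobbering each other.
sub parse_pairs {
    my ($in, $params) = @_;
    for my $pair (split /[&;]/, $in) {
        next if $pair eq '';                      # trailing '&' etc.
        my ($name, $value) = split /=/, $pair, 2; # value may contain '='
        $value = '' unless defined $value;
        push @{ $params->{ url_decode($name) } }, url_decode($value);
    }
    return $params;
}

# Read the request the way a CGI script sees it: QUERY_STRING first, then a
# bounded POST body. Only urlencoded bodies are handled; multipart/form-data
# (file uploads) is refused rather than diced up.
sub read_request {
    my ($env, $fh) = @_;
    my %params;
    parse_pairs($env->{QUERY_STRING} || '', \%params);

    if (($env->{REQUEST_METHOD} || '') eq 'POST') {
        my $ctype = $env->{CONTENT_TYPE} || '';
        die "unsupported content type: $ctype\n"
            unless $ctype =~ m{^application/x-www-form-urlencoded\b}i;

        # "1e90" or "-1" fails the digit check; anything over the cap is refused.
        my $len = $env->{CONTENT_LENGTH} || '0';
        die "bad Content-Length\n" unless $len =~ /^\d+$/ && $len <= $MAX_BODY;

        my $data = '';
        while (length($data) < $len) {
            my $got = read($fh, $data, $len - length($data), length($data));
            die "short read\n" unless $got;    # client sent less than it claimed
        }
        parse_pairs($data, \%params);
    }
    return \%params;
}

# --- constructed sample request (not real traffic) ---
my $body = 'cookie=chips&cookie=milk&foo=this%00that&admin=1';
open my $stdin, '<', \$body or die $!;        # in-memory stand-in for STDIN
my %env = (
    REQUEST_METHOD => 'POST',
    CONTENT_TYPE   => 'application/x-www-form-urlencoded',
    CONTENT_LENGTH => length($body),
    QUERY_STRING   => 'cookie=m%26ms&Word=hello',
);
my $p = read_request(\%env, $stdin);

# All three cookie values survive, query string first, then the body.
print join('|', @{ $p->{cookie} }), "\n";
# A mixed-case name is just another hash key.
print $p->{Word}[0], "\n";
# The NUL from %00 is kept as a byte inside the value, not dropped.
print length($p->{foo}[0]), "\n";
# "admin=1" is a parameter the script has to ask for, not a global it trusts.
print "admin is a parameter, not a global\n" if exists $p->{admin};
```

Run it as a plain script; the handle opened on a scalar reference stands in for STDIN, so no web server is involved. The last line is the security point from the thread: with the posted one-liner the same request reaches `$$nam = $_` with `$nam` set to `admin`, which under `use strict` dies and without it assigns `$main::admin`, whereas here every name, whatever it is, only ever becomes a key in `%params`.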


