开发者

HTML vars to CGI script (uix command execution)

问答 作者:

Working in PERL, I am trying to run unix command line using variabels parsed from an html form. The following is the HTML form:

<?PHP
if ($_REQUEST['action'] == "submit") {
    $var1 = $_REQUEST['var1'];
    $var2 = $_REQUEST['var2'];
    ** working toward executing script "/usr/lib/cgi-bin/test.pl" with the above variables **
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Test HTML Submit to CGI</title>
    </head>
    <body>
        <form name-"Submit" id="Submit" method="POST">
            <input type="hidden" name="action" va开发者_运维百科lue="submit" />
            Input Variable 1<br /><br />
            <input type="text" name="var1"></input><br /><br />
                                 Input Variable 2<br /><br />
            <input type="text" name="var2"></input><br /><br />
            <input type="submit" value="Execute script" />
                      </form>
    </body>
</html>

and I am looking for the right syntax to use these variables to submit a unix command line via a CGI script. I have a test.pl with the following:

use CGI;
$parse = new CGI;
$var1 = $parse->param('var1');
$var2 = $parse->param('var2');
if ($var1) {
    if ($var2) {
       echo "$var1" | UnixCommand --trigger +$var2                                          
    }
}
exit;

I want to execute the script from the submitted form only after some validation Iw ill write into the top of the PHP file. The unix command I am trying to execute in the CGI requires both the quotes around var1 and the + before $var2 to be literal, whichi I presume will require some sort of append within the CGI or escaping to make the text flow correctly. Are there some kind of escape variables I need to use to get the string to execute properly at the command line?

Any help you could provide would be appreciated,

Silver Tiger

#!/usr/bin/perl -T
use strictures;
use CGI qw();
use IPC::Run qw(run);
use autodie qw(:all run); # must come after importing 'run'

delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; # perldoc perlsec

my $cgi = CGI->new;

# parameter restriction/untainting
my ($var1) = ($cgi->param('var1') =~ /\A ([A-Za-z]+) \z/msx);
my ($var2) = ($cgi->param('var2') =~ /\A ([A-Za-z]+) \z/msx);

if (defined $var1 && defined $var2) {
    run # will autodie if return code is wrong
        ['/usr/bin/UnixCommand', '--trigger', '+'.$var2], # command and arguments as list
        \$var1,     # in
        \*STDOUT;   # out
} else {
    die 'invalid parameters';
}

1) Why not use php everywhere?

2) Escape quotes, then use open: 

# replace all quotes/backslashes
$var2 =~ s/(['\\])/'\\$1'/g; 
# open a command (it's popen(3) really) 
open (my $pipe, "|-", "$command '$var2'")
     or die "Cannot open $command: $!";
print $pipe, $var1; # not echo

3) Sidenote: always place 

use warnings;
use strict;

at the beginning of you perl script. You'll have less chances to miss an error.

You can also add $parse->import_names("q"); and then access vars as $q::var1 etc which is IMHO simpler than calling param() all the way.

继续阅读:cgiperlphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9