[ic] help pulling info from URL

Barry Treahy, Jr. interchange-users@icdevgroup.org
Fri Nov 1 14:39:41 2002


Stefan Hornburg wrote:

>>>>Well, one of perl's mottos is that there's more than one way to do it...
>>>>here's one elementary way:
>>>>
>>>>$last_url = '[data session last_url]';
>>>>@parts = split("/", $last_url);
>>>># position 0 should be nothing
>>>># position 1 should be "category"
>>>># position 2 should be "posters"
>>>># position 3 should be "p1.html"
>>>>$pstn2 = $parts[2];
>>>>$pstn3 = $parts[3];
>>>>        
>>>>
>>>And here a shorter way to do it (also untested):
>>>
>>>($pstn2, $pstn3) = (split("/", $Session->{last_url})[2,3];
>>>
>>>Ciao
>>>       Racke
>>>      
>>>
>>I set this up:
>>
>>[perl] ($pstn2, $pstn3) = (split("/", $Session->{last_url})[2,3]; [/perl]
>>[scratch pstn2], [scratch pstn3]
>>
>>but it returns nothing.  What am I screwing up?
>>    
>>
>
>First, one paren is missing.
>
>Second, no program in the world can read your thoughts. Why should the Perl variables
>automagically appear in the scratch namespace ? Try:
>
>[perl] ($Scratch->{pstn2}, $Scratch->{pstn3}) = (split("/", $Session->{last_url}))[2,3]; [/perl]
>
>  
>
Shouldn't some effort be made to 'sanitize' the URL content?  With these 
examples, could not a hacker embed ITL statements, or for that matter 
even Perl, into one of those positional parameters that would then be 
evaluated into the Scratch variables?

Barry

-- 

Barry Treahy, Jr  *  Midwest Microwave  *  Vice President & CIO 

E-mail: Treahy@mmaz.com * Phone: 480/314-1320 * FAX: 480/661-7028
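
Added example, not part of the original thread: one way to act on the sanitizing question above is to allowlist each path segment before it is stored, so brackets, percent-escapes and other markup characters never reach a scratch variable. The `safe_segments` helper, the `%scratch` hash standing in for Interchange's `$Scratch`, the character set and the sample URLs are all assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist for one path segment: starts with a letter or digit, then only
# letters, digits, '_', '.', '-' (64 chars max). '[', ']', '%', '$', quotes
# and whitespace all fail, so ITL tags and Perl fragments are rejected.
my $SEGMENT_RE = qr/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/;

# Hypothetical helper: return the segments at the requested positions,
# with undef for any that is missing or fails the allowlist.
sub safe_segments {
    my ($url, @positions) = @_;
    my @parts = split m{/}, (defined $url ? $url : '');
    return map {
        my $seg = $parts[$_];
        (defined $seg && $seg =~ $SEGMENT_RE) ? $seg : undef;
    } @positions;
}

# Stand-in for Interchange's $Scratch so this runs outside the server.
my %scratch;

# Constructed sample values for $Session->{last_url}.
my @samples = (
    '/category/posters/p1.html',                  # expected shape
    '/category/[data session last_url]/p1.html',  # ITL tag in position 2
    '/category/posters/%5Bperl%5D.html',          # percent-encoded brackets
    '/category/posters',                          # position 3 missing
);

for my $last_url (@samples) {
    my ($pstn2, $pstn3) = safe_segments($last_url, 2, 3);
    if (defined $pstn2 && defined $pstn3) {
        # Store only values that passed validation.
        @scratch{qw(pstn2 pstn3)} = ($pstn2, $pstn3);
        print "accepted: $last_url -> pstn2=$pstn2 pstn3=$pstn3\n";
    } else {
        # Fail closed: leave no stale or partial values behind.
        delete @scratch{qw(pstn2 pstn3)};
        print "rejected: $last_url\n";
    }
}
```

Rejecting the whole URL when either segment fails, instead of stripping the offending characters, avoids storing a value the page never expected.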