You take the source, modify the value of hidden fields, and then hit
enter when your browser points to c:/local/path/file.html

For sure the script can check the referring address to see if it's on the
server, but as Jenda stated a while ago, a "good" hacker will be able to
telnet your webserver and put whatever he wants in the header to fake
the referring url.

I also use the print<<END_LABEL; method, you can indent, space out
everything, etc. Plus I really like style attributes and dhtml so CGI is
not really a good option for me.

As for accessing the param(), there are some good ways; again Jenda made
the most wonderful module for people like me that don't really like
modules:) It takes the post/get data and parses it, without bringing the
tons of functions that CGI brings when you don't need them. It's a small
module with everything needed for decoding urls.

http://Jenda.Krynicky.cz/#CGI::Deurl

use CGI::Deurl qw(export IN);

then all the transmitted data is in the IN package.. no more
param{'name'} long syntax.. simply $IN::name gives you the variable!

Note you can also access the param value in a package with CGI... so you
don't have to install Jenda's module.

Etienne


[EMAIL PROTECTED] wrote:
> 
> Etienne,
> 
>    How can users change hidden fields on a form using POST (not GET)??
> 
>    I also find the CGI.pm syntax for writing HTML annoying. I think it was
> you in a recent post who noted Perl's "here document" technique
> (print<<END_LABEL;), which to me is a cleaner way to do it. I mentioned
> CGI.pm mainly for its param() method, to answer Sharat's question about
> accessing the form variables. Otherwise s/he (sorry, I don't know!) would
> have to do a lot more work to read and decode them from STDIN (if using
> post) or $ENV{QUERY_STRING} (if using get).
> 
>    I completely agree with your recommendation for auto writing the hidden
> field values. (Untested and unchecked by me, too!)
> 
> - John
> 
> > -----Original Message-----
> > From: Etienne Marcotte [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, December 12, 2001 10:12 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Passing arrays across forms
> >
> >
> > Passing them in hidden fields lets user change them at will.
> > It's ok if you are doing all your validity checks at the end of all
> > forms, but if you're doing them after each section you need to keep
> > those variables inaccessible to the user, or re-check them at the end.
> >
> > You do a simple validity check after each section, asking users to
> > correct the wrongly formatted fields, and at the total end you re-check
> > them and give a message asking the user why he tried to hack the hidden
> > fields values:)
> >
> > CGI.pm has sticky form elements, but personally I just hate to print my
> > html using CGI.pm (and when using it you need to specify with 0 or 1 if
> > you want previous data kept in form fields)
> >
> > as of easy way, you can auto_write your hidden fields.. foreach (keys
> > %param) {print "<input type=hidden name=$_ value=$param{$_}>\n";} or
> > something like this (untested, unchecked)
> >
> > Etienne
> >
> > [EMAIL PROTECTED] wrote:
> > >
> > > Sharat,
> > >
> > >    I tend to prefer hidden form variables to pass data, as cookies could be
> > > unsupported or turned off by the client browser. The CGI.pm module provides
> > > an easy way to access form variables from your Perl script. The O'Reilly
> > > book _CGI Programming with Perl_ has several chapters dedicated to doing
> > > this sort of thing.
> > >
> > > - John
> > >
> > > > -----Original Message-----
> > > > From: Sharat Hegde [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, December 11, 2001 11:38 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Passing arrays across forms
> > > >
> > > >
> > > > Hello,
> > > >
> > > > I have a wizard kind of form processing - basically 5 forms with user
> > > > inputs in all the forms. The data is captured and stored at the end of
> > > > the form processing.
> > > >
> > > > The data collected from the forms is stored internally in the form of
> > > > arrays - there are about 4 arrays, one of them a two-dimensional array.
> > > > The total amount of data in the worst case may be up to 1KB.
> > > >
> > > > 1. What is the best way to pass this data across forms? I know that
> > > > hidden form variables is possible. I have not yet worked with cookies,
> > > > but I hope to figure it out if required.
> > > >
> > > > 2. Are there any modules available which convert array data into form
> > > > variables and then allow you to convert form variables into arrays,
> > > > without having to write all the parsing code yourself?
> > > >
> > > > Regards,
> > > > Sharat
> >
> > --
> > Etienne Marcotte
> > Specifications Management - Quality Control
> > Imperial Tobacco Ltd. - Montreal (Qc) Canada
> > 514.932.6161 x.4001
> >

-- 
Etienne Marcotte
Specifications Management - Quality Control
Imperial Tobacco Ltd. - Montreal (Qc) Canada
514.932.6161 x.4001
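
Added example, not part of the original thread or any poster's code: the "re-check them at the end" advice as a final-step check in Perl, with the hidden fields written out quoted and HTML-escaped. The HMAC field goes beyond what the thread proposes; the key, the field names (name, quantity, _mac) and the validation rules are hypothetical.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
my $SECRET = 'placeholder-server-side-key';    # hypothetical key; never sent to the browser
my %RULES  = (name => qr/\A[\w .'-]{1,64}\z/, quantity => qr/\A[1-9]\d{0,2}\z/);  # hypothetical

sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $s =~ s/([&<>"])/$ent{$1}/g;
    return $s;
}

sub sign_fields {    # HMAC over sorted, length-prefixed names and values
    my ($f) = @_;
    my $msg = '';
    $msg .= length($_) . ":$_" . length($f->{$_}) . ":$f->{$_}" for sort keys %$f;
    return hmac_sha256_hex($msg, $SECRET);
}

# The thread's auto-written hidden fields, with quoting, escaping and a MAC field.
sub hidden_fields {
    my ($f) = @_;
    my $html = '';
    $html .= sprintf(qq{<input type="hidden" name="%s" value="%s">\n},
        escape_html($_), escape_html($f->{$_})) for sort keys %$f;
    return $html . sprintf(qq{<input type="hidden" name="_mac" value="%s">\n}, sign_fields($f));
}

# Final wizard step: returns a list of problems, empty when the data is acceptable.
sub recheck {
    my %f   = %{ $_[0] };
    my $mac = delete $f{_mac};
    my @errors;
    # Comparing HMACs of both values keeps the string comparison from leaking timing.
    push @errors, 'hidden fields were modified' unless defined($mac)
        && hmac_sha256_hex($mac, $SECRET) eq hmac_sha256_hex(sign_fields(\%f), $SECRET);
    for my $k (sort keys %RULES) {
        push @errors, "invalid $k" unless defined($f{$k}) && $f{$k} =~ $RULES{$k};
    }
    return @errors;
}

my %carried = (name => 'Sharat', quantity => '3');    # constructed sample input
print hidden_fields(\%carried);
my %posted = (%carried, _mac => sign_fields(\%carried));
print 'as sent: ', join('; ', recheck(\%posted)) || 'ok', "\n";
$posted{quantity} = '999';    # value edited in a locally saved copy of the form
print 'edited:  ', join('; ', recheck(\%posted)) || 'ok', "\n";
```

The edited quantity still passes its format rule, so only the MAC check reports it; the per-field rules remain necessary because a valid MAC only shows the values are the ones the server wrote.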
