Lunarpages Web Hosting Forum

Author Topic: Perl scripts  (Read 8268 times)

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Perl scripts
« on: April 11, 2009, 07:23:49 PM »
Hi people, I've written two Perl scripts to handle the ordering process of software on my website. The first script just takes the details entered into a HTML form and sends the information to the second script to confirm the order.

I'm very unfamiliar with Perl. I would like to make sure there aren't any security flaws in my Perl scripts. The people at the Lunarpages helpdesk aren't allowed to help (I have no idea why?), so I was hoping that someone here that is experienced with Perl would kindly give my scripts a quick look just to point out any obvious errors I have made. I would greatly appreciate this, as I don't really have time to learn all of the ins and outs of Perl right now. Anyone willing to lend a helping hand, please PM me.

Thank you.

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #1 on: April 21, 2009, 08:26:45 PM »
Well, I still have gotten no help from anyone, and I could really use it. I mainly just need to know that my Perl scripts are not leaving my website open to attack.

Maybe if I just post them here, someone can take just a few minutes to check them out for anything obvious. I would really appreciate it.
It is mostly just html code which can be ignored; I just need the Perl coding looked at.
« Last Edit: April 21, 2009, 08:28:51 PM by d0gyears »

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #2 on: April 21, 2009, 08:27:03 PM »
confirm.pl:
----------
#!/usr/bin/perl -tW

use CGI qw(:standard);

$missing = 0;
$total = 0;
$firstname;
$lastname;
$streetaddress1;
$streetaddress2;
$city;
$state;
$zipcode;
$email;
$app1;
$app1quantity;
$app2;
$app2quantity;
$shippingmethod;
$paymentmethod;
$comments;

print "Content-type: text/html\n\n";

my %form;
foreach my $p (param()) {
  if ($p ne "Street Address 2" and $p ne "EMail" and $p ne "Comments" and $p ne "App 1 Quantity" and $p ne "App 2 Quantity" and param($p) eq '') {
    $missing = "1";
  }

  if ($p eq "First Name") { $firstname = param($p); };
  if ($p eq "Last Name") { $lastname = param($p) };
  if ($p eq "Street Address 1") { $streetaddress1 = param($p) };
  if ($p eq "Street Address 2") { $streetaddress2 = param($p) };
  if ($p eq "City") { $city = param($p) };
  if ($p eq "State") { $state = param($p) };
  if ($p eq "Zip Code") { $zipcode = param($p) };
  if ($p eq "EMail") { $email = param($p) };
  if ($p eq "App1") { $App1 = 1 };
  if ($p eq "App1 Quantity") {
    if ($App1 == 1) {
      $App1quantity = param($p)
    }
  };
  if ($p eq "App2") { $App2 = 1 };
  if ($p eq "App2 Quantity") {
    if ($App2 == 1) {
      $App2quantity = param($p)
    }
  };
  if ($p eq "Shipping Method") { $shippingmethod = param($p) };
  if ($p eq "Payment Method") { $paymentmethod = param($p) };
  if ($p eq "Comments") { $comments = param($p) };
}

if ($app1 eq '' and $app2 eq '') {
  $missing = "1";
}

if ($app1quantity eq '' and $app2quantity eq '') {
  $missing = "1";
}

if ($app1 == 1 and $app1quantity eq '') {
  $missing = "1";
}

if ($app2 == 1 and $app2quantity eq '') {
  $missing = "1";
}

if ($app2 == 1 and $app2quantity < 5) {
  $missing = "1";
}

print <<TO_DETAILS;
<HTML>
  <HEAD>
    <TITLE>test</TITLE>
    <META NAME="description" CONTENT="purchase">
  </HEAD>
  <BODY bgcolor="#FFFFFF">
    <FONT FACE=\"Tahoma, Arial\" size=\"2\"><CENTER>This is a test</CENTER></FONT>";
TO_DETAILS

if ($missing == 1) {
  print "<FONT FACE=\"Tahoma, Arial\" size=\"2\"><CENTER>Some needed fields are blank.</CENTER></FONT>";
} else {
  print "<FONT FACE=\"Tahoma, Arial\" size=\"2\"><CENTER>Confirm details and then complete order.</CENTER></FONT>";
}

print <<TO_FORM;
          <p align="center"><img border="0" src="break.jpg" width="431" height="3"></p>
          <p align="center"><img border="0" src="purchase.jpg" width="180" height="146"></P>
TO_FORM

if ($missing == 1) {
  print <<TO_END1;
          <form method="POST" action="/cgi-bin/confirm.pl">
            <div align="center">
            <center>
            <table border="0" width="75%">
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>First Name:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="First Name" size="15" value="$firstname">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Last Name:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="Last Name" size="15" value="$lastname">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Street Address 1:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="Street Address 1" size="15" value="$streetaddress1">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2">Street Address 2 (optional):</FONT>
                </td>
                <td width="50%">
                  <input type="text" name="Street Address 2" size="15" value="$streetaddress2">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>City:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="City" size="15" value="$city">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>State/Province/Region:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="State" size="15" value="$state">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Zip/Postal Code:</B></FONT>
                </td>
                <td width="50%">
                  <input type="text" name="Zip Code" size="15" value="$zipcode">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2">E-Mail Address (optional):</FONT>
                </td>
                <td width="50%">
                  <input type="text" name="EMail" size="15" value="$email">
                </td>
              </tr>
            </table>
            </center>
            </div>
            <BR>
            <div align="center">
              <center>
              <table border="0" width="75%">
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B><U>Product(s):</U></B></FONT>
                  </td>
                </tr>
                <tr>
                  <td width="50%">
TO_END1

if ($app1 == 1) {
  print "<input type=\"checkbox\" name=\"app1\" value=\"ON\" checked><FONT FACE=\"Tahoma, Arial\" size=\"2\"><B>app 1</B></FONT>";
} else {
  print "<input type=\"checkbox\" name=\"app1\" value=\"ON\"><FONT FACE=\"Tahoma, Arial\" size=\"2\"><B>app 1</B></FONT>";
}

print "</td>";
print "<td width=\"50%\">";
print "  <FONT FACE=\"Tahoma, Arial\" size=\"2\"><B>Quantity: </B></FONT><input type=\"text\" name=\"app1 Quantity\" size=\"5\" value=\"$app1quantity\">";
print "</td>";
print "</TR>";
print "<TR>";
print "<td width=\"50%\">";

if ($app2 == 1) {
  print "<input type=\"checkbox\" name=\"app2\" value=\"ON\" checked><FONT FACE=\"Tahoma, Arial\" size=\"2\"><B>app 2</B></FONT>";
} else {
  print "<input type=\"checkbox\" name=\"app2\" value=\"ON\"><FONT FACE=\"Tahoma, Arial\" size=\"2\"><B>app 2</B></FONT>";
}

print  <<TO_END2;
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Quantity: </B></FONT><input type="text" name="app 2 Quantity" size="5" value="$app2quantity">
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Shipping Method:</B></FONT>
                  </td>
                  <td width="50%">
                    <select size="1" name="Shipping Method">
TO_END2

if ($shippingmethod eq 'Priority (3-5 days, $4.05)') {
  print "<option selected>Priority (3-5 days, \$4.05)</option>";
} else {
  print "<option>Priority (3-5 days, \$4.05)</option>";
}

if ($shippingmethod eq 'Next Day ($12.70)') {
  print "<option selected>Next Day (\$12.70)</option>";
} else {
  print "<option>Next Day (\$12.70)</option>";
}

print <<TO_END3;
                    </select>
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Payment Method:</B></FONT>
                  </td>
                  <td width="50%">
                    <select size="1" name="Payment Method">
TO_END3

if ($paymentmethod eq 'Cash') {
  print "<option selected>Cash</option>";
} else {
  print "<option>Cash</option>";
}

if ($paymentmethod eq 'Check') {
  print "<option selected>Check</option>";
} else {
  print "<option>Check</option>";
}

print <<TO_END4;
                    </select>
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2">Comments (optional):</FONT>
                  </td>
                  <td width="50%">
                    <TEXTAREA NAME="Comments" ROWS=3 COLS=25>$comments</TEXTAREA>
                  </td>
                </tr>
              </table>
              </center>
            </div>
            <BR>
            <div align="center">
              <center>
              <table border="0" width="30%">
                <tr>
                  <td width="50%">
                    <input type="reset" value="Reset" name="reset">
                  </td>
                  <td width="50%">
                    <input type="submit" value="Preview" name="preview">
                  </td>
                </tr>
              </table>
              </center>
            </div>
          </form>
TO_END4
} else {
  print <<TO_END5;
          <form method="POST" action="/cgi-bin/submit.pl">
            <div align="center">
            <center>
            <table border="0" width="75%">
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>First Name:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$firstname</B></FONT>
                  <input type="hidden" name="First Name" value="$firstname">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Last Name:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$lastname</B></FONT>
                  <input type="hidden" name="Last Name" value="$lastname">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Street Address 1:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$streetaddress1</B></FONT>
                  <input type="hidden" name="Street Address 1" value="$streetaddress1">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2">Street Address 2 (optional):</FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$streetaddress2</B></FONT>
                  <input type="hidden" name="Street Address 2" value="$streetaddress2">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>City:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$city</B></FONT>
                  <input type="hidden" name="City" value="$city">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>State/Province/Region:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$state</B></FONT>
                  <input type="hidden" name="State" value="$state">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>Zip/Postal Code:</B></FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$zipcode</B></FONT>
                  <input type="hidden" name="Zip Code" value="$zipcode">
                </td>
              </tr>
              <tr>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2">E-Mail Address (optional):</FONT>
                </td>
                <td width="50%">
                  <FONT FACE="Tahoma, Arial" size="2"><B>$email</B></FONT>
                  <input type="hidden" name="EMail" value="$email">
                </td>
              </tr>
            </table>
            </center>
            </div>
            <BR>
            <div align="center">
              <center>
              <table border="0" width="75%">
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B><U>Product(s):</U></B></FONT>
                  </td>
                </tr>
TO_END5

if ($app1 == 1) {
  print <<TO_END6;
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>app 1</B></FONT>
                    <input type="hidden" name="app1" value=1>
                  </td>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Quantity: $app1quantity</B></FONT>
                    <input type="hidden" name="app1 Quantity" value="$app1quantity">
                  </TD>
                </TR>
TO_END6
}

if ($app2 == 1) {
  print <<TO_END7;
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>app 2</B></FONT>
                    <input type="hidden" name="app2" value=1>
                  </td>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Quantity: $app2quantity</B></FONT>
                    <input type="hidden" name="app2 Quantity" value="$app2quantity">
                  </TD>
                </TR>
TO_END7
}

print <<TO_END8;
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Shipping Method:</B></FONT>
                  </td>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>$shippingmethod</B></FONT>
                    <input type="hidden" name="Shipping Method" value="$shippingmethod">
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Payment Method:</B></FONT>
                  </td>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>$paymentmethod</B></FONT>
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>Grand Total:</B></FONT>
                  </td>
                  <td width="50%">
TO_END8

if ($app1 == 1) {
  if ($app1quantity < 5) {
    $total = $app1quantity * 20;
  } else {
      if ($app1quantity < 20) {
        $total = $app1quantity * 10;
      } else {
          if ($app1quantity < 50) {
            $total = $app1quantity * 6;
          } else {
              if ($app1quantity < 100) {
                $total = $app1quantity * 4;
              } else {
                  $total = $app1quantity * 2;
                }
            }
        }
    }
}

if ($app2 == 1) {
  if ($app2quantity < 20) {
    $total += $app2quantity * 12;
  } else {
      if ($app2quantity < 50) {
        $total += $app2quantity * 10;
      } else {
          if ($app2quantity < 100) {
            $total += $app2quantity * 8;
          } else {
              $total += $app2quantity * 6;
            }
        }
    }
}

if ($app1quantity + $app2quantity < 20) {
  if ($shippingmethod eq 'Priority (3-5 days, $4.05)') {
    $total += 4;
    $total = $total . "\.05";
  }

  if ($shippingmethod eq 'Next Day ($12.70)') {
    $total += 12;
    $total = $total . "\.70";
  }
}

print <<TO_END9;
                    <FONT FACE="Tahoma, Arial" size="2"><B>$total</B></FONT>
                    <input type="hidden" name="Total" value="$total">
                    <input type="hidden" name="Payment Method" value="$paymentmethod">
                  </td>
                </tr>
                <tr>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2">Comments (optional):</FONT>
                  </td>
                  <td width="50%">
                    <FONT FACE="Tahoma, Arial" size="2"><B>$comments</B></FONT>
                    <input type="hidden" name="Comments" value="$comments">
                  </td>
                </tr>
              </table>
              </center>
            </div>
            <BR>
            <div align="center">
              <center>
              <table border="0" width="30%">
                <tr>
                  <td width="50%">
                    <input type="Button" value="Back" onclick="history.back()">
                  </td>
                  <td width="50%">
                    <input type="submit" value="Submit" name="submit">
                  </td>
                </tr>
              </table>
              </center>
            </div>
          </form>
TO_END9
}

print <<TO_END10;
          <p align="center"><img border="0" src="bar.jpg" width="311" height="8"></p>
        </td>
      </tr>
    </table>
  </BODY>
</HTML>
TO_END10
exit;
« Last Edit: April 21, 2009, 08:29:29 PM by d0gyears »

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #3 on: April 21, 2009, 08:27:50 PM »
submit.pl:
---------
#!/usr/bin/perl -tW

use CGI qw(:standard);

$amount;

open(F, ">> /order.txt");

my %form;
foreach my $p (param()) {
  if ($p ne "back" and $p ne "submit" and param($p) ne '') {
    $form{$p} = param($p);
    print F "$p: $form{$p}\n";

    if ($p eq "Total") { $amount = param($p); }

        print "Location: /thankyou.html\n\n";
      }
    }
  }
}

print F "\n-\n\n";
close(F);

exit;

Offline scanman20

  • Senior Moderator
  • Über Jedi
  • *****
  • Posts: 1556
    • http://www.notonebit.com
Re: Perl scripts
« Reply #4 on: April 22, 2009, 05:09:20 AM »
You'd probably have better luck posting this in the Perl forum  :notme:
Even a broken clock is right twice a day.
NotOneBit.com
MCSE - MCSA - MCP (<- unused since 2006!)

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #5 on: April 23, 2009, 04:33:19 PM »
You'd probably have better luck posting this in the Perl forum  :notme:

I didn't see it. Mod, can you please move this thread?

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #6 on: July 08, 2009, 12:18:53 PM »
Anyone?

Just a quick skim for any major security issues?

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #7 on: April 04, 2010, 10:19:28 AM »
Can someone please take 2 minutes so that my website doesn't get compromised?
I'm not asking for a thorough examination, just a quick skim for any obvious major problems.
I would really appreciate it.
« Last Edit: April 04, 2010, 10:22:24 AM by d0gyears »

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6404
Re: Perl scripts
« Reply #8 on: April 04, 2010, 11:58:34 AM »
I won't claim to be experienced enough in Perl to give you a definitive answer, but the general path of attack by a hacker would be to "inject" code into user input fields, and if you don't filter them out or otherwise negate them, they could do nasty things with this code.

Inputs used in an email: inject mail commands such as a large list of addressees and some spam content, that gets included into an email header because you don't have a blank line or whatever between header fields and stuff that the user may have entered.

Inputs used in a database query: inject SQL commands such as OR 1=1 into a WHERE field, to select all records and not just the desired one. The usual protection here is to escape quotes (\') and wrap quotes around input values used in a query, e.g., AND customer_id = '$customer' rather than AND customer_id = $customer.

Inputs used for page output: inject HTML tags into text so that, for example, a Flash movie could be embedded. The protection here is to change < to &lt;, etc., so that HTML tags in the input are disabled.

I looked over your two files and nothing jumped out at me as obvious vulnerabilities, but as I said, I'm no Perl expert. Some of the coding, such as
Code: [Select]
  if ($shippingmethod eq 'Next Day ($12.70)') {
    $total += 12;
    $total = $total . "\.70";
  }
looks very strange to me. I can't understand what you're doing... are you trying to add $12.70 to the total cost? You're adding a number 12, and then concatenating a string ".70". If your total was an integer, that might work, but if it already has a decimal fraction, I would think it would do strange things. The lack of comments to tell what the code is doing and the lack of consistent indentation are also unhelpful -- it's difficult to tell what the flow is and why things are being done with the data.

I just can't tell what's being done in submit.pl. It appears to be writing out a .txt file and then something involving an HTML file. Is that "Location" an HTTP header, called multiple times? If there are any vulnerabilities to code injected into your forms, it may be further down the line, in files you haven't shown.

Quote
The people at the Lunarpages helpdesk aren't allowed to help (I have no idea why?)
They are supposed to keep the servers running and that's all. If they were providing free help for everyone's applications, they would be overwhelmed with work and LP would have to greatly raise its prices to increase the number of support staff.

Have you been running this code for a whole year? If so, and nothing odd has happened yet, it's probably safe code.
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #9 on: April 04, 2010, 10:36:02 PM »
I won't claim to be experienced enough in Perl to give you a definitive answer, but the general path of attack by a hacker would be to "inject" code into user input fields, and if you don't filter them out or otherwise negate them, they could do nasty things with this code.

Inputs used in an email: inject mail commands such as a large list of addressees and some spam content, that gets included into an email header because you don't have a blank line or whatever between header fields and stuff that the user may have entered.

Inputs used in a database query: inject SQL commands such as OR 1=1 into a WHERE field, to select all records and not just the desired one. The usual protection here is to escape quotes (\') and wrap quotes around input values used in a query, e.g., AND customer_id = '$customer' rather than AND customer_id = $customer.

Inputs used for page output: inject HTML tags into text so that, for example, a Flash movie could be embedded. The protection here is to change < to &lt;, etc., so that HTML tags in the input are disabled.

I looked over your two files and nothing jumped out at me as obvious vulnerabilities, but as I said, I'm no Perl expert. Some of the coding, such as
Code: [Select]
  if ($shippingmethod eq 'Next Day ($12.70)') {
    $total += 12;
    $total = $total . "\.70";
  }
looks very strange to me. I can't understand what you're doing... are you trying to add $12.70 to the total cost? You're adding a number 12, and then concatenating a string ".70". If your total was an integer, that might work, but if it already has a decimal fraction, I would think it would do strange things. The lack of comments to tell what the code is doing and the lack of consistent indentation are also unhelpful -- it's difficult to tell what the flow is and why things are being done with the data.

I just can't tell what's being done in submit.pl. It appears to be writing out a .txt file and then something involving an HTML file. Is that "Location" an HTTP header, called multiple times? If there are any vulnerabilities to code injected into your forms, it may be further down the line, in files you haven't shown.

Quote
The people at the Lunarpages helpdesk aren't allowed to help (I have no idea why?)
They are supposed to keep the servers running and that's all. If they were providing free help for everyone's applications, they would be overwhelmed with work and LP would have to greatly raise its prices to increase the number of support staff.

Have you been running this code for a whole year? If so, and nothing odd has happened yet, it's probably safe code.

First, thank you for taking the time to give me a hand. I was starting to lose hope. Okay--I already had lost hope  :D

You are correct about the portion of code you pointed out. I am adding the shipping cost to the total - $12.70 or $4.05, depending on the customer's choice. Should this have been written in a different manner?

These are the only two Perl scripts that I use for the checkout process. Submit.pl is the second half, where the customer confirms the order. Once they confirm the order, the details they entered are saved to a text file, and the customer is directed to the file 'thankyou.html.'

Again, I have no experience with Perl. I simply don't have time to take up learning the ins-and-outs of another programming language. That is why I greatly appreciate any help that I can get here.

Offline MrPhil

  • Senior Moderator
  • Berserker Poster
  • *****
  • Posts: 6404
Re: Perl scripts
« Reply #10 on: April 05, 2010, 06:14:22 AM »
I'm kind of surprised that
Code: [Select]
$total += 12.70;didn't work for you. If $total is a number (integer or real), it ought to work. The code you had just concatenates a ".70" on to the end of a string. If that string is an integer (e.g., 35), it should be the same as adding ".70", but if it's already a real number (e.g., 35.20) you'll probably get "35.20.70" as a result.

As far as the "safety" of the code goes, I listed three areas to investigate -- if user input is being used for a database query, for HTML output, or for email content; there are certain things to watch out for or guard against. If your user input is being printed into a file, how does that file get used later on? If it's only read by a human, they should be able to spot any funny business. If it's read into some sort of automated processing, it's possible that bad input could cause problems.
Visit My Site

E-mail Me
-= From the ashes shall rise a sooty tern =-

Offline d0gyears

  • Space Explorer
  • ***
  • Posts: 9
Re: Perl scripts
« Reply #11 on: April 05, 2010, 10:49:04 AM »
As far as the "safety" of the code goes, I listed three areas to investigate -- if user input is being used for a database query, for HTML output, or for email content; there are certain things to watch out for or guard against. If your user input is being printed into a file, how does that file get used later on? If it's only read by a human, they should be able to spot any funny business. If it's read into some sort of automated processing, it's possible that bad input could cause problems.

These two Perl scripts are it. There's no SQL database or anything like that being used. A customer enters their details and clicks 'Preview', then their ordering details are displayed and they confirm the order, and lastly, they are redirected to 'thankyou.html' and their details are saved to a text file on the server. The text file is not used in any way except to be manually opened and read by the admin.