[ale] ? and QUERY_STRING

Chuck Huber chuck at cehuber.org
Tue Aug 21 15:47:52 EDT 2007


> Date: Tue, 21 Aug 2007 11:59:22 -0400
> From: "Michael B. Trausch" <mike at trausch.us>
> Subject: Re: [ale] ? and QUERY_STRING
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> 
> Warren Myers wrote:
>> > the http string should look something like this:
>> > 
>> > http://server.some.tld/cgi-bin/script.pl?firstvar=73&secondvar=shpage
...
> 
> firstvar=73&secondvar=shpage
> 
> Then, you just parse the string into key=value pairs by breaking them at
> the & symbol (example in bash):
> 
>  cgi_args=$(printf '%s\n' "${QUERY_STRING}" | tr '&' '\n')
> 
> And then you can import them as shell variables, if you want (note: this
> can be insecure for crafted variables,

& separates name/value pairs.  Equals separates each name from its value.
 In parsing it, you do have to watch out for expanded characters and
special characters (like '+' substitutes for ' ').  This is probably
going beyond the scope of your original question, but...

proccgi.c will do the parsing for you in a secure manner.  By "secure",
it expands special characters in both the variable name as well as its
value.  It handles POST as well as GET methods.  Form variables are
output to stdout in the form FORM_varname=value in such a way that they
can be eval'ed by a shell.

eval `/usr/local/bin/proccgi $*`

It came in handy for me in handling cgi bash scripts.
I can send you or post the source if you need it.  Or you can google for
proccgi.c.

Hope this helps.

Enjoy,
    - Chuck
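
An added example (not part of the original post, and not the proccgi source): one way to read a single parameter from QUERY_STRING in POSIX sh with no eval, decoding '+' and %XX as described above. The function names urldecode and cgi_param and the sample query string are assumptions made for illustration.

```shell
#!/bin/sh
# urldecode STRING: '+' becomes a space and %XX becomes the byte 0xXX.
# The result is only ever handled as data; the shell never re-parses it.
urldecode() {
    ud_in=$(printf '%s' "$1" | tr '+' ' ')
    ud_out=
    while :; do
        case $ud_in in
            *%[0-9A-Fa-f][0-9A-Fa-f]*)
                ud_head=${ud_in%%%[0-9A-Fa-f][0-9A-Fa-f]*}  # text before the escape
                ud_rest=${ud_in#"$ud_head"%}
                ud_hex=${ud_rest%"${ud_rest#??}"}           # the two hex digits
                ud_in=${ud_rest#??}
                # Hex -> octal escape for printf; the trailing x protects a
                # decoded newline from being stripped by $(...).
                ud_chr=$(printf "\\$(printf '%03o' "0x$ud_hex")"; printf x)
                ud_out=$ud_out$ud_head${ud_chr%x} ;;
            *)  break ;;   # a '%' not followed by two hex digits stays literal
        esac
    done
    printf '%s' "$ud_out$ud_in"
}

# cgi_param NAME: print the decoded value of the first NAME=value pair in
# QUERY_STRING. Returns 1 when NAME is absent. No eval, no dynamic variables.
cgi_param() {
    cp_rest=$QUERY_STRING
    while [ -n "$cp_rest" ]; do
        cp_pair=${cp_rest%%"&"*}
        case $cp_rest in
            *"&"*) cp_rest=${cp_rest#*"&"} ;;
            *)     cp_rest= ;;
        esac
        cp_key=$(urldecode "${cp_pair%%=*}")
        if [ "$cp_key" = "$1" ]; then
            case $cp_pair in *=*) urldecode "${cp_pair#*=}" ;; esac
            return 0
        fi
    done
    return 1
}

# Constructed sample input; a real web server sets QUERY_STRING itself.
QUERY_STRING='firstvar=73&secondvar=shpage&note=a%3Bb+%24HOME'
for p in firstvar secondvar note; do
    printf '%s=[%s]\n' "$p" "$(cgi_param "$p")"
done
```

The third parameter decodes to text containing ';' and '$', which is printed literally because the value is never passed through eval.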
