quick newbie question on variables. please answer

Cliff Crawford cjc26 at nospam.cornell.edu
Sun Jun 11 20:52:03 EDT 2000


* Toy <gee308 at mediaone.net> wrote:
| I'm a programming newbie, so most of these concepts are basic to me.  I'm
| trying to write really basic CGI programs just to get started.  How
| would I pass a text variable that a user entered to find a man page for
| a tool?

If you're writing a CGI script, then it's a little more complicated to
get input than it would be from a command-line script.  First, you need
to have a web page with a form on it, like the following:

<FORM ACTION="myscript.cgi" METHOD=GET>
<INPUT TYPE=TEXT NAME="cmd">
<INPUT TYPE=SUBMIT>
<INPUT TYPE=RESET>
</FORM>

The first INPUT element creates a text entry box called "cmd", while
the other two INPUT elements create the submit and reset buttons.

Then, in myscript.cgi, you need to use the cgi module to access the
value of "cmd":

import cgi

form = cgi.FieldStorage()
command = form["cmd"].value

See <http://www.python.org/doc/current/lib/module-cgi.html> for more
help with the cgi module.


| This is the code I wrote (startx is just a command I wrote in,
| but how would I write it so any tool could be inputted) the 3rd line of
| code is written wrong for sure:
| 
| #!/usr/bin/python
| import commands
| b = commands.getstatusoutput('man %x!') % startx

If you use the cgi code above, then this line would become:

b = commands.getstatusoutput('man %s' % command)

Note that you need to use %s instead of %x, since it's a string that
you're inserting, and that the "% command" part has to be >inside< the
parentheses.


| print = b
| 
|   I know that this is a real basic question, but I am 100% new to
| programming and I am self teaching.  Also, are there large security risks
| if this program is on a web server (if so, how could I fix it?)?

Well you have to make sure that the user doesn't try to execute something
like:

man `rm -rf /; echo startx`

(Of course after running that, there wouldn't BE any man pages to read
;)

To catch this, you could use the string module to check and make sure
that the value input by the user is a single word, without any "funny"
characters like ` in it.


-- 
cliff crawford    -><-    http://www.people.cornell.edu/pages/cjc26/
                          Synaesthesia now!            icq 68165166
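
The single-word check described above, written out as an added example (not part of the original post; it uses Python 3's subprocess module in place of the commands module). The names PAGE_NAME, man_argv and lookup, the 64-character limit and the status codes 1 and 2 are assumptions of this example.

```python
import re
import subprocess

# Allowlist: one word that starts with a letter or digit, so it can never
# contain shell syntax, whitespace, or be read by man as an option.
PAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}")


def man_argv(user_value):
    """Return the argv list for man, or None if the value is rejected."""
    # fullmatch (not match) so a trailing newline or suffix is not accepted
    if not isinstance(user_value, str) or not PAGE_NAME.fullmatch(user_value):
        return None
    return ["man", user_value]


def lookup(user_value, runner=subprocess.run):
    """Return (status, output), like commands.getstatusoutput in the post."""
    argv = man_argv(user_value)
    if argv is None:
        return (2, "rejected: not a plain page name")
    try:
        # A list argv with no shell: backticks and ';' are never interpreted
        done = runner(argv, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                      text=True, timeout=10, check=False)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return (1, "man could not be run: %s" % exc)
    return (done.returncode, done.stdout)


if __name__ == "__main__":
    # Constructed sample inputs; the second is the value quoted in the post
    for value in ["startx", "`rm -rf /; echo startx`", "ls startx", "-k"]:
        status, output = lookup(value)
        print(repr(value), "->", status, output[:60].replace("\n", " "))
```

In a CGI script, the string passed to lookup would be the value of the "cmd" form field; rejected values never reach man at all.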


