Hi guys, I come here as a last resort with this one.

I have tried everything I can think of and have spent countless hours googling

I am a perl n00b...



I have a Perl Script which sets a variable

$ml = "test";

Perl Likes that line, and it works witout errors

But my problem is that I need to use html in that string.

What I need to do is something like this (example)

$ml = "<a href=test.html>test.html</a>";

Perl Ignores that line as if it does not exist. It does not output any errors

Are there any perl/cgi experts out there that know where I am going wrong?

Thanks

-Nick

: Hi guys, I come here as a last resort with this one.
:
: I have tried everything I can think of and have spent countless hours googling
:
: I am a perl n00b...
:
:
:
: I have a Perl Script which sets a variable
:
: $ml = "test";
:
: Perl Likes that line, and it works witout errors
:
: But my problem is that I need to use html in that string.
:
: What I need to do is something like this (example)
:
: $ml = "<a href=test.html>test.html</a>";
:
: Perl Ignores that line as if it does not exist. It does not output any errors
:
: Are there any perl/cgi experts out there that know where I am going wrong?
:
: Thanks
:
: -Nick
:

I'm assuming you're wanting to print this out in an HTML document somewhere. I don't see anything wrong with that line (but that doesn't mean it's right). The only thing I can think of is to make sure you're using the line:
print "Content-type: text/html\n\n";
You have to use that line before you print any html code to a page.

X

OK, some more info.

Its not a straighforward as a straight out print (I wish it was)

OK, heres what I am doing.

Using blat.exe, I am trying to get perl to send the variable as the message body (in HTML) in an email (sending an attachment is no good, as the message body is dynamic)

Now, I can make blat.exe do it (send an email in HTML) from command line - not a problem. So my problem lies elsewhere.

The script that I have will send that variable plain text fine as shown in the above example.

When I try to use ANY html in a variable / string , perl seems to skip it and doesn't send the email at all, but the script itself is not ending with any errors.

The only thing that I can narrow it down to is that I don't know how perl wants to have raw HTML code sitting in a string/variable... And as yet have had no luck in 2 days at finding any info where someone has used raw HTML in a perl string/variable

HELP!

Error has been resolved

After 2 whole days of freaking with this damn script, searching the net high and low (if that is possible) the error lay where the variable is used in a command-line for "blat"

I sat staring at the damn variable so long that I got tunnel vision!

-t $touser -s \"$subject\" -body $ml -html";

Should have been more like THIS!

-t $touser -s \"$subject\" -body \"$ml\" -html";

Thanks heaps for your help none the less. It is very appreciated!

-Nick

edit : If you need a PERL script, running on NT4, to send HTML formatted emails from "BLAT" I am now officially the person you should speak to :D *grumbles at being told to use perl on an NT server*

Cheers !

: Should have been more like THIS!
:
: -t $touser -s \"$subject\" -body \"$ml\" -html";
:
: Thanks heaps for your help none the less. It is very appreciated!
:
: -Nick
:
: edit : If you need a PERL script, running on NT4, to send HTML
: formatted emails from "BLAT" I am now officially the person you
: should speak to :D *grumbles at being told to use perl on an NT
: server*
If you're thinking of handing out code like that I kinda feel I should pop up and give security a mention. Imagine $touser contains "\ndel c:\*.*\n" - or any of the other variables for that matter. If anyone uses that based on input given from outside the script, there is a big security risk - someone could be able to execute arbitary commands very easily.

You'd be better off with something more like:-

open my $mail, "| c:\path\to\blat.exe -html -t";
print $mail "To: $touser\n";
print $mail "Subject: $subject\n\n";
print $mail "$body";
close $mail;

Notice now we don't have user variables on the command line. Yes, I know changing it is a pain now you've got it working. Instead, think of how much of a pain it'll be when somebody starts executing various "interesting" commands on the server you script is running on.

Jonathan

###
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

I will spend some time securing that script a little better.

I'm a bit of a newbie and my code is pretty rough, but considering that a few days ago I didn't know anything about Perl &/or blat I think i'm doing pretty good.

Thanks for the advice Jonathan, much appreciated.

-Nick

: I will spend some time securing that script a little better.
Great, thank you. You may find it strange I thank you for taking my advice, but I feel anything we can do to stop the SPAMmers has gotta be good. (Yes, insecure formmail scripts are easily abused by spammers - very easily).

: I'm a bit of a newbie and my code is pretty rough, but considering
: that a few days ago I didn't know anything about Perl &/or blat I
: think i'm doing pretty good.
That's cool. When I was a newbie to web stuff I was a little ignorant on the security side, and some of the security holes in my first scripts make me cringe now.

I wrote an article on CGI security, mostly with Perl in mind.
http://www.jwcs.net/~jonathan/cgisecurity.htm

It's been a while since I last updated it; I'm hoping to fix it up with some more potential holes soon. For now it covers a fair number of things that can go badly wrong, and specifically mentions SPAMmers abusing servers through insecure CGI.

Jonathan

###
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");

Jonathan, thanks very much for your help and advice.
I have taken your warning and implemented a little bit more security into the script I have been working on.

I must say that your security guide gave me a lot of ideas on how to lock my code down a bit better. And hey if it only stops one SPAMmer, then it was worth it.

When I say down and thought about how this script could be so easily mis-used - it made me get to wondering how many other perl scripts are out there with zero security being hammered by spammers.

I have also been the victim of an open relay spam attack in the last month (through no fault of my own - I inherited an insecure system when I began working here). That was quickly turned off, but the technique is so damn simple - we will never fight spam unti we have holeproof systems and scripts that are harder to break.

Anyway, I have started to ramble. Jonathan - keep up the great work and thankyou very much for your kind advice!

-Nick Bajic

: Jonathan, thanks very much for your help and advice.
: I have taken your warning and implemented a little bit more security
: into the script I have been working on.
You're welcome, and that's great.

: I must say that your security guide gave me a lot of ideas on how to
: lock my code down a bit better. And hey if it only stops one
: SPAMmer, then it was worth it.
Indeed. Because one SPAMmer will generally affect a lot of others.

: When I say down and thought about how this script could be so easily
: mis-used - it made me get to wondering how many other perl scripts
: are out there with zero security being hammered by spammers.
All copies of Matt's Script Archive's formmail.pl, for starters. That one was probably the first "famous" formmail script, but unfortunately contained SPAM holes. Fixes were released, but of course some people don't update... These days a fair few hosting companies just ban the script outright.

: I have also been the victim of an open relay spam attack in the last
: month (through no fault of my own - I inherited an insecure system
: when I began working here). That was quickly turned off, but the
: technique is so damn simple - we will never fight spam unti we have
: holeproof systems and scripts that are harder to break.
There's no such thing as a holeproof system, IMHO, but harder to break is what we DO need. The only time I got particularly annoyed at the guys at the datacenter our company uses is when they deployed a server for us with an open relay (they're generally very good). Within a day or two, it'd been located, exploited and blacklisted. Slowed down deployment of it for a good while; we had to get it off the blacklists, blah.

: Anyway, I have started to ramble. Jonathan - keep up the great work
: and thankyou very much for your kind advice!
You can be sure I'll keep hacking away at stuff, no worries there.

Jonathan

###
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");