Query String Problem 1

Status
Not open for further replies.

audiopro

Programmer
Apr 1, 2004
3,165
GB
I have used the CGI module quite a lot but never encountered this before.
A submission to Paypal returns the name of a script to run when a transaction is successful (success.cgi), with a few vars in the query string.
This is the address bar display, with the site name removed.
Code:
http://www.sitename/cgi-bin/success.cgi?toot=tutty/enchanti.tut&comp=chant&ino=5016&

The script starts the same way as countless other scripts.

Code:
#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);

use Time::Local;
use warnings;
use strict;
use CGI;
use DBI;
use HTML::Template;
my $query = new CGI;
print "Content-type: text/html\n\n";	# prepare for HTML output

	my $COMPANY=$query->param('comp') || '';
	my $TUTNAME=$query->param('toot') || '';
	my $INO=$query->param('ino') || '';

It appears that the query string is not being decoded as

Code:
print "co $COMPANY<br>tut $TUTNAME<br>in $INO<br>";

only prints
Code:
co
tut
in

Print the query string

Code:
print $ENV{'QUERY_STRING'};

=

toot=tutty/enchanti.tut&comp=chant&ino=5016&

So the query string contains the expected data, there is no line feed etc at the end causing the problem.
If I remove the last char from the address line, whatever it might be, and refresh the page, the query string is decoded.

What am I missing?



Keith
 
That trailing '&' sign may be the root of the problem. The system may be expecting to find an additional variable and when it can't, silently quits working. I've worked with Apache a little and various error messages can be turned off - the goal being to save the customer from seeing debug-level messages they can't do much of anything with other than worry if they're being hacked.

Two ideas to try:
Code:
 if ($ENV{'QUERY_STRING'} =~ /\&$/) {
   $ENV{'QUERY_STRING'} .= "junk_var=junk_val" ;
};
or
Code:
 if ($ENV{'QUERY_STRING'} =~ /\&$/) {
   chop $ENV{'QUERY_STRING'} ;
};
... This is assuming you are able to modify a %ENV var. If not, can $query->param(xx) be directed to a variable other than $ENV{'QUERY_STRING'}?
 
Thanks, I'll try that when I have a moment.
It doesn't seem to matter what the last character is in the string; if I remove the last one from the string, it is decoded by the CGI module. I did think that there was a stray line feed at the end but there is nothing odd at the end - all very peculiar.

I have got round it, for now, by splitting the $ENV manually.

Keith
 
How are you building your success URI? It contains two characters, '/' and '&', that should be CGI escaped.

Code:
use URI;

use strict;
use warnings;

my $uri = URI->new('http://www.sitename/cgi-bin/success.cgi');
$uri->query_form({
	toot => 'tutty/enchanti.tut',
	comp => 'chant',
	ino  => '5016&',
});
print $uri, "\n";

=prints
http://www.sitename/cgi-bin/success.cgi?toot=tutty%2Fenchanti.tut&comp=chant&ino=5016%26
=cut

Try the above as your success url.

- Miller
 
The success URL is being loaded from a text file and then the individual site details are appended to the end of the string from additional variables.


I am obviously doing something wrong here as the following just adds a hash to the end of the URL.
Code:
my $uri = URI->new('http://www.sitename/cgi-bin/success.cgi');
$uri->query_form({
toot => $ComName,
comp => $SiteInfo{'sitename'},
ino => '$InvoiceNumber&',
});

print "$uri<br>";

Prints



Keith
 
Must be an old version of the URI module. A hash instead of a hash reference will probably do the trick.

Also note that your $InvoiceNumber is not going to be interpolated as it currently stands.

Code:
use URI;

use strict;
use warnings;

my $uri = URI->new('http://www.sitename/cgi-bin/success.cgi');
$uri->query_form(
    toot => 'tutty/enchanti.tut',
    comp => 'chant',
    ino  => '5016&',
);
print $uri, "\n";

=prints
http://www.sitename/cgi-bin/success.cgi?toot=tutty%2Fenchanti.tut&comp=chant&ino=5016%26
=cut
 
"Also note that your $InvoiceNumber is not going to be interpolated as it currently stands"
Thanks
I did spot that, the example above was a bit of a cut and paste job.

I think I will just stick to decoding the query string manually for now, it works as it is working properly. I was more interested why it didn't work, for future reference.

Keith
 
My guess is that if you have an old version of the URI module, you might have an old one of CGI as well. That could be why it's failing to handle the malformed nature of your CGI string: the fact that it contains unescaped characters and ends with a &.

Just an idea.

- Miller
 
Really don't have enough information to solve this it seems.

Another random guess. Paypal is calling back to your script in POST mode so the action url isn't being parsed by CGI, only the POST variables.

I give this a < 10% chance of being true, but would need to actually play around to debug this probably.

- Miller
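
Added example, not part of the thread: a stand-alone check of how CGI.pm treats the POST case guessed at above. With a POST request, `param()` returns only the body fields, while `url_param()` reads the query string from the URL. It assumes CGI.pm is installed; the POST body and its field name are constructed placeholders.

```perl
# Added example, not from the thread. The POST body is constructed and its
# field name is a placeholder.
use strict;
use warnings;
use CGI;

my $body = 'sample_field=sample_value';
$ENV{REQUEST_METHOD} = 'POST';
$ENV{CONTENT_TYPE}   = 'application/x-www-form-urlencoded';
$ENV{CONTENT_LENGTH} = length $body;
$ENV{QUERY_STRING}   = 'toot=tutty/enchanti.tut&comp=chant&ino=5016&';

# CGI.pm reads a POST body from STDIN, so point STDIN at the constructed body.
close STDIN;
open STDIN, '<', \$body or die "cannot reopen STDIN: $!";

my $query = CGI->new;
for my $name (qw(comp toot ino)) {
    my $from_param = $query->param($name);       # POST: body fields only
    my $from_url   = $query->url_param($name);   # always parsed from QUERY_STRING
    printf "%-4s param=%-7s url_param=%s\n", $name,
        $from_param // '(undef)', $from_url // '(undef)';
}
```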
 
Thanks but I think it will remain a mystery.
I have set this script up many times but the previous URLs didn't have any variables appended to the query string, so the success script was called without problems.
This version is used by quite a few different websites so I have had to include the variables in order to identify which website and invoice number the transaction refers to so I can display a receipt with the correct information.
It is working with the manual decoding so I will leave it alone.

Keith
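
Added example, not part of the thread and not the poster's code: one way to do the manual decoding mentioned above so that a trailing '&' is harmless, with the values checked and HTML-escaped before they are printed into the page. The formats in `%rule` are assumptions read off the sample URL.

```perl
# Added example, not the poster's code; formats in %rule are assumptions.
use strict;
use warnings;
# Decode a raw query string by hand; empty pieces (trailing '&') are skipped.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, $qs // '') {
        next unless length $pair;
        my ($name, $value) = split /=/, $pair, 2;
        for ($name, $value) {
            $_ //= '';
            tr/+/ /;                                # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;    # percent-decoding
        }
        $param{$name} = $value unless exists $param{$name};   # first value wins
    }
    return \%param;
}

my %rule = (
    comp => qr{\A[A-Za-z0-9_-]+\z},
    toot => qr{\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.tut\z},   # no "..", no leading "/"
    ino  => qr{\A[0-9]+\z},
);

# True only if every expected parameter is present and matches its rule.
sub all_valid {
    my ($param) = @_;
    for my $name (keys %rule) {
        return 0 unless ($param->{$name} // '') =~ $rule{$name};
    }
    return 1;
}

sub html_escape {
    my ($text) = @_;
    $text =~ s/([&<>"'])/sprintf('&#%d;', ord($1))/ge;   # numeric character references
    return $text;
}

# Constructed inputs: the first post's query string, then the encoded URL
# from the reply, whose ino value decodes to "5016&" and fails the digit rule.
for my $qs ('toot=tutty/enchanti.tut&comp=chant&ino=5016&',
            'toot=tutty%2Fenchanti.tut&comp=chant&ino=5016%26') {
    my $p = parse_query($qs);
    my $line = all_valid($p)
        ? join('<br>', map { "$_ " . html_escape($p->{$_}) } sort keys %rule)
        : 'rejected: ' . html_escape($qs);
    print "$line\n";
}
```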
 