Query String Problem 1

[audiopro]

I have used the CGI module quite a lot but never encountered this before.
A submission to Paypal returns the name of a script to run when a transaction is successful (success.cgi), with a few vars in the query string.
This is the address bar display, with the site name removed.

[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi?toot=tutty/enchanti.tut&comp=chant&ino=5016&[/URL]

The script starts the same way as countless other scripts.

#!/usr/bin/perl
use CGI::Carp qw(fatalsToBrowser);

use Time::Local;
use warnings;
use strict;
use CGI;
use DBI;
use HTML::Template;
my $query = new CGI;
print "Content-type: text/html\n\n";	# prepare for HTML output

	my $COMPANY=$query->param('comp') || '';
	my $TUTNAME=$query->param('toot') || '';
	my $INO=$query->param('ino') || '';

It appears that the query string is not being decoded as

print "co $COMPANY<br>tut $TUTNAME<br>in $INO<br>";

only prints

co
tut
in

Print the query string

print $ENV{'QUERY_STRING'};

=

toot=tutty/enchanti.tut&comp=chant&ino=5016&

So the query string contains the expected data, there is no line feed etc at the end causing the problem.
If I remove the last char from the address line, whatever it might be and refresh the page, the query string is decoded.

What am I missing?



Keith

http://www.studiosoft.co.uk

 

[PinkeyNBrain]

That trailing '&' sign may be the root of the problem. The system may be expecting to find an additional variable and when it can't, silently quits working. I've worked with Apache a little and various error messages can be turned off - the goal being to save the customer from seeing debug-level messages they can't do much of anything with other than worry if they're being hacked.

Two ideas to try:

 if ($ENV{'QUERY_STRING'} =~ /\&$/) {
   $ENV{'QUERY_STRING'} .= "junk_var=junk_val" ;
};

or

 if ($ENV{'QUERY_STRING'} =~ /\&$/) {
   chop $ENV{'QUERY_STRING'} ;
};

... This is assuming you are able to modify a %ENV var. If not, can $query->param(xx) be directed to a variable other than $ENV{'QUERY_STRING'}

 

[audiopro]

Thanks, I'll try that when I have a moment.
It doesn't seem to matter what the last character is in the string, if I remove tha last one from the string, it is decoded by the CGI module. I did think that there was a stray line feed at the end but there is nothing odd at the end - all very peculiar.

I have got round it, for now, by splitting the $ENV manually.

Keith

http://www.studiosoft.co.uk

 

[MillerH]

How are you building your success URI? It contains two characters the '/' and '&' that should be CGI escaped.

use URI;

use strict;
use warnings;

my $uri = URI->new('[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi');[/URL]
$uri->query_form({
	toot => 'tutty/enchanti.tut',
	comp => 'chant',
	ino  => '5016&',
});
print $uri, "\n";

=prints
[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi?toot=tutty%2Fenchanti.tut&comp=chant&ino=5016%26[/URL]
=cut

Try the above as your success url.

- Miller

 

[audiopro]

The success URL is being loaded from a text file and then the individual site details are appended to the end of the string from additional variables.


I am obviously doing something wrong here as the following just adds a hash to the end of the URL.

my $uri = URI->new('[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi');[/URL]
$uri->query_form({
toot => $ComName,
comp => $SiteInfo{'sitename'},
ino => '$InvoiceNumber&',
});

print "$uri<br>";

Prints

http://www.sitename/cgi-bin/success.cgi?HASH(0xb72562bc)=

Keith

http://www.studiosoft.co.uk

 

[MillerH]

Must be an old version of the URI module. A hash instead of a hash reference will probably do the trick.

Also note that your $InvoiceNumber is not going to be interpolated as it currently stands.

use URI;

use strict;
use warnings;

my $uri = URI->new('[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi');[/URL]
$uri->query_form(
    toot => 'tutty/enchanti.tut',
    comp => 'chant',
    ino  => '5016&',
);
print $uri, "\n";

=prints
[URL unfurl="true"]http://www.sitename/cgi-bin/success.cgi?toot=tutty%2Fenchanti.tut&comp=chant&ino=5016%26[/URL]
=cut

 

[audiopro]

Also note that your $InvoiceNumber is not going to be interpolated as it currently stands

Thanks
I did spot that, the example above was a bit of a cut and paste job.

I think I will just stick to decoding the query string manually for now, it works as it is working properly. I was more interested why it didn't work, for future reference.

Keith

http://www.studiosoft.co.uk

 

[MillerH]

My guess is that if you have an old version of URI module, you might have an old one of CGI as well. That could by why it's failing to handle the malformed nature of your CGI string. The fact that it contains unescaped characters and ends with a &.

Just an idea.

- Miller

 

[audiopro]

It decodes CGI strings ending in & when they come from one of my own scripts, it is just this one being returned by Paypal.

Keith

http://www.studiosoft.co.uk

 

[MillerH]

Really don't have enough information to solve this it seems.

Another random guess. Paypal is calling back to your script in POST mode so the action url isn't being parsed by CGI, only the POST variables.

I give this a < 10% of being true, but would need to actually play around to debug this probably.

- Miller

 

[audiopro]

Thanks but I think it will remain a mystery.
I have set this script up many times but the previous URL's didn't have any variables appended to the query string, so the success script was called without problems.
This version is used by quite a few different websites so I have had to include the variables in order to identify which website and invoice number the transaction refers to so I can display a receipt with the correct information.
It is working with the manual decoding so I will leave it alone.

Keith

http://www.studiosoft.co.uk