Tuesday, February 19, 2008

Backend Processing Emails Submitted During Maintenance

Hey again,

Today, we're going to take a look at the Perl script that the HTML form from yesterday's post on collecting emails on a site maintenance page submits to.

The script below is kept fairly simple, as its only purpose is to collect email addresses and store them safely, rather than verify that the email addresses are well-formed. That functionality can be worked into this script if you like. Generally, I'll push that overhead into a third script, since we'll have to process all of these notification requests once the site comes back up anyway, and this Perl script can't handle that automatically. An example of such an email correctness-checking script can be found in a previous post we did on checking for valid email addresses in CGI forms.

You may notice that the Perl script you find below on the page seems somewhat archaic. This is for a reason. We chose not to employ any modules like the old-style cgi.pl or the newer CGI.pm, in favor of parsing the environment (ENV) and the request body by hand, so that this script would work on older machines and OSes as well as on the latest and greatest versions of Linux or Unix (insofar as they support Perl).

The only two other things we make sure to do, which are important no matter what backend scripting language you choose to process your information, are to:

1. Never act directly on the form input. We simply hand it off to a file. This is a basic security measure to ensure that no one (well, probably almost no one ;) can use your backend script to execute code directly. This script isn't the best example of how that can go bad, but you never want to "run" any form elements you're receiving, if at all possible. Depending upon your webserver, bugs, abnormalities, privileges, etc., this could cause you some major headaches.

2. Read in the HTML thank-you page from an external file rather than embed it in the script. This goes hand in hand, sometimes, with the "no direct execution" rule. By reading in a static file that we've written ourselves and keep in a secure location, it's very unlikely that an outside user will be able to manipulate our system using our backend script. At the most basic level, it makes it more difficult to compromise our webserver or system, because we aren't generating the page content dynamically.

Best wishes and enjoy :)


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

#! /usr/bin/perl

# Simple Form Parser
# Nothing Special :)
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

use strict;
use warnings;

print "Content-type: text/html\n\n";

# Read the POST body. Cap the length so a bogus CONTENT_LENGTH can't make us
# slurp an unbounded amount of data into memory.
my $length = $ENV{'CONTENT_LENGTH'} || 0;
$length = 4096 if $length > 4096;
my $buffer = '';
read(STDIN, $buffer, $length) if $length > 0;

# Decode the application/x-www-form-urlencoded pairs by hand (no CGI.pm).
my %form;
foreach my $pair (split(/&/, $buffer)) {
    my ($name, $value) = split(/=/, $pair, 2);   # limit 2 keeps any '=' inside the value
    next unless defined $name && length $name;
    $value = '' unless defined $value;
    for ($name, $value) {
        tr/+/ /;
        s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    }
    $form{$name} = $value;
}

# Store the submission as-is; nothing here executes or interprets it.
chomp(my $today = `date '+%m/%d/%Y'`);
my $email = defined $form{'email'} ? $form{'email'} : '';
$email =~ tr/\r\n//d;   # one record per line: strip CR/LF so a submission can't forge extra records
my $email_file_name = "/full/path/to/file/where/you/will/store/emails.txt";
open(my $emailfile, '>>', $email_file_name) or die "Cannot open $email_file_name: $!";
print $emailfile "$today\t$email\n";   # tab separates the date from the address
close($emailfile);

# Serve the static thank-you page, filling ##field# placeholders from the form.
# Values are HTML-escaped so a submitted value can't inject markup into the response.
my $html_dir = "/directory/where/your/thank/you/html/page/is";
my $fname = "$html_dir/thanks_for_your_submission.html";

open(my $ofile, '<', $fname) or die "Cannot open $fname: $!";
while (my $line = <$ofile>) {
    $line =~ s/##(\w+)#/html_escape($form{$1})/ge;
    print $line;
}
close($ofile);

sub html_escape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}
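The post defers address checking to a third script that runs once the site is back up. As an added illustration (not the author's code), here is a small Perl stand-in for that stage; it assumes the collector wrote tab-separated date and address records, uses a deliberately loose syntax check of its own, and reads constructed sample lines in place of the real emails.txt:

```perl
#!/usr/bin/perl
# Added example: consume the collected emails.txt once maintenance is over.
# Assumes one record per line in the form MM/DD/YYYY<TAB>address.
use strict;
use warnings;

# Constructed sample input standing in for the real emails.txt.
my $sample = join "\n",
    "02/19/2008\tfirst\@example.com",
    "02/19/2008\tFIRST\@example.com",          # duplicate (case differs only)
    "02/19/2008\tnot an address",              # fails the syntax check
    "02/19/2008\tsecond\@example.com\tjunk",   # extra field, rejected
    "garbage line",                            # malformed, rejected
    "02/20/2008\tthird\@example.com",
    "";

# Deliberately loose check: one '@', a dotted domain, no whitespace or control characters.
sub looks_like_email {
    my ($addr) = @_;
    return $addr =~ /^[^\s\@\x00-\x1f]+\@[^\s\@\x00-\x1f]+\.[A-Za-z0-9-]+$/;
}

# Returns (\@good_records, \@rejected_lines). Each good record is {date, email}.
sub process_records {
    my ($fh) = @_;
    my (%seen, @good, @bad);
    while (my $line = <$fh>) {
        chomp $line;
        my @fields = split /\t/, $line, -1;
        if (@fields != 2 || !looks_like_email($fields[1])) {
            push @bad, $line;
            next;
        }
        my $key = lc $fields[1];
        next if $seen{$key}++;   # notify each address only once
        push @good, { date => $fields[0], email => $fields[1] };
    }
    return (\@good, \@bad);
}

open(my $in, '<', \$sample) or die "Cannot open sample: $!";
my ($good, $bad) = process_records($in);
close($in);

printf "%d address(es) to notify, %d line(s) rejected\n", scalar @$good, scalar @$bad;
print "$_->{date}\t$_->{email}\n" for @$good;
```

With the sample above, two addresses survive (first and third) and three lines are rejected; the case-variant duplicate is silently collapsed rather than counted as bad.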


Mike