Using Form Data For Actual File Names

Date: 2002/06/17 15:32

Q:
I am trying to write a CGI script that uploads a file, which I have
working. However, I can only get it working if I hard code the file
path. I want to make the filename equivalent to values entered by the
user.

To be exact, the user is uploading a picture. On the same form they enter
their name. I want a script that uploads their picture and places it in
an image directory. The uploaded file is placed in the directory and
named theirName.ext

Here is my code:
#!/usr/local/bin/perl
use strict;
use warnings;
use CGI;

my $query = CGI->new;
my $ERROR = "";

my $fName  = $query->param("txtFirst") || "";
my $lName  = $query->param("txtLast")  || "";
my $handle = $query->param("photo");    # filehandle on the uploaded file

if ($handle) {
    # the directory stays hard coded; only the basename comes from the form
    my $uploadDir = "/campbel8/www/guestbook/photos";

    # keep letters and digits only, so the name cannot carry "/" or ".."
    $fName =~ s/[^A-Za-z0-9]//g;
    $lName =~ s/[^A-Za-z0-9]//g;
    my $fileName = "$fName$lName.jpg";
    my $sThePath = "$uploadDir/$fileName";

    # a two-argument open with no comma after the handle does not compile;
    # use the three-argument form and check the result
    open(my $photo_file, '>', $sThePath) or die "cannot write $sThePath: $!";
    binmode $handle;        # image data is binary
    binmode $photo_file;
    while (<$handle>) {
        print {$photo_file} $_;
    }
    close $photo_file;
}
A:
I do not really understand what the problem is with the solution. The
directory where the pictures are put is hard coded in the Perl program, and
this is something really good. If you get the directory where the pictures
are put from the form data, then you may soon end up with a defaced,
cracked site. Thus DO HAVE your picture directory hardcoded in the Perl
script. This is my advice.

It would also be a good idea to hard code the allowed file extensions
and, after the file is uploaded, to call 'chmod' to alter the permissions
of the file, to minimize the risk that the uploaded file, with whatever
content the untrusted uploader created, is ever run on the server.

regards,
Peter
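
As an added example, not part of Peter's answer or of the script in the
question: a Perl version of the three pieces of advice above (hard-coded
upload directory, hard-coded extension whitelist, chmod after writing),
plus the basename sanitising the question's script needs and a check that
the file content matches the claimed extension. The function names, the
signature table and the temporary directory used by the demonstration are
this example's own; the upload directory path is the one from the question.

```perl
#!/usr/bin/perl
# Hardened photo upload helper (added example; not the original script).
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

# 1. The upload directory is hard coded, never taken from form data
#    (path reused from the question; the demo below writes to a temp dir).
my $UPLOAD_DIR = '/campbel8/www/guestbook/photos';

# 2. Allowed extensions are hard coded, each tied to the byte signature
#    a genuine file of that type starts with.
my %MAGIC = (
    jpg  => "\xFF\xD8\xFF",
    jpeg => "\xFF\xD8\xFF",
    png  => "\x89PNG\r\n\x1A\n",
    gif  => "GIF8",
);

# Reduce the user-supplied name to a safe basename: keep only [A-Za-z0-9_-],
# which removes "/", "..", NUL and shell metacharacters, and cap its length.
sub safe_basename {
    my ($name) = @_;
    $name = '' unless defined $name;
    $name =~ s/[^A-Za-z0-9_-]//g;
    $name = substr($name, 0, 64);
    return length $name ? $name : undef;
}

# Take the extension from the client-supplied filename, lower-cased, and
# accept it only if it is on the whitelist. The stored name is rebuilt from
# this value, so "shell.php.jpg" can only ever be saved as "<name>.jpg".
sub allowed_extension {
    my ($client_filename) = @_;
    return undef unless defined $client_filename;
    my ($ext) = $client_filename =~ /\.([A-Za-z0-9]+)\z/;
    return undef unless defined $ext;
    $ext = lc $ext;
    return exists $MAGIC{$ext} ? $ext : undef;
}

# The extension is a claim; the leading bytes are the evidence.
sub magic_matches {
    my ($ext, $head) = @_;
    my $sig = $MAGIC{$ext};
    return substr($head, 0, length $sig) eq $sig;
}

# Stream the upload to disk: binmode on both ends (image data is binary),
# O_EXCL so an existing file is never silently overwritten, a signature
# check on the first chunk, and chmod 0644 so the result is never executable.
sub save_upload {
    my ($in_fh, $dir, $base, $ext) = @_;
    my $path = "$dir/$base.$ext";
    sysopen(my $out, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "cannot create $path: $!\n";
    binmode $in_fh;
    binmode $out;
    my ($buf, $first) = ('', 1);
    while (1) {
        my $n = read($in_fh, $buf, 65536);
        die "read failed: $!\n" unless defined $n;
        last if $n == 0;
        if ($first) {
            $first = 0;
            unless (magic_matches($ext, $buf)) {
                close $out; unlink $path;
                die "content does not look like a .$ext file\n";
            }
        }
        print {$out} $buf or die "write failed: $!\n";
    }
    close $out or die "close failed: $!\n";
    if ($first) { unlink $path; die "empty upload\n" }
    chmod 0644, $path or die "chmod failed: $!\n";
    return $path;
}

# In the CGI script itself (field names as in the question) this would be:
#   my $q    = CGI->new;
#   my $base = safe_basename($q->param('txtFirst') . $q->param('txtLast'))
#                or die "bad name";
#   my $ext  = allowed_extension(scalar $q->param('photo')) or die "bad type";
#   my $fh   = $q->upload('photo') or die "no file";
#   save_upload($fh, $UPLOAD_DIR, $base, $ext);

# Offline demonstration with constructed input instead of a real request.
my $dir = tempdir(CLEANUP => 1);

# A hostile name: traversal, a path separator and a shell metacharacter.
my $base = safe_basename('../../etc/passwd;Alice Smith');
print "basename: $base\n";                      # etcpasswdAliceSmith

# Constructed bytes with a JPEG signature; extension case is normalised.
my $jpeg = "\xFF\xD8\xFF\xE0" . ("\0" x 32);
open(my $in, '<', \$jpeg) or die $!;
my $path = save_upload($in, $dir, $base, allowed_extension('me.JPG'));
printf "saved %s: %d bytes, mode %04o\n", $path, -s $path, (stat $path)[2] & 07777;

# Rejected: disallowed extension, and allowed extension with wrong content.
print "shell.php rejected\n" unless defined allowed_extension('shell.php');
my $php = "<?php system(\$_GET['c']); ?>";
open(my $bad, '<', \$php) or die $!;
eval { save_upload($bad, $dir, 'mallory', 'png') };
print "fake .png rejected: $@" if $@;
```

Two points worth noting when wiring this into a real CGI.pm script: param('photo') in scalar context yields the client-side filename (use it only to pick the whitelisted extension, never as a path component), while upload('photo') yields the filehandle to read the bytes from. O_EXCL turns a repeat upload under the same name into an error rather than an overwrite; if overwriting is the intended behaviour, drop the flag but keep the chmod, since the mode passed to sysopen is still subject to the process umask.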