Tony Cook > Imager-0.97 > samp-form.cgi

Download:
Imager-0.97.tar.gz

Annotate this POD

Website

CPAN RT

New  39
Open  16
View/Report Bugs
Source   Latest Release: Imager-1.000

NAME ^

samp-form.cgi - demonstrates interaction of HTML generation with image generation

SYNOPSIS ^

  /cgi-bin/samp-form.cgi?color=RRGGBB

DESCRIPTION ^

This is the HTML side of a sample for Imager that demonstrates generating an image linked from a HTML form.

See samp-image.cgi for the image generation side of this sample.

One common mistake seen in generating images is attempting to generate the image inline, for example:

  # DON'T DO THIS, IT'S WRONG
  my $img = Imager->new(...);
  ...  draw on the image  ...  
  print '<img src="',$img->write(fd=>fileno(STDOUT), type="jpeg"),'" />';

This sample code demonstrates one of the possible correct ways to generate an image linked from a HTML page.

This has the limitation that some processing is done twice, for example, the validation of the parameters, but it's good when the same image will never be generated again.

The basic approach is to have one program generate the HTML which links to a second program that generates the image.

This sample is only intended to demonstrate embedding a generated image in a page, it's missing some best practice:

ANOTHER APPROACH ^

A different way of doing this is to have the HTML generation script write the images to a directory under the web server document root, for example, the code from # START LINK GENERATION to # END LINK # GENERATION in samp-form.cgi would be replaced with something like:

  if ($color && !keys %errors) {
    # make a fairly unique filename
    # in this case we could also use:
    #   my $filename = lc($color) . ".jpg";
    # but that's not a general solution
    use Time::HiRes;
    my $filename = time . $$ . ".jpg";
    my $image_path = $docroot . "/images/dynamic/" . $filename;
    my $image_url = "/images/dynamic/" . $filename;
    
    my $im = Imager->new(xsize=>40, ysize=>40);
    $im->box(filled=>1, color=>$color);

    $im->write(file=>$image_path)
      or die "Cannot write to $image_path:", $im->errstr, "\n";

    print <<HTML;
  <img src="$image_url" width="40" height="40" alt="color sample" />
  HTML
  }

This has the advantage that you aren't handling a second potentially expensive CGI request to generate the image, but it means you need some mechanism to manage the files (for example, a cron job to delete old files), and you need to make some directory under the document root writable by the user that your web server runs CGI programs as, which may be a security concern.

Also, if you're generating large numbers of large images, you may end up using significant disk space.

SECURITY ^

It's important to remember that any value supplied by the user can be abused by the user, in this example there's only one parameter, the color of the sample image, but in a real application the values supplied coule include font filenames, URLs, image filename and so on. It's important that these are validated and in some cases limited to prevent a user from using your program to obtain access or deny access to things they shouldn't be able to.

For example of limiting a parameter, you might have a select like:

  <!-- don't do this, it's wrong -->
  <select name="font">
    <option value="arial.ttf">Arial</option>
    <option value="arialb.ttf">Arial Black</option>
    ...
  </select>

and then build a font filename with:

  my $fontname = $cgi->param('font');
  my $fontfile=$fontpath . $fontname;

but watch out when the user manually supplies font with a value like ../../../some_file_that_crashes_freetype.

So limit the values and validate them:

  <select name="font">
    <option value="arial">Arial</option>
    <option value="arialb.ttf">Arial Bold</option>
    ...
  </select>

and code like:

  my $fontname = $cgi->param('font');
  $fontname =~ /^\w+$/ or $fontname = 'arial'; # use a default if invalid
  -e $fontpath . $fontname . ".ttf" or $fontname = 'arial';
  my $fontfile = $fontpath . $fontname . '.ttf';

or use a lookup table:

  my %fonts = (
    arial => "arial.ttf",
    arialb => "arialb.ttf",
    xfont_helv => "x11/helv.pfb",
    );
  ...

  my $fontname = $cgi->param('font');
  exists $fonts{$fontname} or $fontname = 'arial';
  my $fontfile = $fontpath . $fonts{$fontname};

Remember that with perl your code isn't in a sandbox, it's up to you to prevent shooting yourself in the foot.

AUTHOR ^

Tony Cook <tony@develop-help.com>

syntax highlighting: