Mailing List Archive

RegEx Comparison
Hello,

The following piece of code is supposed to compare the response message from an HTTP GET request to a value obtained from the previous webpage, using the CGI tag.

'res_msg' : variable which holds the response message
'order' : variable which holds the order number from the previous page

[if scratch res_msg =~ /[cgi order]/]
[warnings message="Tracking email for [cgi order] successfully resent"]
[/if]

If all goes well, the 'res_msg' will contain the order number. However, I cannot get the regex comparison to return true in the if statement. I have tried manually inputting the order number as follows...

[if scratch res_msg =~ /{actual order number}/]
[warnings message="Tracking email for [cgi order] successfully resent"]
[/if]

...which worked fine, meaning that the 'res_msg' variable is working fine. I can also see that the 'order' variable contains the order number since I am printing it in the warning message.

My question is, does the CGI tag do something funky to the text to where I cannot compare it in that manner? How would I go about extracting the order number from [cgi order] to be able to check it against 'res_msg'?

Any help or advice is greatly appreciated. Thank you.

Best,
Mihai Dan
Air Delights
mihai@airdelights.com

_______________________________________________
interchange-users mailing list
interchange-users@interchangecommerce.org
https://www.interchangecommerce.org/mailman/listinfo/interchange-users
Re: RegEx Comparison
On 10/9/20 9:39 AM, mihai@airdelights.com wrote:
> Hello,
>
> The following piece of code is supposed to compare the response message from an HTTP GET request to a value obtained from the previous webpage, using the CGI tag.
>
> 'res_msg' : variable which holds the response message
> 'order' : variable which holds the order number from the previous page
>
> [if scratch res_msg =~ /[cgi order]/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]
>
> If all goes well, the 'res_msg' will contain the order number. However, I cannot get the regex comparison to return true in the if statement. I have tried manually inputting the order number as follows...
>
> [if scratch res_msg =~ /{actual order number}/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]
>
> ...which worked fine, meaning that the 'res_msg' variable is working fine. I can also see that the 'order' variable contains the order number since I am printing it in the warning message.
>
> My question is, does the CGI tag do something funky to the text to where I cannot compare it in that manner? How would I go about extracting the order number from [cgi order] to be able to check it against 'res_msg'?
>
> Any help or advice is greatly appreciated. Thank you.

Mihai,

You can't use positional parameters when you need interpolation. You'll
have to restructure your [if] tag to use named parameters and put the
fields you require to be interpolated in quotes -- any of ', ", or |.

Thanks,
Mark

Re: RegEx Comparison
Hello Mark,

Thank you very much for the insight. Problem is fixed.

Best,
Mihai Dan

-----Original Message-----
From: "Mark Johnson" <mark@endpoint.com>
Sent: Friday, October 9, 2020 6:42am
To: interchange-users@interchangecommerce.org
Subject: Re: [ic] RegEx Comparison

On 10/9/20 9:39 AM, mihai@airdelights.com wrote:
> Hello,
>
> The following piece of code is supposed to compare the response message from an HTTP GET request to a value obtained from the previous webpage, using the CGI tag.
>
> 'res_msg' : variable which holds the response message
> 'order' : variable which holds the order number from the previous page
>
> [if scratch res_msg =~ /[cgi order]/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]
>
> If all goes well, the 'res_msg' will contain the order number. However, I cannot get the regex comparison to return true in the if statement. I have tried manually inputting the order number as follows...
>
> [if scratch res_msg =~ /{actual order number}/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]
>
> ...which worked fine, meaning that the 'res_msg' variable is working fine. I can also see that the 'order' variable contains the order number since I am printing it in the warning message.
>
> My question is, does the CGI tag do something funky to the text to where I cannot compare it in that manner? How would I go about extracting the order number from [cgi order] to be able to check it against 'res_msg'?
>
> Any help or advice is greatly appreciated. Thank you.

Mihai,

You can't use positional parameters when you need interpolation. You'll
have to restructure your [if] tag to use named parameters and put the
fields you require to be interpolated in quotes -- any of ', ", or |.

Thanks,
Mark

Re: RegEx Comparison
On 10/10/20 2:39 am, mihai@airdelights.com wrote:
> Hello,
>
> The following piece of code is supposed to compare the response message from an HTTP GET request to a value obtained from the previous webpage, using the CGI tag.
>
> 'res_msg' : variable which holds the response message
> 'order' : variable which holds the order number from the previous page
>
> [if scratch res_msg =~ /[cgi order]/]
> [warnings message="Tracking email for [cgi order] successfully resent"]
> [/if]

In addition to what Mark already said, this is a very bad idea. You're
introducing a code injection vulnerability here. Consider:

http://www.example.com/cgi-bin/mycart/mypage.html?order=%28%3F%7B%20code%20%7D%29

(note: code can be replaced above with any perl code).

I would recommend that you at least filter the cgi order variable to
remove non-numeric or non-alphanumeric chars, or find another way to
process it that doesn't end up interpreting what's inside a cgi variable
by the perl regex parser.


Peter
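
The filtering recommended above, written out as plain Perl. This is an added example, not code from the thread or from Interchange. It assumes the response message and the submitted order value are already available as Perl strings; the helper names, the alphanumeric order-number format and the sample data are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: accept only values shaped like an order number.
# The 1-32 alphanumeric shape is an assumption; tighten it to the real format.
sub clean_order {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9]{1,32})\z/ ? $1 : undef;
}

# Plain substring search: the submitted value never reaches the regex parser.
# Note that it also matches when the value is only part of a longer number.
sub response_mentions_order {
    my ($res_msg, $raw_order) = @_;
    my $order = clean_order($raw_order);
    return 0 unless defined $order && defined $res_msg;
    return index($res_msg, $order) >= 0 ? 1 : 0;
}

# If a regex is needed (here for word boundaries), \Q...\E escapes every
# metacharacter so the value is matched as literal text only.
sub response_matches_order_re {
    my ($res_msg, $raw_order) = @_;
    my $order = clean_order($raw_order);
    return 0 unless defined $order && defined $res_msg;
    return $res_msg =~ /\b\Q$order\E\b/ ? 1 : 0;
}

# Constructed sample data: one valid order number, one partial number,
# and three values that the allowlist rejects before any comparison.
my $res_msg = 'Tracking email resent for order AD10042';
my @cases   = ('AD10042', 'AD1', '.*', '(?{ code })', '');

for my $order (@cases) {
    printf "%-16s substring=%d regex=%d\n", "<$order>",
        response_mentions_order($res_msg, $order),
        response_matches_order_re($res_msg, $order);
}
```

Only `AD10042` passes both checks; `AD1` passes the substring check but not the word-bounded regex, and the remaining values are rejected by the allowlist.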