[freeside-devel] Re: Commissions template
ivan
ivan at 420.am
Thu Aug 24 00:55:54 PDT 2000
I had expected the agent tables to be more useful for commission-tracking
than the otaker field. Very interesting. Perhaps in your situation you'd
want the Agent to be set up automatically based on the otaker, rather than
selectable in the web interface.
A couple security problems pointed out below; otherwise looks fine.
On Wed, Aug 23, 2000 at 09:23:39PM -0700, Jason Spence wrote:
> Hi -
>
> Here's a template we added to Freeside to create commission reports for
> different Freeside accounts. How's my code?
>
> <snip>
>
> #!/usr/bin/perl -Tw
> # commissions.cgi -- view commission schedule for each freeside user
>
> use strict;
> use vars qw($cgi @customers $customer $i $tpl $page %vars $safe);
> use CGI;
> use CGI::Carp qw(fatalsToBrowser);
> use FS::Record qw(qsearch);
> use FS::CGI qw(header);
> use FS::UID qw(cgisuidsetup);
> use FS::cust_main;
>
> $cgi = new CGI;
> &cgisuidsetup($cgi);
> print $cgi->header('-expires' => 'now'), header('View Commission Schedules');
> print $cgi->a({-href => '/freeside'}, "Main Menu");
> print $cgi->br;
> print $cgi->br;
>
> if(! $cgi->param()) {
>   print $cgi->startform(-method => 'post',
>                         -action => 'commissions.cgi');
>
>   print $cgi->textfield(-name => 'otaker',
>                         -default => 'mary',
>                         -size => 20);
>   print $cgi->br;
>   print $cgi->submit;
>   print $cgi->reset;
>   print $cgi->endform();
>
> }
> else {
$cgi->param('otaker') came from the user[1] so it shouldn't be trusted
until it's been untainted - checked to make sure it contains only the data
we expect it should.
Try something like this:
$cgi->param('otaker') =~ /^(\w+)$/
or do_some_error_fu("Invalid otaker");
my $otaker = $1;
Then use $otaker below instead of $cgi->param('otaker');
Take a look at the stuff in htdocs/search/ for more examples of untainting
user input in this context.
>   print "Commission schedule for agent: " . $cgi->param('otaker');
>   print $cgi->hr;
>   print $cgi->br;
>   print $cgi->br;
>   @customers = qsearch('cust_main', {'otaker' => $cgi->param('otaker')});
>   $i = 0;
>   for $customer (@customers) {
>     print "Customer ID: " . $customer->getfield('custnum');
>     print ": ";
>     print $customer->getfield('first');
>     print " ";
>     print $customer->getfield('last');
>     print $cgi->br();
>     $i++;
>   }
>
>   print $cgi->br();
>   print "Total customers: $i";
> }
>
> </snip>
[1] (and, perhaps even unknowingly; it's trivial to construct a link which
contains form parameters)
--
meow
_ivan
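The untainting step ivan describes, as an added, stand-alone example that is not part of the thread and not Freeside code. It assumes the script name untaint_otaker.pl, replaces $cgi->param('otaker') with a constructed list of inputs that are deliberately made tainted, and uses /bin/true as a harmless system() target so that perl's own taint check can be observed. Scalar::Util::tainted is a real core function; untaint_otaker and safe_for_system are names chosen for this example.

```perl
#!/usr/bin/perl -Tw
# untaint_otaker.pl -- an added example, not Freeside code.
# Shows the untainting step from the reply above: under perl's taint mode
# (-T), every value that came from outside the program is "tainted", and
# perl refuses to pass a tainted value to a sink such as system(), exec()
# or a file opened for writing until it has been laundered through a regex
# capture.  The CGI parameter is stood in for by a constructed list below.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Same rule as the reply: accept only \w characters.  Returns the clean
# value on success, undef on failure.  $1 is a regex capture, which is the
# one operation perl treats as deliberate untainting.
sub untaint_otaker {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^(\w+)$/;
    return $1;
}

# A tainted zero-length string: anything concatenated with it becomes
# tainted, which lets us simulate $cgi->param() without a web server.
# (Assumes $ENV{PATH} is set, which it is in any normal shell.)
my $TAINT = substr($ENV{PATH}, 0, 0);

# Taint mode also demands a trustworthy environment before system().
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# Does perl allow $v to reach system()?  Returns 1 if the call ran, 0 if
# perl died with "Insecure dependency in system while running with -T".
# /bin/true is assumed to exist; the list form of system() avoids a shell.
sub safe_for_system {
    my ($v) = @_;
    return eval { system('/bin/true', $v); 1 } ? 1 : 0;
}

# Constructed inputs: the first two are what the form would send, the
# rest are what a crafted link (the reply's footnote [1]) could carry.
my @inputs = ('mary', 'ivan_42', "mary' OR 1=1 --", 'mary; rm -rf /', 'a b', '');

for my $raw (@inputs) {
    my $param = $raw . $TAINT;    # now tainted, exactly like a CGI param
    my $clean = untaint_otaker($param);
    printf "%-18s tainted=%d system_ok=%d", "'$raw'",
        (tainted($param) ? 1 : 0), safe_for_system($param);
    if (defined $clean) {
        printf " -> accepted '%s' tainted=%d system_ok=%d\n", $clean,
            (tainted($clean) ? 1 : 0), safe_for_system($clean);
    } else {
        print " -> rejected\n";
    }
}
```

Run it as `perl -T untaint_otaker.pl` (or make it executable; perl refuses to enable -T from the shebang line if it was started without the switch). Every raw value reports tainted=1 and system_ok=0; only the inputs matching /^(\w+)$/ are accepted, and the captured copy reports tainted=0 and system_ok=1. Two caveats: taint mode does not inspect what DBI sends to the database, so the regex is the only thing standing between the form field and the qsearch() call, and untainting says nothing about other sinks, so the `print` that echoes the otaker back into the page still needs HTML escaping before it is safe.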