On Thursday 26 February 2004 23:13, Martin Stannard wrote:
> Hi Martin,
> The source for cgi.rb is a good place to start I found.

Fair point - I have looked at it - which is why I asked the questions about 
why it returns Tempfile/StringIO for an <input type="text">.  I still think 
it is logical to return a string here - keep the Tempfile for an actual file.

> Can't you tell by the name of the parameter? If you're naming them then
> you should know what to expect. Anyway it doesn't matter cause you treat
> them exactly the same. See pt 4 below.

Not really - I was planning on writing some generic code that handles files 
separately from String values (at a level where it does not know the names of 
the incoming parameters) ...

each parameter
	if parameter is an uploaded file
		copy file to known location
		pass filename to cgi script
	else
		pass value to cgi script
	end
end

My plan was to isolate the problems that have been reported on the list by 
having my generic code not need to know that it is receiving a multipart or 
normal form.  Patrick May posted an RCR (ruby-talk #35858) which moves 
towards this - although it doesn't fully work with the new StringIO stuff - 
it has provided some ideas.

I'll keep playing - but as has been pointed out to me off-list, the CGI 
library does have a vulnerability to a DoS attack that makes it not really 
suitable for production. (ruby-talk #83725).  From reading cgi.rb I don't 
think that this has been patched yet.

I'll move away from cgi.rb for the time being, thanks to everybody for the 
help.

Cheers,
Martin
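
The generic dispatch sketched in the message above, as an added example that is not part of the original post and is not code from cgi.rb. It assumes multipart values respond to `original_filename` and that the name is empty for ordinary fields; `MAX_UPLOAD_BYTES`, `safe_name`, `normalize_params` and `fake_part` are hypothetical names, and the sample form is constructed.

```ruby
require 'stringio'
require 'tmpdir'

MAX_UPLOAD_BYTES = 1_048_576 # assumed cap; choose one that suits the application

# Treat a value as an upload only when the client supplied a filename.
# Assumption: multipart values respond to #original_filename (empty for text fields).
def uploaded_file?(value)
  value.respond_to?(:original_filename) && !value.original_filename.to_s.empty?
end

# Reduce a client-supplied name to a bare, conservative basename.
def safe_name(client_name)
  base = client_name.to_s.split(/[\\\/]/).last.to_s
  base = base.gsub(/[^A-Za-z0-9._-]/, '_').sub(/\A\.+/, '')
  base.empty? ? 'upload.bin' : base
end

# Returns { name => String }; an upload is replaced by the path it was stored at.
def normalize_params(params, upload_dir)
  params.each_with_object({}) do |(name, value), out|
    if uploaded_file?(value)
      data = value.read(MAX_UPLOAD_BYTES + 1).to_s
      raise ArgumentError, "upload #{name} too large" if data.bytesize > MAX_UPLOAD_BYTES
      path = File.join(upload_dir, safe_name(value.original_filename))
      # EXCL refuses to overwrite an existing file of the same name.
      File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
      out[name] = path
    else
      out[name] = value.respond_to?(:read) ? value.read.to_s : value.to_s
    end
  end
end

# Constructed stand-in for a multipart value: a StringIO carrying a filename.
def fake_part(body, filename = '')
  io = StringIO.new(body)
  io.define_singleton_method(:original_filename) { filename }
  io
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    form = { 'title' => fake_part('My report'), 'doc' => fake_part('PDF bytes', '../../report.pdf') }
    p normalize_params(form, dir)
  end
end
```

The script that receives the result sees only strings: field values for ordinary inputs and a stored path for uploads, whether the form was multipart or not.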