/* Name.c
   Author:   Howard Seltman
   Date:     7 March 2007
   Purpose:  General html form to text database utility
   Compile:  cc -Wall -ocgiwrite cgiwrite.c 
   CGI names are whatever you want (up to 50 of them) plus "dbname" and optionally "returnURL".
   Test Usage: echo "a=factor&d=analysis&dbname=mydb.txt" | cgiwrite
   Debug Usage: #define TESTLINE ---
   HTML Usage: 
   <form method=post action="URL-OF-YOUR-CGI-DIRECTORY/cgiwrite">
   <h2>Data collection for foobar</h2></a>
   <b> Foo information: </b>
   <p> Name: <input name="fooname" type=text size="20"> 
       Size: <input name="foosize" type=text size="10"></p>
   <p> Bar information </b>
   <p> Name: <input name="barname" type=text size="20">
       Size: <input name="barsize" type=text size="10"></p>
       <input name="dbname" type=hidden value="FooBar.txt">
       <input name="returnURL" type=hidden value="http://www.stat.cmu.edu/">
   <p> <input type=submit> <input type=reset></p>
   </form>


   Setup in Unix/Linux (for security reasons):
   In the cgi directory, edit or create dbPermissions.txt.  Each line is
   the name of a "database" file, then a space, then the maximum number of
   bytes allowed (to prevent evildoers from overloading your file system).
   Then create the empty database (say FooBar.txt) with a command like
   "touch FooBar.txt" followed by "chmod g+w FooBar.txt".  For privacy,
   also do "chmod g-r FooBar.txt".

   Additional hidden field allowed: <input name="IP" type=hidden value="IP">
   will cause IP address of submitter to go into the database.

   Additional hidden field allowed: <input name="Timestamp" type=hidden value="TS">
   will cause a timestamp to go into the database.

   Additional hidden field allowed: <input name="redirect" type=hidden value="http://YOUR-URL">
   will cause a successful data submission to jump directly to this web page.

   Change defines below if you want more than 2048 characters total input per
   form or 512 per field or 50 fields.
*/

#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <errno.h>
#include <string.h>
#include <ctype.h>
#define LINE_LEN 2048
#define ITEM_LEN 512
#define MAX_FIELDS 50
#define xtod(c) ((c>='0' && c<='9')?c-'0':((tolower(c)>='a' && \
                 tolower(c)<='f')?tolower(c)-'a'+10:0))
#define DEFAULT_RETURN_URL "http://www.stat.cmu.edu/"
#define PERMISSIONS "dbPermissions.txt"
#define TIME_MAX 60

/*#define TESTLINE "a=factor&d=analysis&dbname=mydb.txt&Timestamp=TS"*/

int main(int argc, char **argv, char **environ) {
  char line[LINE_LEN], dbname[LINE_LEN]="", returnURL[LINE_LEN]="", redirect[LINE_LEN]="";
  char *atozfields[MAX_FIELDS];
  char *pc, *pcr, *pcw, *pcip;
  int len;
  FILE *db;
  int i, itmp, incount=0;
  int maxbytes=0, filebytes=0, addbytes;
  struct stat statbuf;
  struct tm *tmptr;
  time_t tm;
  char timestring[TIME_MAX];


  /* allocated a to z space */
  if ((atozfields[0]=malloc(sizeof(char)*MAX_FIELDS*ITEM_LEN))==0) {
    printf("Content-type: text/html\n\n");
    printf("<html>\n<body>\nError: Can't allocate enough memory.\n<\\body>\n<\\html>\n");
    printf("<p><a href=\"%s\">Stat Home</a>\n", DEFAULT_RETURN_URL);
    return EXIT_FAILURE;
  }
  for (i=0; i<MAX_FIELDS; i++) {
    atozfields[i]=atozfields[0]+i*ITEM_LEN;
    atozfields[i][0]='\0';
  }
 
  /* Parse CGI input line, e.g. a=Howard&b=&g=faculty&dbname=mydb.txt */
  /* To test outside of cgi/HTML, define e.g. TESTLINE "a=Howard&b=&g=fac&dbname=mydb.txt" */
  #if (defined(TESTLINE))
    strncpy(line,TESTLINE,LINE_LEN);
    line[LINE_LEN-1]='\0';
  #else
    fgets(line,LINE_LEN,stdin);
  #endif

  /* load inputs a-z and dbname and optional return link, returnURL */
  pc=strtok(line,"&");
  while (pc!=0) {
    /* convert weird HTML codes to ASCII */
    pcw=pcr=pc;
    while (*pcr!='\0') {
      if (*pcr=='+' || *pcr=='\n' || *pcr=='\r') {
        *pcw++=' ';
        pcr++;
        continue;
      }
      if (*pcr=='%' && isxdigit(pcr[1]) && isxdigit(pcr[2])) {
        itmp=(16*xtod(pcr[1])+xtod(pcr[2]));
        if (itmp==10 || itmp==13) {   /* LF or CR */
          *pcw++=' ';
        } else {     
          *pcw++=(char)itmp;
        }
        pcr+=3;
        continue;
      }
      *pcw++=*pcr++;
    }
    *pcw='\0';

    len=strlen(pc);
    if (strncmp(pc,"dbname=",7)==0 && len>7) {
      strncpy(dbname,pc+7,LINE_LEN);
      dbname[LINE_LEN-1]='\0';
    } else if (strncmp(pc,"returnURL=",10)==0 && len>10) {
      strncpy(returnURL,pc+10,LINE_LEN);
      returnURL[LINE_LEN-1]='\0';
    } else if (strncmp(pc,"redirect=",9)==0 && len>9) {
      strncpy(redirect,pc+9,LINE_LEN);
      redirect[LINE_LEN-1]='\0';
    } else {
      if (incount<MAX_FIELDS) {
        strncpy(atozfields[incount],pc,ITEM_LEN);
        atozfields[incount][ITEM_LEN-1]='\0';
        if (strcmp(atozfields[incount],"IP=IP")==0) {
          pcip=getenv("REMOTE_ADDR");
          if (pcip==0) {
            strcpy(atozfields[incount]+3,"?");
          } else {
            strncpy(atozfields[incount]+3,pcip,ITEM_LEN-4);
          }
        } else if (strcmp(atozfields[incount],"Timestamp=TS")==0) {
          tm=time(NULL);
          tmptr=localtime(&tm);
          strftime(timestring, TIME_MAX-1, "%a %b %d %Y %R", tmptr);
          strncpy(atozfields[incount]+10,timestring,ITEM_LEN-11);
        }
        incount++;
      } else {
        printf("lost data: %s.\n<p>\n", pc);
      }
    }
    pc=strtok(0,"&");
  } 

  if (returnURL[0]=='\0') {
    strncpy(returnURL,DEFAULT_RETURN_URL,ITEM_LEN);
    returnURL[ITEM_LEN-1]='\0';
  }
  if (dbname[0]=='\0') {
    printf("Content-type: text/html\n\n");
    printf("dbname not specified in HTML.\n<p>\n");
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    return EXIT_FAILURE;
  }


  /* Check permissions */
  if ((db=fopen(PERMISSIONS,"r"))==NULL) {
    printf("Content-type: text/html\n\n");
    printf("Error: Can't open permissions file.\n<p>\n");
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    return EXIT_FAILURE;
  }
  len=strlen(dbname);
  while (!feof(db)) {
    if (fgets(line, LINE_LEN, db)==0) break;
    if (strncmp(dbname,line,len)!=0) continue;
    if (strlen(line)<len+2 || line[len]!=' ') continue;
    maxbytes=atoi(line+len+1);
    break;
  }
  fclose(db);
  if (maxbytes==0) {
    printf("Content-type: text/html\n\n");
    printf("Error: No permission to write file %s.\n<p>\n", dbname);
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    return EXIT_FAILURE;
  }

  /* Check length (and existence) of output db */
  i=stat(dbname, &statbuf);
  if (i!=0) {
    if (errno != ENOENT) {
      printf("Content-type: text/html\n\n");
      printf("Error: No permission to write file %s.\n<p>\n", dbname);
      printf("<p><a href=\"%s\">Return</a>\n", returnURL);
      return EXIT_FAILURE;
    }
  } else {
    filebytes=(int)statbuf.st_size;
  }
  if (filebytes>maxbytes) {
    printf("Content-type: text/html\n\n");
    printf("Error: database %s is full.\n<p>\n", dbname);
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    return EXIT_FAILURE;
  }

  /* Open db */
  if ((db=fopen(dbname,"a"))==NULL) {
    printf("Content-type: text/html\n\n");
    printf("Error: Can't open database %s.\n<p>\n", dbname);
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    return EXIT_FAILURE;
  }

  /* Write data in db */
  for (i=0; i<incount; i++) addbytes+=strlen(atozfields[i]);
  if (filebytes+addbytes<maxbytes) {
    for (i=0; i<incount; i++) fprintf(db, "%s\n", atozfields[i]);
  } else {
    printf("Content-type: text/html\n\n");
    printf("<title>Sorry</title>\n");
    printf("<h1>Sorry, your data was not saved; %s is at maximum size</h1>",dbname);
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
    fclose(db);
    return EXIT_FAILURE;
  }
  fprintf(db, "\n");
  fclose(db);


  /* write HTML  */
  if (redirect[0]=='\0') {
    printf("Content-type: text/html\n\n");
    printf("<title>Thank you</title>\n");
    printf("<h1>Thank you for submitting your data</h1>");
    printf("<p><a href=\"%s\">Return</a>\n", returnURL);
  } else {
    printf("Location: %s\n\n", redirect);
  }

 
  return EXIT_SUCCESS;
}