--- sql2xls.cgi	2008/11/03 20:32:44	13
+++ sql2xls.cgi	2008/11/03 22:26:57	18
@@ -8,19 +8,19 @@
 
 =head1 USAGE
 
-Each file in current directory which ends in C<< *.sql >> will
+Each file in current directory which ends in C<*.sql> will
 be converted to Excel sheet. If you want to have specific order, you can
 prefix filenames with numbers which will be striped when creating sheet
 names.
 
-Comments in sql files (lines beginning with --) will be placed
+Comments in sql files (lines beginning with C<-->) will be placed
 in first line in bold.
 
 To specify database on which SQL query is executed
-C<< \c database >> syntax is supported.
+C<\c database> syntax is supported.
 
 You can also run script from command line, and it will produce
-C<< sql_reports.xls >> file.
+C<sql_reports.xls> file.
 
 If run within directory, it will use files in it to produce file.
 
@@ -39,9 +39,28 @@
 
 in Apache's virtual host configuration to get nice URLs
 
+To configure default database, user, password and other settings create
+C<config.pl> file in same directory in which C<sql2xls.cgi> is with something
+like this:
+
+  $dsn      = 'DBI:mysql:dbname=';
+  $database = 'database';
+  $user     = 'user';
+  $passwd   = 'password';
+  $path     = 'sql_reports.xls';
+
+  $db_encoding     = 'utf-8';
+  $xls_date_format = 'dd.mm.yyyy';
+
+  $debug = 1;
+
+=head1 SECURITY
+
+There is none. Use apache auth modules if you need it.
+
 =head1 AUTHOR
 
-Dobrica Pavlinusic, dpavlin@rot13.org
+Dobrica Pavlinusic, dpavlin@rot13.org, L<http://svn.rot13.org/index.cgi/SQL2XLS/>
 
 =cut
 
@@ -66,15 +85,21 @@
 my $sql_dir = $ENV{SCRIPT_FILENAME} || '.';
 $sql_dir =~ s,/[^/]+$,,;
 
-my $config_path = "$sql_dir/config.pl";
-warn "# using $config_path\n";
-require $config_path if -e $config_path;
+sub require_config {
+	my $config_path = $1 if "$sql_dir/config.pl" =~ m/^(.+)$/; # untaint
+	warn "# using $config_path\n";
+	require $config_path if -e $config_path;
+}
+
+require_config;
 
 my $reports_path = $ENV{PATH_INFO};
 $reports_path =~ s/\.\.//g; # some protection against path exploits
 $reports_path ||= shift @ARGV; # for CLI invocation
 $sql_dir .= "/$reports_path" if -e "$sql_dir/$reports_path";
 
+require_config;
+
 warn "# reading SQL queries from $sql_dir\n" if $debug;
 
 opendir(DIR, $sql_dir) || die "can't opendir $sql_dir: $!";
@@ -97,6 +122,7 @@
 my $dbh = DBI->connect($dsn . $database,$user,$passwd, { RaiseError => 1, AutoCommit => 0 }) || die $DBI::errstr;
 
 sub _c {
+	return shift unless $db_encoding;
 	return decode( $db_encoding, shift );
 }