http://qs321.pair.com?node_id=155709

Fingo has asked for the wisdom of the Perl Monks concerning the following question:

I am working on a site based on the CGI.pm module which will allow a large amount of user interaction. What are some techniques for securing against hackers? Are there any good reasources on the web or in print that I should read?



Thanks,

	Max

2002-04-01 Edit by Corion : Tamed the runaway pre tag

Replies are listed 'Best First'.
Re: Securing CGI scripts
by rob_au (Abbot) on Apr 01, 2002 at 05:45 UTC
[reply]
Re: Securing CGI scripts
by grep (Monsignor) on Apr 01, 2002 at 05:33 UTC
[reply]
(podmaster) Re: Securing CGI scripts
by PodMaster (Abbot) on Apr 01, 2002 at 06:50 UTC
[reply]
Re: Securing CGI scripts
by cjf (Parson) on Apr 01, 2002 at 10:22 UTC

    The Essential CGI Security Practices thread gives a good overview of... Essential CGI Security Practices ;-). Make sure to read all the replies in the thread as well.

[reply]
Re: Securing CGI scripts
by Sinister (Friar) on Apr 01, 2002 at 14:57 UTC
    One of the more simple tricks, of the base security features is running perl with the -T switch (which means perlTaint on.) This forces you to have your programs review all input, whenever it is going to do something (d/r)isky ;^)

    er formait hyarya.
    "Field experience is something you don't get until just after you need it."
[reply]
Re: Securing CGI scripts
by brianarn (Chaplain) on Apr 01, 2002 at 19:26 UTC
    I do like a lot of the online resources, including Ovid's tutorial, but sometimes I'm really pedantic and like to have an actual book in front of me.

    I'd recommend CGI Programming with Perl, 2nd Ed from O'reilly (please forgive me, but I can't remember the author ATM). Chapter 9 is about security, including taint checking with -T. It also gives some great general advice, and demonstrates various styles of creating your CGI scripts (such as using the CGI module via a functional or OOP style interface, or having CGI generate your HTML versus using a here doc)

    ~Brian
[reply]
[d/l]

Back to Seekers of Perl Wisdom