Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

Re: Web form security

by Masem (Monsignor)
on Jul 30, 2001 at 17:18 UTC ( [id://100852]=note: print w/replies, xml ) Need Help??


in reply to Web form security

When writing anything bound for CGI use, you should invoke it with the -T (taint) option, as it will tell you what data has been presented by the user, and which operations will be potentally bad (such as what you have above).

CGI.pm has no provisions for this, as it highly recommends staying to the param() function.

A better solution in your case is to create an array of allowed variable names, and then only read variable names from the form that are in this group, eg: 

my @safe_vars = qw( name address phone age );
...
@names = $q->param;
foreach $name(@names){
    if ( grep { $_ eq $name } @safe_vars ) {
        $$name=$q->param($name);
        #print $name, ': ', $$name, '<BR>';
    }
}

[download]
(TMTOWTDI, of course, but the general idea is there).

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://100852]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others contemplating the Monastery: (5)
As of 2024-04-19 13:23 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found