Your skill will accomplish what the force of many cannot |
|
PerlMonks |
Re: Re: Web form securityby Masem (Monsignor) |
on Jul 30, 2001 at 18:52 UTC ( [id://100889]=note: print w/replies, xml ) | Need Help?? |
There's still danger in this, even if it's not through perl internals.
Say I have variable $chargecustomerscard which, later in the code, which actually does the monetary processing in my script. Normally, this variable is only set after the status is determined from a database query, cookie checks, etc. Certainly this variable name is sufficiently hidden from the end user since they can't see the script. But if a more malicious user were to discover that this variable exists, and that one is populating the variable space by the methods used here, then that user could easily "overwrite" the correct value of that variable just by generating the right URL request, and cause numerous problems. It's nearly always better to explicitly define what you are looking for than to exclude the cases you don't want to look for when it comes to security in this fashion.
-----------------------------------------------------
In Section
Seekers of Perl Wisdom
|
|