Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

importing CGI parameters (boo)

by boo_radley (Parson)
on Jul 30, 2001 at 18:59 UTC ( [id://100891]=note: print w/replies, xml ) Need Help??


in reply to Web form security

Your method of importing variables is maybe not the best way to go about things. from CGI's POD :
IMPORTING ALL PARAMETERS INTO A NAMESPACE: $query->import_names('R'); This creates a series of variables in the 'R' namespace. For example, $R::foo, @R:foo. For keyword lists, a variable @R::keywords will appear. If no namespace is given, this method will assume 'Q'. WARNING: don't import anything into 'main'; this is a major security risk!!!! In older versions, this method was called import(). As of version 2.20, this name has been removed completely to avoid conflict with the built-in Perl module import operator.
And, looking in CGI's source code (v. 2.74), we see the following inside of import_name : 
    # protect against silly names
    ($var = $param)=~tr/a-zA-Z0-9_/_/c;
    $var =~ s/^(?=\d)/_/;

[download]
which will only check the validity of the parameter's name; its value may still be malicious in some fashion. See perlsec for more on dealing with this type of 'tainted' data.

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://100891]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (4)
As of 2024-04-23 22:47 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found