PerlMonks  

CGI qw/:standard/;

by nine9 (Novice)
on Jan 05, 2000 at 00:16 UTC

nine9 has asked for the wisdom of the Perl Monks concerning the following question:

I've got this index thing on a website of mine that works out what you want from it by getting options from the QUERY_STRING environment variable. Someone said I should be using CGI.pm to do the actual working out of the arguments for me, and someone else said I should use something called CGI qw/:standard/; ... What are they? Basically I'm afraid of someone writing something like index.pl?node=root; rm -rf in some way that gets past my parser. I want to secure against that. Any suggestions?

Re: CGI qw/:standard/;
by chromatic (Archbishop) on Jan 23, 2000 at 05:30 UTC
    If you're concerned about invalid or malicious data, I'd suggest also enabling Taint checking in your scripts. At the start, on the hash bang line, add -T:

    #!/usr/bin/perl -wT

    That will cause the interpreter to see if you're interpreting any user data insecurely. It won't catch everything, but it will catch some nasty things.

    Also, CGI takes most of the work out of handling CGI stuff. You'll probably love it once you figure it out.

Re: CGI qw/:standard/;
by Anonymous Monk on Jan 06, 2000 at 00:10 UTC
    The CGI qw/:standard/ just imports the functions and variables that CGI.pm lumps in the "standard" export group. That includes things like cookie(), header(), param(), blah blah blah.

    Using CGI.pm and param() is a nice, easy way to get to the args passed to your program. Just instantiate a CGI object ($cur_cgi = CGI->new()) and use the param method with the name of the arg you want to grab.

    IOW:

    $arg = $cur_cgi->param('arg_name'); # grabs from GET and POST as necessary

    Of course, this only works really well when you know what args you'll be looking for. If you need something more dynamic, stick with parsing the QUERY_STRING in the way that best suits you.
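Putting the two replies above together, here is an added example (not code from this thread) of a small index script that runs under -T, reads the node argument with param() from the :standard export group, and untaints it against a whitelist pattern before it is used anywhere. The untaint_node sub, the allowed-character pattern and the fixed PATH are my assumptions, not anything the posters wrote.

```perl
#!/usr/bin/perl -wT
# Added example: taint mode plus CGI.pm param() with whitelist untainting.
use strict;
use warnings;
use CGI qw/:standard/;

# Under -T, everything that arrives from the request (including param())
# is tainted and is refused by system(), exec(), backticks, open() and
# friends until it has been passed through a regex capture. Taint mode also
# refuses to run external commands with an untrusted PATH, so pin it here.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns the validated node name, or undef if the value is unacceptable.
# Only letters, digits, underscore and hyphen are allowed, so a value such
# as "root; rm -rf" never gets past this point. The capture $1 is untainted.
sub untaint_node {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,40})\z/ ? $1 : undef;
}

# Force scalar context: param() in list context returns all values.
my $node = untaint_node( scalar param('node') );

print header('text/html');
if ( defined $node ) {
    # $node is now safe to use, e.g. as a filename under a fixed directory
    # (open my $fh, '<', "/var/www/nodes/$node.txt" would be accepted by -T).
    # escapeHTML keeps it from being interpreted as markup on output.
    print start_html('Index'),
          p( 'Showing node: ' . CGI::escapeHTML($node) ),
          end_html;
}
else {
    print start_html('Index'),
          p('Invalid or missing node parameter'),
          end_html;
}
```

Without the regex capture, an attempt to pass the raw parameter to a shell or to open() dies under -T with an "Insecure dependency" error, which is exactly the class of mistake the original question is worried about.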
