Re: 3Re: HTML::Template, CGI - concatenating strings & variables

by Lori713 (Pilgrim)
on Nov 17, 2003 at 20:15 UTC [id://307813]

in reply to 3Re: HTML::Template, CGI - concatenating strings & variables
in thread HTML::Template, CGI - concatenating strings & variables

I see what you mean by error checking first. As it turns out, the $rpt_id variable is actually set by the value of the radio button that is clicked; the user doesn't actually do anything but click on the radio button to indicate which report they want.

I am especially appreciative of your help/comments/suggestions about how to improve my code with regards to security. This is a big concern to me since I'm new at this. I've already received an agreement from our dba's to review my code for security holes after I get my initial draft completed, but it's nice to get the holes filled before showing it to them!

Thanks!

Lori

Replies are listed 'Best First'.
5Re: HTML::Template, CGI - concatenating strings & variables
by jeffa (Bishop) on Nov 17, 2003 at 20:20 UTC

    "... the user doesn't actually do anything but click on the radio button to indicate which report they want."

    Even though you "narrow the choices" on the interface, the user doesn't have to use the interface. Instead they could submit a GET query directly:

    # contrived example
    http://foo.com/cgi-bin/form.cgi?rpt_id=../../../etc/password
    or use a web bot, etc. Even though 99% of the people don't know about this, the 1% that does is 100% of the devious people you need to worry about. ;)

    Cheers :)

    jeffa

    L-LL-L--L-LL-L--L-LL-L--
    -R--R-RR-R--R-RR-R--R-RR
    B--B--B--B--B--B--B--B--
    H---H---H---H---H---H---
    (the triplet paradiddle with high-hat)
    
      I've tried putting "-T" on the shebang line, but then I get error messages saying it can't "find HTML::Template in @INC blah blah blah..."

      Did I misunderstand how to set up taint checking in the .pl scripts?

      Lori

Re: Re: 3Re: HTML::Template, CGI - concatenating strings & variables
by jgallagher (Pilgrim) on Nov 17, 2003 at 20:26 UTC
    Keep in mind that just because you have radio buttons laid out with specific id numbers doesn't mean the user has to actually use those; there's nothing preventing them from manually setting rpt_id to "/etc/passwd", for example. In short, never, ever trust user input; always check it as shown above.
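The check the replies above are asking for, written out as an added example that is not code from anyone in this thread: rpt_id is only ever used to look up a server-side table of known reports, and the script runs under -T so an unchecked value cannot reach open() or a shell. The report names in %REPORTS and the `use lib` path are made-up placeholders.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): whitelist validation of rpt_id
# under taint mode. Report names below are constructed placeholders.
use strict;
use warnings;
use CGI;

# Under -T perl ignores PERL5LIB/PERLLIB, which is one reason modules
# "can't be found in @INC" once -T is on the shebang line. Add the
# directory explicitly instead (assumed path, adjust for your site):
# use lib '/home/lori/perl/lib';

# Every report this CGI may produce, keyed by the value the matching
# radio button submits. Anything not in this hash is rejected.
my %REPORTS = (
    1 => 'sales_summary.tmpl',
    2 => 'inventory.tmpl',
    3 => 'payroll.tmpl',
);

# Returns the template filename for a submitted rpt_id, or undef when
# the value is missing, malformed or not a known report id. The regex
# capture (\A...\z, not ^...$, so a trailing newline cannot slip by)
# is also what untaints the value for -T.
sub report_for {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($id) = $raw =~ /\A(\d{1,3})\z/ or return undef;
    return exists $REPORTS{$id} ? $REPORTS{$id} : undef;
}

my $q      = CGI->new;
my $tmpl   = report_for( scalar $q->param('rpt_id') );

unless ( defined $tmpl ) {
    # Reject rather than guess: "../../../etc/passwd", "", "1 2", etc.
    print $q->header( -status => '400 Bad Request' ), "Unknown report\n";
    exit;
}

# $tmpl is now a fixed, server-chosen filename, safe to hand to
# HTML::Template->new( filename => $tmpl ).
print $q->header, "Would render $tmpl\n";
```

From the command line CGI.pm's offline mode accepts name=value pairs, so `perl -T report.pl rpt_id=2` and `perl -T report.pl rpt_id=../../../etc/passwd` show the accept and reject paths without a web server.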
