PerlMonks  

Re: CGI (in)security

by Tomte (Priest)
on Jun 15, 2004 at 12:27 UTC ( [id://366852] )


in reply to CGI (in)security

points 1 to 3 are sensible, sane and recommended things to do, well done :D

regarding point 4:
I'd say move them away to a place outside the actual web directory like /usr/home/lib/perl/site_perl/5.X.Y/ or somesuch. At least protect the directory against direct access in your webserver configuration.

regarding point 6:
To prevent SQL injection and sub-shell exploits: use prepared SQL statements with placeholders, and untaint the CGI parameters you'll use in system (shell) calls to only allow what's necessary, parameter by parameter, not with a general rule! Using your approach, perfectly normal text I enter might look like I'm trying to be a 31337 h4x0r -- not really a good idea...

Edit: Updated numbering according to OP's editing

regards,
tomte


An intellectual is someone whose mind watches itself.
-- Albert Camus
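The two recommendations in the reply above (placeholders for SQL, and per-parameter untainting before a shell call) in one runnable script. This is an added example, not Tomte's code; it assumes DBI with DBD::SQLite is installed, and the table, column and parameter names (`users`, `username`, `report`, `limit`, `/var/reports/`) are invented for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): DBI placeholders, one allow-list
# per CGI parameter, and the list form of system() so no shell is involved.
# Assumes DBD::SQLite; table, columns, parameter names and paths are invented.
use strict;
use warnings;
use CGI;
use DBI;

# Taint mode refuses to run external programs with an untrusted environment.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

my $q = CGI->new;

# One allow-list per parameter: each rule states exactly what that parameter
# may contain. Input is accepted or rejected, never "cleaned up".
my %rule = (
    username => qr/^([a-z0-9_]{1,32})$/,
    report   => qr/^([a-z0-9_-]{1,40})$/,
    limit    => qr/^([1-9][0-9]{0,2})$/,
);

# Returns the untainted value (the regex capture) or undef when the input
# does not match that parameter's rule. A parameter without a rule is a bug.
sub untaint_param {
    my ($name) = @_;
    my $re  = $rule{$name} or die "no validation rule for parameter '$name'";
    my $raw = $q->param($name);
    return undef unless defined $raw;
    return $raw =~ $re ? $1 : undef;
}

# For contrast, the interpolating form the reply argues against: the input
# becomes part of the SQL text, so a quote character changes the query itself.
#   my $sth = $dbh->prepare("SELECT id FROM users WHERE username = '$name'");

# Placeholder form: the driver binds the value, the SQL text never changes.
sub find_user {
    my ($dbh, $name, $limit) = @_;
    my $sth = $dbh->prepare(
        'SELECT id, username FROM users WHERE username = ? LIMIT ?');
    $sth->execute($name, $limit);
    return $sth->fetchall_arrayref({});    # arrayref of hashrefs
}

# Shell call without a shell: the list form of system() hands the arguments
# straight to execve(), so ';', '|' and '`' would be literal bytes, and the
# report name has already been limited to [a-z0-9_-] by untaint_param().
sub print_report {
    my ($report) = @_;
    my $rc = system('/usr/bin/head', '-n', '20', "/var/reports/$report.txt");
    return $rc == 0;
}

# In-memory database with one constructed row so the script runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$dbh->do('INSERT INTO users (username) VALUES (?)', undef, 'alice');

my $name   = untaint_param('username');
my $limit  = untaint_param('limit') // 10;
my $report = untaint_param('report');

print $q->header('text/plain');
if (defined $name) {
    my $rows = find_user($dbh, $name, $limit);
    print "matched: ", scalar(@$rows), "\n";
} else {
    print "username rejected\n";
}
if (defined $report) {
    print_report($report) or print "report unavailable\n";
}
```

CGI.pm accepts `name=value` pairs on the command line, so the script can be tried outside a web server with `perl -T cgi_example.pl username=alice limit=5 report=daily` (the `-T` must be given on the command line, otherwise Perl complains that it is too late to enable taint mode). A username such as `x' OR '1'='1` is simply rejected by the rule for `username`, and even if a rule were too loose, the placeholder keeps it from altering the query.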

Re^2: CGI (in)security
by kiat (Vicar) on Jun 15, 2004 at 12:34 UTC
    Thanks tomte!

    I'm using a shared server so I don't have the privilege of moving the Perl modules to the location you suggested.

    As for sql injection prevention, what you said is very true. It's something I'm just learning to do so I'm not quite certain what my options are, hence the reason why I'm taking those 'desperate' measures. But I'll try hard to put your advice to use :)
