Re^5: CGI recipient Option


There's more than one way to do things
	PerlMonks

Re^5: CGI recipient Option

by iburrell (Chaplain)

on Sep 02, 2004 at 16:35 UTC ( #387983=note: print w/replies, xml )

Need Help??

in reply to Re^4: CGI recipient Option
in thread CGI recipient Option

Unfornately, hardcoded values in the form are just as insecure as regular form values. There are two ways to attack a script. One is to put values in the form; hidden fields are safe from this. The other is to construct a fake POST after looking at the form. This is easy to do, and any value can be passed for any form field.

If you can, hardcoding the values in the script or a config file is much safer. You might not be able to if the values depend on which page is doing the calling, or is coming from a select box.

With fixed form fields, your validation job is easier. You know exactly what values are present in the page and what their format is. You don't need to accept input from people who will enter all kinds of stuff. You don't have to worry about nice error message. If there is an illegal value in a hidden form field, either there is a bug or someone is making an attack.

Comment on Re^5: CGI recipient Option

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://387983]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others lurking in the Monastery: (6)

As of 2023-11-29 11:40 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

No recent polls found

Notices^?