comment on

There's still danger in this, even if it's not through perl internals.

Say I have variable $chargecustomerscard which, later in the code, which actually does the monetary processing in my script. Normally, this variable is only set after the status is determined from a database query, cookie checks, etc.

Certainly this variable name is sufficiently hidden from the end user since they can't see the script. But if a more malicious user were to discover that this variable exists, and that one is populating the variable space by the methods used here, then that user could easily "overwrite" the correct value of that variable just by generating the right URL request, and cause numerous problems.

It's nearly always better to explicitly define what you are looking for than to exclude the cases you don't want to look for when it comes to security in this fashion.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain

In reply to Re: Re: Web form security by Masem
in thread Web form security by earthboundmisfit

Are you posting in the right place? Check out Where do I post X? to know for sure.
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
Want more info? How to link or How to display code and escape characters are good places to start.


more useful options
	PerlMonks