As already mentioned by someone who posted as Anonymous Monk, merlyn wrote an article, along with an example script (like always), on the best (and only) way cookies should be used (if they need to be used at all). Here's the article, which contains good advice and suggestions. Obey what you read here :)
Good article. Thanks, Merlyn! In this case, I'm using hidden form fields instead of cookies, cause I hate cookies and they're hard to handle.
That being said, definitely don't trust anything you get from the client...All data should be contained within a database, including prices (do NOT put prices in hidden html fields), all contact info, and anything else you can possibly think of.
Prices are in a Perl data structure that's refreshed every time one of the constituent scripts is accessed. Everything else is in a session DBM.
Also, make sure you expire the session from the database after a reasonable amount of inactivity. What is 'reasonable' is up to you, but don't leave inactive sessions around for too long, unless you want these picked up by somebody other than the original session creater :)
Done.
More from a view of making things work the way you expect, rather than security (but security can always hold a place in these things), is making sure the data you are being forced to receive from the client is the data you are expecting. What if a user tells your script they want 0.5 pairs of shoes?
if($q->param("$name:copies") =~ /^\d+$/) {
Are there any non-obvious security-related tips (i.e. besides "use taint checks well" and "encrypt credit card numbers" ...
Um... encrypting credit card numbers? No. Just don't do it. Don't even save the shopper's credit card number in your database
I was speaking about client-to-server. The (still encrypted) credit card number is e-mailed to the order-processing people; once they've processed it, all electronic data about the order is destroyed.
=cut
--Brent Dax
There is no sig.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|
