PerlMonks  
How do I make sure users can't enter values into a form that cause my CGI script to do bad things?

by vroom (Pope)
on Oct 08, 1999 at 00:32 UTC (node #768, perlfaq)

Current Perl documentation can be found at perldoc.perl.org.

Here is our local, out-dated (pre-5.6) version:

Read the CGI security FAQ, at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html, and the Perl/CGI FAQ at http://www.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html.

In brief: run the script with taint checks enabled (perl -T; see the perlsec manpage). Under taint mode every value that comes from outside your script (CGI parameters, %ENV, STDIN, @ARGV, file contents) is marked tainted, and perl dies rather than let such a value reach anything that affects the world outside the program: system(), exec(), backticks, string eval, open() for writing, unlink(), and so on. The only sanctioned way to clear the taint is to extract the acceptable part with a regular-expression capture, so match against an explicit allow-list of characters and reject anything that does not match. In addition to tainting, never use the single-argument form of system() or exec(): a single string is handed to /bin/sh, which interprets any shell metacharacters (;, |, backquotes, *, redirections) that arrived inside the user's data. Instead, supply the command and its arguments as a list of two or more elements; perl then runs the program directly with each element as one argument, so there is no shell and therefore no globbing or other metacharacter interpretation. (A list with only one element is treated exactly like the single-string form.) Note that tainting still applies to the list form: untaint the arguments first.
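The following script is an added example, not part of the FAQ text above, showing the two points together: taint mode refusing tainted data in both forms of system(), a regex capture untainting it against an allow-list, and the list form running the program without a shell. It assumes a Unix system with /bin/ls, and it uses a command-line argument as a stand-in for the CGI parameter (anything read from @ARGV is tainted under -T, just as a form field would be); the helper name untaint_filename is the example's own.

```perl
#!/usr/bin/perl -T
# Run as:  perl -T taint_demo.pl 'report.txt; rm -rf /'
#          perl -T taint_demo.pl report.txt
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, system()/exec() also refuse to run with an untrusted PATH or
# with IFS/CDPATH/ENV/BASH_ENV set, so clean the environment first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Stand-in for a CGI parameter (constructed input, no web server needed).
# Everything from @ARGV, STDIN, %ENV or a file is tainted under -T, so a
# command-line argument behaves exactly like $cgi->param('file') would.
my $file = shift @ARGV;
die "usage: perl -T $0 <file-name-as-submitted-by-user>\n" unless defined $file;
printf "'%s' %s tainted\n", $file, tainted($file) ? 'is' : 'is NOT';

# 1. Single-string form. Without -T this hands the whole string to /bin/sh,
#    so "; rm -rf /" would run. With -T perl dies before the shell ever sees
#    it; the eval only turns that fatal error into a printable message.
eval { system("ls -l $file") };
print "single-string system(): $@" if $@;

# 2. The list form alone is NOT enough: the argument is still tainted and
#    -T refuses it no matter how the command is spelled.
eval { system('/bin/ls', '-l', '--', $file) };
print "list-form system() on tainted data: $@" if $@;

# 3. The only sanctioned way to untaint is a capture against an explicit
#    allow-list; only what the capture group matched comes back clean.
#    Keep the pattern strict: this one admits plain names only, so '/', ';',
#    spaces and a leading '.' (hence '..') are all rejected.
sub untaint_filename {
    my ($raw) = @_;
    my ($clean) = $raw =~ /\A([A-Za-z0-9][\w.-]*)\z/;
    return $clean;    # undef when the input did not match the allow-list
}

my $clean = untaint_filename($file);
if (!defined $clean) {
    print "rejected: '$file' is not a plain file name\n";
    exit 1;
}
printf "'%s' %s tainted after untainting\n", $clean, tainted($clean) ? 'is' : 'is NOT';

# 4. List form with clean data: perl execs /bin/ls directly with one argv
#    entry per element, so no shell, no globbing, no metacharacters.
system('/bin/ls', '-l', '--', $clean) == 0
    or print "ls exited with status ", $? >> 8, "\n";
```

Invoke it with perl -T explicitly (or make it executable and run it directly); starting it as plain perl taint_demo.pl fails with "Too late for -T" because the shebang switch is only honoured when the kernel passes it to perl. With the malicious argument the script prints the two "Insecure dependency" refusals and then rejects the name at the allow-list; with report.txt it passes the capture and the final list-form system() runs ls on that one argument.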
