PerlMonks  

Re: Passing a regex from a CGI HTML form

by hippo (Bishop)
on Aug 31, 2016 at 17:13 UTC


in reply to Passing a regex from a CGI HTML form

Yes, there is. But doing so would be a massive security hole (because it's effectively arbitrary code execution) which is why nobody does it like that.

Perhaps this is an XY problem? Why do you want to have a user provide a function to your code - can you elaborate?

Re^2: Passing a regex from a CGI HTML form
by Linicks (Scribe) on Aug 31, 2016 at 17:28 UTC

    Thank you for the reply.

    It's a private page used by me and a co-worker at work to run a football competition every week for work mates.

    The data is scraped (manual copy 'n' paste) from a newspaper site and as the data now is produced on the fly, it is in a real mess - my code 'as is' now parses this and puts it in the format we require.

    Now, the issue is, every week or so, they change something, and my parser breaks (which can be fixed easily when I am at home!), but I am at work, so need a way to add new substitutions on the fly otherwise all hell breaks loose at work when the results are late!

    Basically, it's just a fail safe 'in case' and NO security issues at all raise their heads as it is only me doing the input :)

    Thanks, Nick

      ... NO security issues at all raise their heads as it is only me doing the input ...

      "Unfortunately, Dave, that sounds a lot like Famous Last Words." :)


      Give a man a fish:  <%-{-{-{-<

        I know what you mean, but it is only me that knows the page address (it's on the Internet, but no way can anybody know the address, let alone guess it) - let alone do the input.

        Nick

      Hi Linicks,

      Doing an eval or s///ee with a value supplied by a user on an HTML form is the equivalent of giving that user shell access to the machine. You keep saying that only you know the address of the machine, but if security by obscurity is your only security, then one day, for example if your page is discovered by a crawler, that'll mean game over for your server. That's why everyone has been saying to be very careful with eval and security by obscurity, and they are right!

      To make one more recommendation because I don't think it's been made yet: At least throw some HTTP digest authentication on there along with the SSL.

      Hope this helps,
      -- Hauke D
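      As an added illustration of the point above (this is not code from hippo, Hauke D or the original poster), the script below shows the two ways of applying a form-supplied substitution side by side: the `s///ee` form, which hands the replacement string to the Perl interpreter as code, and an alternative that treats both form fields purely as data. It assumes the form delivers two fields, a pattern and a replacement, here stood in for by constructed sample values; the function name `apply_substitution` is made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input standing in for the two CGI form fields.
my $text    = "Arsenal 2 - 1 Chelsea";
my $pattern = '(\w+) (\d+) - (\d+) (\w+)';
my $replace = '$1,$2,$3,$4';

# Unsafe form (shown commented out): with /ee the replacement string is
# eval'd as Perl, so whatever arrives in the form field runs as code
# under the web server's user.
#   (my $out = $text) =~ s/$pattern/$replace/ee;

# Safer form: compile the pattern with qr// (an interpolated pattern may
# not contain (?{ ... }) code blocks unless the script says "use re 'eval'",
# so a hostile pattern is rejected rather than executed) and expand only
# $N / ${N} backreferences in the replacement by hand, never via eval.
sub apply_substitution {
    my ($string, $pat, $repl) = @_;

    # eval only catches a malformed pattern; it does not run user code.
    my $re = eval { qr/$pat/ };
    return (undef, "bad pattern: $@") unless $re;

    my ($out, $last) = ('', 0);
    while ($string =~ /$re/g) {
        my ($start, $end) = ($-[0], $+[0]);

        # Snapshot the capture groups before any other regex runs,
        # because @- and @+ describe only the most recent match.
        my @groups = map {
            defined $-[$_] ? substr($string, $-[$_], $+[$_] - $-[$_]) : ''
        } 0 .. $#-;

        # Expand $1, ${2}, ... as plain text lookups into @groups.
        my $expansion = $repl;
        $expansion =~ s/\$\{?(\d+)\}?/ $1 <= $#groups ? $groups[$1] : '' /ge;

        $out .= substr($string, $last, $start - $last) . $expansion;
        $last = $end;
    }
    $out .= substr($string, $last);
    return ($out, undef);
}

my ($result, $err) = apply_substitution($text, $pattern, $replace);
print defined $err ? "error: $err\n" : "$result\n";
```

      The data-only version still lets a user supply a pattern that backtracks catastrophically, so a tight timeout or input-length limit on the request is still worth having; what it removes is the code-execution path that `eval` and `s///ee` open.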

        Hi Hauke D,

        Thanks for the reply. I have now implemented a bit of 'magic' in the form to only allow the script to be processed if known.

        As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?

        Lastly, something that nobody mentioned here - OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under?

        Thanks, Nick
