|Syntactic Confectionery Delight|
How do I make sure users can't enter values into a form that cause my CGI script to do bad things?
by vroom (Pope) on Oct 08, 1999 at 00:32 UTC
Current Perl documentation can be found at perldoc.perl.org.
Here is our local, outdated (pre-5.6) version:
Read the CGI security FAQ, at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html, and the Perl/CGI FAQ at http://www.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html.
In brief: use tainting (see the perlsec manpage), which makes sure that data from outside your script (e.g., CGI parameters, %ENV, STDIN) is never passed to eval or system calls until you have explicitly untainted it. In addition to tainting, never use the single-argument form of
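The following script, an added illustration rather than code from the FAQ or from Perl's own documentation, shows the two pieces of advice above working together: it runs under taint mode, untaints a CGI parameter by extracting only the characters it is willing to accept, and hands the result to an external command in the multi-argument (list) form so no shell is involved. The parameter name `file`, the data directory `/var/www/data`, and the use of `wc` are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# -T switches on taint mode: every value that arrives from outside the
# program (CGI parameters, %ENV, STDIN, file contents) is marked tainted,
# and perl dies with "Insecure dependency" rather than let a tainted value
# reach system(), exec(), backticks, or an open() for writing.
# Added example, not code from the FAQ; parameter name and paths are assumed.
use strict;
use warnings;
use CGI qw(param header);

# %ENV is tainted too, and PATH/IFS are inherited by any child process,
# so pin them before anything external runs (perl refuses to run a
# command with a tainted PATH at all).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Tainted: this string came straight from the HTTP request.
my $raw = param('file');
defined $raw && length $raw or die "missing 'file' parameter\n";

# Untainting: the only sanctioned way to launder a tainted string is to
# pull the acceptable part out with a regex capture. Capture groups are
# untainted; the original $raw stays tainted. The pattern below allows a
# single path component of word characters, dots and dashes, anchored at
# both ends, and refuses a leading dot (no ".." or hidden files) and any
# '/' (no directory traversal). Anything else aborts the request.
my ($name) = $raw =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z}
    or die "rejected file name\n";

my $dir  = '/var/www/data';   # assumed data directory
my $path = "$dir/$name";      # untainted, because both parts are

print header('text/plain');

# Multi-argument system(): the list goes directly to execve(), so no shell
# ever parses $path and characters such as ';' or '`' cannot become a
# second command. The single-string form, system("wc -l $path"), would
# hand the whole line to /bin/sh, which is exactly what the FAQ warns
# against.
my $status = system('/usr/bin/wc', '-l', $path);
$status == 0 or die "wc exited with status " . ($status >> 8) . "\n";
```

Two things to note when adapting this. First, the regex is the policy: if it is loosened to `(.*)` the value is technically untainted but nothing has been checked, and perl cannot tell the difference, so keep the allowed character class as narrow as the application permits. Second, -T only tracks data flow into dangerous operations; it does not protect against a tainted value being used to choose which file to read, so the allow-list above is doing real work, not just satisfying the interpreter.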