PerlMonks  

How do I make sure users can't enter values into a form that cause my CGI script to do bad things?

by vroom (Pope)
on Oct 08, 1999 at 00:32 UTC (#768=perlfaq)

Current Perl documentation can be found at perldoc.perl.org.

Here is our local, out-dated (pre-5.6) version:

Read the CGI security FAQ, at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html, and the Perl/CGI FAQ at http://www.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html.

In brief: use tainting (see the perlsec manpage), which makes sure that data from outside your script (e.g., CGI parameters) are never used in eval or system calls. In addition to tainting, never use the single-argument form of system() or exec(). Instead, supply the command and arguments as a list; the list is passed straight to the program without a shell, so no globbing or other shell metacharacter expansion is performed on the arguments.
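As an added worked example (not part of the FAQ text), here is a small Perl CGI script that applies both points: it runs under -T, untaints the one parameter it needs with a strict regex, and then invokes the external program with the list form of system(). The parameter name `file`, the directory `/var/www/data` and the call to `wc` are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# -T (taint mode) flags every value that comes from outside the script
# (%ENV, @ARGV, STDIN, the query string) and dies if one reaches system(), exec(),
# backticks or a file-modifying open().
use strict;
use warnings;

# Taint mode refuses to run external programs until PATH is a trusted literal.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string parser so the example needs no CGI.pm.
# "file=report.txt&x=1" becomes { file => 'report.txt', x => '1' }.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /[&;]/, ($qs // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        for ($k, $v) {
            next unless defined $_;
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;   # value is still tainted afterwards
        }
        $param{$k} = $v // '' if defined $k;
    }
    return \%param;
}

# Untainting: the only way to clear the taint flag is to capture the wanted
# part with a regex. Allowing a plain file name only also rules out "../".
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return undef;
}

my $param = parse_query($ENV{QUERY_STRING});
my $file  = untaint_filename($param->{file});    # assumed parameter name

print "Content-Type: text/plain\r\n\r\n";
if (!defined $file) {
    print "Rejected: 'file' must be a plain file name\n";
    exit 0;
}

# List form of system(): program and arguments go straight to execvp(), so no
# shell sees them and ; | ` * are ordinary bytes. The one-string form
# system("wc -l $file") would hand the string to /bin/sh instead.
my $status = system('/usr/bin/wc', '-l', "/var/www/data/$file");   # assumed path
print $status == -1 ? "could not run wc: $!\n" : "wc exited with status " . ($status >> 8) . "\n";
```

Run it locally as `QUERY_STRING='file=report.txt' perl -T script.pl`; Perl refuses to start with "Too late for -T" if the shebang asks for -T but the command line does not.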
