PerlMonks  

Modifying values in HTML form

Categorized question #140664
Contributed by kiat on Jan 22, 2002 at 19:06 UTC


Description:

Hi,

I understand that it's possible to save an HTML form from the website and alter the values in the form. Examples of values that can be modified are textfield values or hidden values. In doing so, the person can modify the behaviour of the CGI script to his desires. How can a CGI script be written so that it can detect whether it is called directly from the server or via the person's computer (of course, the script would still be called from the server)? If this is not possible, what safeguards are there to prevent such a scenario?

Thanks in anticipation :)

kiat

Answer: Modifying values in HTML form
contributed by Biker

You must verify that all 'important' values are 'reasonable' when they come up to your .cgi application.
For instance, the price for an article that the visitor is going to buy should not be stored on the client side. Or at least, your .cgi application should not use it. Because a smart(?) client could change it and buy your product for 1 cent. Or for -100 dollars. (Hup! Will you send the money with the product? :-)

Some basic rules of thumb:
- Almost anything provided by the visitor may be stored in the visitor's browser.
- Anything provided by your site cannot be trusted if it's been down to the client. You must verify and check it again. (Like using the price from your database, not from the client browser.)
- If you want to give the visitor some sort of safety, like using a password or such, it will become even more complicated.

Best regards
Biker

Answer: Modifying values in HTML form
contributed by gav^

You have several options:

  • You can use $ENV{HTTP_REFERER} (or, more simply, $cgi->referer) to make sure that your script is being submitted from the right place.
  • You could do an MD5 checksum of all the hidden fields to make sure they haven't changed.
  • You could use something like CGI::EncryptForm to encrypt the data so it can't be changed.
  • You could not store anything in hidden fields and use sessions instead (see Apache::Session).

You definitely don't want to accept things like prices from form fields (I know of one major e-commerce system that does).

Hope this helps.

gav^
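The checksum-over-hidden-fields option above, as an added example that is not part of this thread: the digest is keyed with a server-side secret (a plain MD5 the client can recompute detects nothing), and the submission is rejected when the recomputed value differs. The secret, field names and sample values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret; never sent to the client. (Constructed placeholder.)
my $SECRET = 'replace-with-a-long-random-server-secret';

# Canonicalise the hidden fields (sorted, NUL-separated so "a=1&b=2" style
# ambiguities cannot arise) and compute a keyed digest over them.
sub sign_fields {
    my (%fields) = @_;
    my $canonical = join "\0", map { "$_\0$fields{$_}" } sort keys %fields;
    return hmac_sha256_hex($canonical, $SECRET);
}

# Emit the hidden fields plus their signature for the form.
# Values here contain no HTML metacharacters; escape them in real output.
sub hidden_inputs {
    my (%fields) = @_;
    my $sig = sign_fields(%fields);
    my $html = join '', map {
        qq(<input type="hidden" name="$_" value="$fields{$_}">\n)
    } sort keys %fields;
    return $html . qq(<input type="hidden" name="sig" value="$sig">\n);
}

# On submission: recompute the signature over the submitted fields and
# compare it in constant time before trusting any of them.
sub verify_fields {
    my ($submitted_sig, %fields) = @_;
    my $expected = sign_fields(%fields);
    return 0 unless length($submitted_sig) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($submitted_sig, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

# Constructed demonstration: the signed form, an honest submission, and a
# submission where the saved HTML was edited to change the price.
my %form = (item_id => 'SKU-42', price_cents => '1999');
print hidden_inputs(%form);
my $sig = sign_fields(%form);
print "unchanged: ", (verify_fields($sig, %form) ? "ok" : "REJECT"), "\n";
my %tampered = (%form, price_cents => '1');
print "tampered:  ", (verify_fields($sig, %tampered) ? "ok" : "REJECT"), "\n";
```

This only detects edits to values the server itself put in the form; as the answer says, a price should still be looked up server-side rather than accepted from any form field.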

Answer: Modifying values in HTML form
contributed by drinkd

Basically, a script to programatically read/write web pages is just a custom browser. The whole idea of the www client/server model is that any kind of browser can be used and the server doesn't know beans, except what the client tells it. As such, what you say is impossible.

That being said, there are a number of loopholes that you can use. merlyn (of course), for example, has an article that shows how to make life hard for robot scripts purporting to be real-life browsing people by showing a picture of a random number or word and making the browsing person type in what they see. There are other ways to make it hard but not impossible for scripts to pretend to be people browsing. LOL

drinkd
