in reply to Web Security
Is there really that lack of clues out there? I don't know whether to be more scared or saddened.
Unfortunately, yes there is. Code like this, and worse, is used everywhere. And it's often very easy to find, even without the code. There are a lot of domain name providers that have whois lookup scripts to check if a certain domain is available. Many of those use qx// with raw, unparsed (and apparently never tainted) user input. Strangely, the domain perl.com; echo 'No match for "PERL.COM".' often is available.
Size of the company seems not to matter. Small and large companies both have incompetent coders. I am saddened, but a bit scared too. Maybe Perl should be harder, to avoid clueless people from coding without reading documentation?
- Yes, I reinvent wheels.
- Spam: Visit eurotraQ.