How do I make sure users can't enter values into a form that cause my CGI script to do bad things?

Read the CGI security FAQ, at http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html, and the Perl/CGI FAQ at http://www.perl.com/CPAN/doc/FAQs/cgi/perl-cgi-faq.html.

In brief: use tainting (see the perlsec manpage), which makes sure that data from outside your script (e.g., CGI parameters) is never used in eval or system calls. In addition to tainting, never use the single-argument form of system() or exec(). Instead, supply the command and arguments as a list, which keeps the data out of the shell and so prevents shell globbing.
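The two measures the answer names, as an added example that is not part of the original FAQ: a script run under -T that untaints a form value with an allow-list regex and then invokes the external program through the list form of system(). The sample inputs are constructed, and /bin/echo stands in for whatever helper program the real script would run.

```perl
#!/usr/bin/perl -T
# Added example, not from the FAQ: taint mode plus list-form system().
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed sample inputs standing in for a CGI parameter. Appending a
# tainted empty string (cut from %ENV before we reset it) taints them, just
# as real form data read from STDIN or QUERY_STRING would be under -T.
my $taint_marker = substr($ENV{PATH} // '', 0, 0);
my @samples = map { $_ . $taint_marker } ('alice', 'alice;uptime', 'a b*');

# %ENV is tainted too: set PATH explicitly and drop the variables a shell
# would read, or system() dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to untaint is a regex capture. Allow-list the exact shape
# you accept and reject everything else instead of trying to strip bad
# characters out.
sub untaint_user {
    my ($value) = @_;
    return $1 if $value =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    die "rejected user name\n";
}

for my $raw (@samples) {
    my $user = eval { untaint_user($raw) };
    if (!defined $user) {
        print "rejected: '$raw'\n";
        next;
    }
    printf "accepted: '%s' (tainted now: %d)\n", $user, tainted($user) ? 1 : 0;

    # Single-string form: Perl hands the string to /bin/sh when it contains
    # shell metacharacters, so ';', '|', '*' in the data would be interpreted.
    # With tainted $raw, -T aborts this line with "Insecure dependency".
    #   system("/bin/echo lookup $raw");

    # List form: each element becomes one argv entry and no shell is
    # involved, so metacharacters are just bytes. /bin/echo stands in for
    # a real lookup program.
    system('/bin/echo', 'lookup', $user) == 0
        or die "lookup failed: exit status $?\n";
}
```

Run it as `perl -T script.pl`; only 'alice' is accepted, the other two constructed values are rejected before any external command is reached.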


Source: Perl FAQ: Networking
Copyright: Copyright (c) 1997 Tom Christiansen and Nathan Torkington.
Next: How do I parse an email header?

Previous: How do I edit my .htpasswd and .htgroup files with Perl?

RocketAware.com is a service of Mib Software
Copyright 2000, Forrest J. Cavalier III. All Rights Reserved.