FAQ 9.13: How do I make sure users can't enter values into a form that cause my CGI script to do bad things? 

(This excerpt from perlfaq9 - Networking
    ($Revision: 1.25 $, $Date: 1999/04/14 03:46:19 $)
part of the standard set of documentation included with every
valid Perl distribution, like the one on your system.
See also http://www.*-*-*.com/
if your negligent system administrator has been remiss in his duties.)

  How do I make sure users can't enter values into a form that cause my CGI script to do bad things?

    Read the CGI security FAQ, at
    http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html, and the
    Perl/CGI FAQ at http://www.*-*-*.com/

    In brief: use tainting (see the perlsec manpage), which makes sure
    that data from outside your script (e.g., CGI parameters) are never
    used in `eval' or `system' calls. In addition to tainting, never
    use the single-argument form of system() or exec(). Instead, supply
    the command and arguments as a list, which prevents shell globbing.

--
 "Unix isn't fun anymore" -- Rob Pike.



Sat, 27 Oct 2001 03:00:00 GMT  
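As an added illustration of the two points in the post above (not part of the original FAQ text or the perlfaq): a minimal CGI script that runs under -T, untaints one form field with an allow-list regex, and invokes the external program with the list form of system(). The field name `host` and the `/usr/bin/host` binary are assumptions for the example.

```perl
#!/usr/bin/perl -T
# -T turns on taint mode: every byte that arrives from the request is
# tainted and Perl refuses to pass it to system(), exec(), backticks or
# eval until it has been extracted with a regex capture.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode also refuses to run external programs while PATH (and a few
# shell-influencing variables) could have been set by the caller.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Minimal query-string reader (assumed field name "host"); CGI.pm or a
# framework would normally do this part.
sub query_param {
    my ($name) = @_;
    for my $pair (split /[&;]/, $ENV{QUERY_STRING} // '') {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k eq $name;
        $v //= '';
        $v =~ tr/+/ /;
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        return $v;    # still tainted: derived from QUERY_STRING
    }
    return;
}

# Untaint with an allow-list, not a deny-list: only hostname characters,
# and no leading "-" so the child program cannot mistake it for an option.
sub untaint_host {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/;
    return $clean;    # undef when the value did not match
}

my $host = untaint_host(query_param('host'))
    or die "missing or malformed host parameter\n";
die "host is still tainted" if tainted($host);   # belt-and-braces check

print "Content-Type: text/plain\r\n\r\n";

# The single-argument form would hand the whole string to /bin/sh:
#     system("host $host");        # shell metacharacters in $host run as code
# The list form executes the program directly: no shell, no globbing.
my $rc = system('/usr/bin/host', $host);
die "host(1) failed, status $?\n" if $rc != 0;
```

Taint mode has to be enabled from the very first line (the shebang does that when the web server executes the file directly); starting it as `perl script.pl` without -T dies with "Too late for -T".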
 
