how to only allow calls to perl or cgi script from certain page 
Author Message
 how to only allow calls to perl or cgi script from certain page

Hi,
I need to be able to restrict users from calling my search script from their
site or another site, or typeing whatever they want in the URL.  FOr
example, my buttons call the search script with only specific values, but
How can I restirct them from entering whatever they want in the URL, so they
dont list the entire database by typing 'the' or 'and'.

I know I can create a list of words to prevent the searching but I would
rather restrict the search to only being called from a certain page, and not
allow them to enter any other search strings in the URL.

Can anybody help me?

Thanks in advance



Sat, 26 Jun 2004 21:07:03 GMT  
 how to only allow calls to perl or cgi script from certain page
On Jan 8, Mike inscribed on the eternal scroll:

Quote:
> I need to be able to restrict users from calling my search script from their
> site or another site, or typeing whatever they want in the URL.

Wrong thinking.  There is absolutely no way you can reliably stop them
from making mischievous requests in the first place.  There is no
shortcut: you need to fully validate their request when it reaches the
server.

Quote:
> I know I can create a list of words to prevent the searching but I would
> rather restrict the search to only being called from a certain page, and not
> allow them to enter any other search strings in the URL.

> Can anybody help me?

Not until you recognise that you're wasting your time with that
approach.

Be sure to carefully read and understand Stein's WWW CGI Security FAQ.
Writing CGI scripts is a serious enterprise - many security exposures
(some of which have been far from trivial) have been created by script
authors who failed to take the task seriously.

And next time you have a specifically CGI question, I reckon the
regulars here would prefer you raise it on a place where CGI questions
are on-topic (check the automoderation rules of
comp.infosystems.www.authoring.cgi before posting).

good luck



Sat, 26 Jun 2004 21:40:55 GMT  
 how to only allow calls to perl or cgi script from certain page


Quote:
> Hi,
> I need to be able to restrict users from calling my search script from
their
> site or another site, or typeing whatever they want in the URL.  FOr
> example, my buttons call the search script with only specific values, but
> How can I restirct them from entering whatever they want in the URL, so
they
> dont list the entire database by typing 'the' or 'and'.

> I know I can create a list of words to prevent the searching but I would
> rather restrict the search to only being called from a certain page, and
not
> allow them to enter any other search strings in the URL.

> Can anybody help me?

> Thanks in advance

you could check $ENV{"REMOTE_ADDRESS"} if your IP address is constant
or $ENV{"REQUEST_URI"}

- Show quoted text -



Sat, 26 Jun 2004 22:27:37 GMT  
 how to only allow calls to perl or cgi script from certain page

Quote:

>I need to be able to restrict users from calling my search script from their
>site or another site, or typeing whatever they want in the URL.  FOr
>example, my buttons call the search script with only specific values, but
>How can I restirct them from entering whatever they want in the URL, so they
>dont list the entire database by typing 'the' or 'and'.

>I know I can create a list of words to prevent the searching but I would
>rather restrict the search to only being called from a certain page, and not
>allow them to enter any other search strings in the URL.

>Can anybody help me?

What is your Perl question?   ( I do not see one )

--
    Tad McClellan                          SGML consulting

    Fort Worth, Texas



Sat, 26 Jun 2004 22:35:43 GMT  
 how to only allow calls to perl or cgi script from certain page

Mike> I need to be able to restrict users from calling my search script from their
Mike> site or another site, or typeing whatever they want in the URL.  FOr
Mike> example, my buttons call the search script with only specific values, but
Mike> How can I restirct them from entering whatever they want in the URL, so they
Mike> dont list the entire database by typing 'the' or 'and'.

This question was already asked (and answered by me) on CIWAC.
Please follow the thread there.

Shame on the Usenaut for multi-posting without disclosure. :(

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095

Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!



Sun, 27 Jun 2004 00:45:03 GMT  
 
 [ 5 post ] 

 Relevant Pages 

1. Calling a cgi script from HTML page

2. CGI-Calling a Perl script within a Perl script

3. Calling CGI script from other CGI script

4. How to call a perl script or web page from within perl

5. Call perl script in html page

6. Page not found problem calling PERL script

7. Calling a perl script when a HTML page loads

8. perl script for calling a java program,running the script through cgi of the web server

9. Call perl script in html page

10. perl/msql script doesn;t work when called from web page

11. How can I call a perl script from html-page

12. Calling a .html page from perl script

 

 
Powered by phpBB® Forum Software