LinuxQuestions.org

Programming > Perl Message board variable (https://www.linuxquestions.org/questions/programming-9/perl-message-board-variable-172777/)

cadj 04-21-2004 03:07 AM

Perl Message board variable
 
I've created a simple message board (or forum I should say) using Perl; the forum works fine posting and replying to messages.

The problem is, for the reply script to know what file to write to, I need to use another field in my form containing the file name.

My question is

How can I pass a variable to a CGI script from an HTML page without adding another form field?

http://220.244.4.142 is the address of my board. My description is kinda confusing, so give it a quick try and you will know what I am talking about.

Gnuru 04-21-2004 03:22 AM

Passing variables to CGI scripts that relate somehow to your file system is dangerous. A cracker could easily fake the variable and pass it to your CGI script thereby corrupting your system.

Make sure you're using 'taint', and pass the value of the variable through a regex to ensure it is valid.

A reasonably safe way to do this would be to pass a file name that is hard for a cracker to guess, like a MD5 hash. However, if you have to do this then your system needs a rethink, IMHO.

Anyway, passing variables is very easy, but depends on how you're creating your HTML pages. There are lots of ways to do it, but all involve using a hidden field.

Are you using CGI.pm? If so something like this should work:

use CGI qw(:standard);

my $some_variable = "some info";

# hidden() has to appear between start_form() and end_form() so the
# field is submitted along with the rest of the form.
print hidden(-name=>'variable', -value=>$some_variable);

Then, after the user has pressed 'submit', you get the variable like this:

my $var = param('variable');

cadj 04-21-2004 03:52 AM

Thanks
 
Using the hidden form field has solved 50% of my problem.

What do you mean by using taint?

And how can I prevent someone from making fake variables? I know of this bug already.

Gnuru 04-21-2004 06:23 AM

Taint mode is a Perl mode that will kill your program if you try to deal with insecure user input. You turn it on by having this in the first line of your program:

#!/usr/bin/perl -T

You can read all about it by going:

perldoc perlsec
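As an added example (not code from the thread), this is how a reply script could follow Gnuru's advice: run under -T and pass the hidden field's value through a regex before it becomes a file name. The field name "topic", the directory path and the one-file-per-thread layout are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: a reply handler that runs under taint
# mode and untaints the hidden "topic" field before using it as a file name.
use strict;
use warnings;
use CGI qw(:standard);

# Assumed location of the board's message files (placeholder path).
my $BOARD_DIR = '/var/www/board/messages';

# Under -T every value from param() is tainted, and opening a file for
# writing with a tainted name makes perl die. The only way to untaint is
# to extract a capture from a regex match, so the regex is the whitelist:
# a short, plain basename with no '/', '..', NUL bytes or other surprises.
sub untaint_topic {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

my $topic = untaint_topic(param('topic'));
unless (defined $topic) {
    print header(-status => '400 Bad Request'), "Invalid topic name\n";
    exit 0;
}

# The hidden field can be forged by the client, so it is only allowed to
# name a thread that already exists; a forged value cannot create files.
my $path = "$BOARD_DIR/$topic.txt";
unless (-f $path) {
    print header(-status => '404 Not Found'), "No such topic\n";
    exit 0;
}

# The message text is tainted too, but writing tainted data into a file
# whose name has been untainted is permitted by taint mode.
my $message = defined param('message') ? param('message') : '';
open(my $fh, '>>', $path) or die "cannot open $path: $!";
print $fh "---\n$message\n";
close($fh) or die "cannot close $path: $!";

print header(), "Reply posted to $topic\n";
```

If the -T switch on the shebang line is dropped, the regex still acts as the whitelist, but perl no longer dies when a tainted value slips through to open().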

