Perl Message board variable
I've created a simple message board (or forum, I should say) using Perl; the forum works fine posting and replying to messages.
The problem is, for the reply script to know what file to write to, I need to use another field in my form containing the file name. My question is: how can I pass a variable to a CGI script from an HTML page without adding another form field? http://220.244.4.142 is the address of my board. My description is kinda confusing, so give it a quick try and you will know what I am talking about.
Passing variables to CGI scripts that relate somehow to your file system is dangerous. A cracker could easily fake the variable and pass it to your CGI script thereby corrupting your system.
Make sure you're using 'taint', and pass the value of the variable through a regex to ensure it is valid. A reasonably safe way to do this would be to pass a file name that is hard for a cracker to guess, like an MD5 hash. However, if you have to do this then your system needs a rethink, IMHO. Anyway, passing variables is very easy, but depends on how you're creating your HTML pages. There are lots of ways to do it, but all involve using a hidden field. Are you using CGI.pm? If so, something like this should work:

    use CGI qw(:standard);
    my $some_variable = "some info";
    print hidden(-name => 'variable', -value => $some_variable);

Then, after the user has pressed 'submit', you get the variable like this:

    my $var = param('variable');
Thanks
Using the hidden form field has solved 50% of my problem.
What do you mean by using taint? And how can I prevent someone from making fake variables? I know of this bug already.
Taint mode is a Perl mode that will kill your program if you try to deal with insecure user input. You turn it on by having this in the first line of your program:

    #!/usr/bin/perl -T

You can read all about it by going:

    perldoc perlsec
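To tie the two answers together, here is an added example (not code from the thread or from the poster's board) of a reply handler that runs under taint mode, takes the thread file name from a hidden field, and only opens a file once that name has passed a strict regex. The parameter names `thread` and `message`, the data directory `/var/www/board/data` and the `.txt` naming are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: a reply handler under taint mode. The parameter names,
# data directory and file naming are assumptions, not the board's own code.
use strict;
use warnings;
use CGI qw(:standard);

# Taint mode refuses to run with an insecure PATH, so set it explicitly.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DATA_DIR = '/var/www/board/data';   # assumed location of thread files

# Accept only short names made of letters, digits, '_' or '-' followed by a
# fixed extension. The capture ($1) is what untaints the value; anything
# else (for example "../../etc/passwd") fails the match and the script stops.
sub untaint_thread_name {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-]{1,40})\.txt\z/;
    return;
}

my $thread = untaint_thread_name( scalar param('thread') );
unless ( defined $thread ) {
    print header( -status => '400 Bad Request' ), start_html('Bad request'),
        p('Invalid thread name.'), end_html;
    exit;
}

my $path = "$DATA_DIR/$thread.txt";

# Only append to a thread that already exists; never create files from
# user-supplied names.
unless ( -f $path ) {
    print header( -status => '404 Not Found' ), start_html('Not found'),
        p('No such thread.'), end_html;
    exit;
}

my $message = param('message') // '';
$message =~ s/\r?\n/ /g;    # keep one message per line in the thread file

open my $fh, '>>', $path or die "cannot append to $path: $!";
print {$fh} scalar(localtime), "\t", $message, "\n";
close $fh;

# Re-emit the hidden field so the next reply form still knows its thread.
print header, start_html('Reply posted'),
    p('Reply saved.'),
    start_form( -method => 'POST' ),
    hidden( -name => 'thread', -value => "$thread.txt", -override => 1 ),
    textarea( -name => 'message', -rows => 5, -columns => 60 ),
    submit('Reply'),
    end_form,
    end_html;
```

The point of the regex is not just validation: under `-T`, a value only becomes usable in `open` once it has been pulled through a capture group, so a forged `thread` value that does not match the pattern cannot reach the file system at all. Keeping the directory fixed in the script and refusing to create new files narrows what a faked hidden field can do to appending to a thread that already exists.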