LinuxQuestions.org
Old 04-21-2004, 04:07 AM   #1
cadj
Member
 
Registered: Aug 2003
Location: Melbourne Australia
Distribution: Debian Stretch
Posts: 374

Rep: Reputation: 32
Perl Message board variable


I've created a simple message board (or forum, I should say) using Perl. The forum works fine posting and replying to messages.

The problem is, for the reply script to know what file to write to, I need to use another field in my form containing the file name.

My question is:

How can I pass a variable to a CGI script from an HTML page without adding another form field?

http://220.244.4.142 is the address of my board. My description is kinda confusing, so give it a quick try and you will know what I am talking about.
 
Old 04-21-2004, 04:22 AM   #2
Gnuru
Member
 
Registered: Jan 2004
Posts: 53

Rep: Reputation: 15
Passing variables to CGI scripts that relate somehow to your file system is dangerous. A cracker could easily fake the variable and pass it to your CGI script thereby corrupting your system.

Make sure you're using 'taint', and pass the value of the variable through a regex to ensure it is valid.

A reasonably safe way to do this would be to pass a file name that is hard for a cracker to guess, like an MD5 hash. However, if you have to do this then your system needs a rethink, IMHO.

Anyway, passing variables is very easy, but depends on how you're creating your HTML pages. There are lots of ways to do it, but all involve using a hidden field.

Are you using CGI.pm? If so, something like this should work:

use CGI qw /:standard/;

my $some_variable = "some info";

print hidden(-name=>'variable', -value=>$some_variable);

Then, after the user has pressed 'submit', you get the variable like this:

my $var = param('variable');
 
Old 04-21-2004, 04:52 AM   #3
cadj
Member
 
Registered: Aug 2003
Location: Melbourne Australia
Distribution: Debian Stretch
Posts: 374

Original Poster
Rep: Reputation: 32
Thanks

Using the hidden form field has solved 50% of my problem.

What do you mean by using taint?

And how can I prevent someone from making fake variables? I know of this bug already.
 
Old 04-21-2004, 07:23 AM   #4
Gnuru
Member
 
Registered: Jan 2004
Posts: 53

Rep: Reputation: 15
Taint mode is a Perl mode that will kill your program if you try to deal with insecure user input. You turn it on by having this in the first line of your program:

#!/usr/bin/perl -T

You can read all about it by going:

perldoc perlsec
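
Added example (not part of the thread and not cadj's board code): a reply script that applies the advice in posts #2 and #4, running under taint mode and passing the hidden field through a regex before it is used as a file name. The directory, the `.txt` suffix, the 32-hex-digit naming scheme and the `message` field are assumptions; `variable` is the hidden field name from post #2.

```perl
#!/usr/bin/perl -T
# Added example: validate and untaint the hidden field before opening a file.
use strict;
use warnings;
use CGI qw(:standard);

# Assumption: thread files live in one fixed directory and are named by a
# 32-character lowercase hex string (e.g. an MD5 hash) plus ".txt".
my $THREAD_DIR = '/var/www/board/threads';    # hypothetical path

# Return the untainted id, or undef if the submitted value is malformed.
sub untaint_thread_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    # \A and \z anchor the whole string ("$" would accept a trailing newline).
    # Under -T only the captured substring ($1) is untainted, so the pattern
    # is the complete whitelist: no "/", no "..", no NUL byte can get through.
    return $raw =~ /\A([0-9a-f]{32})\z/ ? $1 : undef;
}

# Send a plain-text error response and stop.
sub fail {
    my ($status, $msg) = @_;
    print header(-status => $status, -type => 'text/plain'), "$msg\n";
    exit;
}

my $id = untaint_thread_id(scalar param('variable'));
fail('400 Bad Request', 'Invalid thread id') unless defined $id;

# The path is built from a constant and the validated id only.
my $path = "$THREAD_DIR/$id.txt";

# A reply may only append to a thread that already exists, so a faked but
# well-formed id cannot create new files.
fail('404 Not Found', 'No such thread') unless -f $path;

my $text = param('message') // '';            # hypothetical form field
# If $path were still tainted, this open-for-append would die under -T.
open(my $fh, '>>', $path) or die "cannot open thread file: $!";
# Escape the reply so it is inert when the board later prints it as HTML.
print {$fh} CGI::escapeHTML($text), "\n";
close($fh) or die "cannot close thread file: $!";

print header(-type => 'text/plain'), "Reply stored\n";
```

When run from the command line rather than as a CGI program, Perl must also be started with `-T` (`perl -T script.pl`), otherwise it refuses the `-T` on the `#!` line.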
 
  

