On 9/26/01 6:06 PM, "Chaka Clarke" <[EMAIL PROTECTED]> wrote:
> What are the main dangers and what is the safer solution ?

The primary is trusting anyone to enter *normal* data. If your script is installed with read/write to the CGI directory then someone could construct a command to write a file to that directory. The main problem would come up if you are unsure what a person can and cannot enter into your CGI and what the consequences are when the script 'eval's the input.

Ask the list - there are many better trained, more knowledgeable Perl programmers - if, say, [EMAIL PROTECTED] (Randal) says something is safe to do then you can bet he knows what he is talking about, IF he says it's not. If you're like me you will need to find out the hard way - by trying something and seeing if it gets hacked. Maybe they won't.

"A safer solution?" Get to know and love -T (taint) when writing CGIs - it will take some getting used to, but taint checking is your best friend - it won't accept data it thinks is from an unreliable source (a submitted FORM via the WWW is such a source.)

Start your search on security from two of my sites, if you'd like, at - http://web.fccj.org/~wcjones/ and http://www1.fccj.org/wcjones/

Never take someone's advice without checking things out for yourself.

HTH;
-Sx- :]
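As an added illustration of the advice above (example code, not from the original post or its author): a minimal CGI that runs under -T, reads one form field, and launders it with an allowlist regex before using it in a file path. Everything that arrives from the request is tainted, and Perl's only way to clear that mark is a regex capture, so the capture is where the security decision lives. The field name `note`, the directory `/var/www/data` and the 64-character limit are assumptions chosen for the example; the `CGI` module is the standard one of that era.

```perl
#!/usr/bin/perl -T
# Added example, not part of the original post. Assumed: a form field
# named "note", a writable directory /var/www/data, a 64-char limit.
use strict;
use warnings;
use CGI;

# Taint mode refuses to start any subprocess until PATH is trusted,
# and the other shell-influencing variables should go as well.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Anything read from the request is tainted, including an empty value.
my $raw = $q->param('note');
$raw = '' unless defined $raw;

# The capture is the only way to untaint. Keep the class tight:
# letters, digits, underscore, dash; 1 to 64 chars; no dots, no slashes,
# anchored at both ends so nothing extra can ride along.
my ($name) = $raw =~ /^([A-Za-z0-9_-]{1,64})\z/
    or die "rejected form value\n";

# $name is now clean; a fixed directory keeps the path under our control.
my $path = "/var/www/data/$name.txt";

# With -T this open would die ("Insecure dependency in open") if $name
# were still tainted. That is the safety net; the regex is the design.
open my $fh, '>', $path or die "cannot write $path: $!";
print {$fh} "saved\n";
close $fh;

# For contrast, the pattern the post warns about. Under -T, passing
# the raw value to string eval is refused outright:
#   eval $raw;   # dies: Insecure dependency in eval while running with -T switch
# The regex check above never lets the program get that far.

print $q->header('text/plain'), "ok\n";
```

Two points worth checking in your own scripts: run with `-T` on the shebang line (a `-T` given only on the command line is rejected when the interpreter is started by the web server), and make the untaint regex describe what you accept rather than what you reject, since a pattern like `/(.*)/` clears the taint flag while validating nothing.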