On Monday 09 August 2004 00:47, you wrote:
> Hi list!
>
> In yesterday's lecture given by Shachar Shemesh about
> cross site scripting and sql injection problems in web applications.
> The examples were given by Shachar in PHP.
> I would like to know what would be the Perl equivalent of these issues
> and how can I prevent those problems from occurring?
> Where can I find related material on this issue?
>

Well, you can find a super-short intro to Perl server-side scripting
programming with the CGI.pm module here:

http://perl-begin.berlios.de/Wiki/pmwiki/pmwiki.php/Main/CgiGettingStarted

I demonstrate an HTML injection problem there (albeit it does not deal with
it a lot).

In Perl with the CGI.pm module, you output strings directly to the standard
output to feed the client with its resultant HTML. If you output a value
directly from the user without escaping it using the CGI::escapeHTML()
function (or something similar), you can create a cross-site-scripting
problem.

On other web-development problems (e.g.: Apache::Request, Apache::ASP,
HTML::Mason, CGI::Application, Maypole, etc.), there may be other methods of
transferring data to the user, but I believe that you'll need to ensure the
safety of the parameters you receive from the users in all of them.

As for SQL injections, here is a small piece of code (paraphrased from the
DBI man page and from what Shachar demonstrated):

<<<
use CGI;
use DBI;

my $q = CGI->new;
my $user     = $q->param('user');
my $password = $q->param('password');

my $dbh = DBI->connect($data_source, $username, $auth, \%attr);

# The user-supplied values are interpolated straight into the SQL text.
my $sth = $dbh->prepare("SELECT * FROM users WHERE user='$user' " .
                        "AND password='$password'");
$sth->execute();
my @row = $sth->fetchrow_array();
>>>

Now here $user is injected directly into the SQL without quoting. To quote
it you can use the $dbh->quote() function.

Hope it helps.

Regards,

Shlomi Fish

> Being a newbie in webapp development the lecture gave me
> better understanding of an issue i just heard about before.
> (Thanx again Shachar!<applause type="loud"/> )
>
> regards,
> Boris Ratner.
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]

-- 
---------------------------------------------------------------------
Shlomi Fish      [EMAIL PROTECTED]
Homepage:        http://shlomif.il.eu.org/

Knuth is not God! It took him two days to build the Roman Empire.
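The following is an added example, not code from Shlomi's mail: it puts the two mitigations the reply names (CGI::escapeHTML() for output, $dbh->quote() for SQL values) beside DBI placeholders, which the mail does not mention but which the DBI documentation recommends for the same purpose. It assumes DBD::SQLite is installed so that an in-memory database can stand in for the real one; the users table and the inputs are constructed here so the script runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Constructed fixture: an in-memory SQLite database standing in for the
# real users table (assumes DBD::SQLite is available).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (user TEXT, password TEXT)");
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, "o'brien", "s3cret");

# Placeholders: the SQL text never contains the user's data, so a quote
# character in $user is handled as data by the driver, not as SQL syntax.
sub user_exists {
    my ($dbh, $user, $password) = @_;
    my $sth = $dbh->prepare(
        "SELECT COUNT(*) FROM users WHERE user = ? AND password = ?");
    $sth->execute($user, $password);
    my ($count) = $sth->fetchrow_array;
    return $count;
}

# The alternative the mail mentions: $dbh->quote() escapes the value and
# adds the surrounding quotes itself, so the caller must not add its own.
sub quoted_sql {
    my ($dbh, $user) = @_;
    return "SELECT * FROM users WHERE user=" . $dbh->quote($user);
}

# Cross-site scripting: every user value echoed into the page goes through
# CGI::escapeHTML(), which turns <, >, & and quotes into entities.
sub greeting_html {
    my ($user) = @_;
    return "<p>Hello, " . CGI::escapeHTML($user) . "</p>\n";
}

# Constructed inputs: a legitimate name containing an apostrophe (the case
# that breaks naive interpolation) and a name containing HTML markup.
my $name_with_quote  = "o'brien";
my $name_with_markup = "<b>bob</b>";

print "login ok: ", (user_exists($dbh, $name_with_quote, "s3cret") ? "yes" : "no"), "\n";
print "quoted:   ", quoted_sql($dbh, $name_with_quote), "\n";
print "html:     ", greeting_html($name_with_markup);
```

The login check returns 1 for the apostrophe-bearing name because the value travels as a bound parameter; with the interpolated prepare() from the mail the same legitimate input would already produce a malformed statement, which is the symptom that hints at the injection risk. Prefer placeholders for anything built from request parameters and keep quote() for the rare case where a statement has to be assembled as text.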
