FAQ 9.14 How do I make sure users can't enter values into a form that cause my CGI script to do bad


PerlFAQ Server

This is an excerpt from the latest version of perlfaq9.pod, which
comes with the standard Perl distribution. These postings aim to
reduce the number of repeated questions as well as allow the community
to review and update the answers. The latest version of the complete
perlfaq is at http://faq.perl.org .

--------------------------------------------------------------------

9.14: How do I make sure users can't enter values into a form that cause my CGI script to do bad things?

(contributed by brian d foy)

You can't really prevent people from sending your script bad data, at
least not with Perl, which works on the server side. If you want to
prevent data that try to use SQL injection or other sorts of attacks
(and you should want to), you have to not trust any data that enter your
program.

The perlsec documentation has general advice about data security. If you
are using the "DBI" module, use placeholders to fill in data. If you are
running external programs with "system" or "exec", use the list forms.
There are many other precautions that you should take, too many to list
here, and most of them fall under the category of not using any data
that you don't intend to use. Trust no one.



--------------------------------------------------------------------

The perlfaq-workers, a group of volunteers, maintain the perlfaq. They
are not necessarily experts in every domain where Perl might show up,
so please include as much information as possible and relevant in any
corrections. The perlfaq-workers also don't have access to every
operating system or platform, so please include relevant details for
corrections to examples that do not work on particular platforms.
Working code is greatly appreciated.

If you'd like to help maintain the perlfaq, see the details in
perlfaq.pod.
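The two concrete precautions the FAQ names (DBI placeholders, and the list form of system/exec) are easier to see side by side. The following is an added example, not code from perlfaq9 or from the FAQ's author; it assumes DBD::SQLite is installed and uses a constructed hostile form value to show why interpolating untrusted data into SQL or a shell command line is the problem, and why the placeholder and list forms are not affected.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database (DBD::SQLite assumed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (name TEXT, email TEXT)");
$dbh->do("INSERT INTO users VALUES ('alice', 'alice\@example.com')");

# Hypothetical untrusted form value. Nothing stops a client sending this.
my $name = "x' OR '1'='1";

# UNSAFE: interpolating the form value into the SQL text. The embedded
# quote ends the string literal and the remainder is parsed as SQL, so the
# WHERE clause is always true and every row comes back.
my $unsafe_sql = "SELECT email FROM users WHERE name = '$name'";
my $leaked = $dbh->selectall_arrayref($unsafe_sql);
printf "interpolated query returned %d row(s)\n", scalar @$leaked;   # 1

# SAFE: a placeholder. DBI hands the value to the driver separately from
# the statement text, so it is only ever compared as data.
my $sth = $dbh->prepare("SELECT email FROM users WHERE name = ?");
$sth->execute($name);
my $rows = $sth->fetchall_arrayref;
printf "placeholder query returned %d row(s)\n", scalar @$rows;      # 0

# External programs: another hypothetical hostile form value.
my $filename = "report.txt; echo injected";

# UNSAFE: the single-string form of system() runs the string through
# /bin/sh, which treats ';' as a command separator and runs the second
# command.  Shown commented out, not executed.
#   system("wc -l $filename");

# SAFE: the list form bypasses the shell. 'wc' receives the whole string as
# one argument (a filename that does not exist) and simply reports an error.
# The '--' stops a value beginning with '-' from being read as an option.
my $rc = system("wc", "-l", "--", $filename);
printf "list-form system() exit status: %d\n", $rc >> 8;
```

The same reasoning applies to `exec`, backticks and `open` with a pipe: anything that goes through a shell string will honour shell metacharacters in the data. The perlsec advice the FAQ points to adds a second layer for CGI scripts: running under `perl -T` (taint mode) makes Perl die rather than pass data derived from the request to `system`, `exec` or file-modifying calls until the script has explicitly extracted the acceptable part with a regular-expression capture.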
 

David Canzi

9.14: How do I make sure users can't enter values into a form that cause
my CGI script to do bad things?

(contributed by brian d foy)

You can't really prevent people from sending your script bad data, at
least not with Perl, which works on the server side. If you want to

I'd suggest shortening the first sentence to something like this:

"You can't really prevent people from sending your script bad data."

The part of the original sentence after the comma suggests that
client side checking would prevent evil users from sending the
server harmful data. It won't.

The word "really" is optional.
 

brian d foy

David Canzi said:
I'd suggest shortening the first sentence to something like this:

"You can't really prevent people from sending your script bad data."

That is probably a better idea, although a couple more sentences about
why that's the case is probably warranted too.

Thanks,
 

David Canzi

That is probably a better idea, although a couple more sentences about
why that's the case is probably warranted too.

Thanks,

Here's a possible rewrite of the first paragraph:

You can't prevent people from sending your script malicious
input data. You can put client-side input checking code into
the form you send to a remote machine, but you can't make the
remote machine run it. Browsers can be configured to ignore it,
and a Perl script on the remote machine can send you whatever
its author wants it to send. If you want to prevent SQL
injection or other sorts of attacks (and you should want to),
you have to not trust any data that enter your program.
 

brian d foy

That is probably a better idea, although a couple more sentences about
why that's the case is probably warranted too.

Here's a possible rewrite of the first paragraph:

The fix is already in.

Thanks,
 
