Duke of Hazard
I have developed a really basic script to make my web pages editable.
I am tired of having to hop around several applications and menus just
to fix one spelling error on a webpage! Also this empowers my clients
to update their own sites as far as text goes.
Basically it reads in the webpage file you want to edit and displays
its content in a textarea box. If the password matches, the script
overwrites the webpage file with the new text you typed in the
textarea.
It works, but what security checks do I need to perform on it? I
realize I need to sanitize the password field, how about the textarea
field?
Thanks!
Here's a snippet of the code below:
==================================
# %incoming is filled by the script's own form parser (not shown in this snippet)
$file_path = $incoming{'file_path'};
$password  = $incoming{'password'};
$textarea  = $incoming{'message'};   # must match the <textarea name=message> below
# overwrite file if password matches, using the textarea contents
if ($password eq "12345") {
    open(F, ">$file_path") or die "Cannot write $file_path: $!";
    flock(F, 2);                      # 2 = LOCK_EX
    print F $textarea;
    close(F);
}
# display web page to allow user to edit web page
print "Content-type: text/html\n\n";
print "<form action=/cgi-bin/edit_webpage.pl method=POST>\n";
# carry the path through the POST so the save branch above knows which file to write
print "<input type=hidden name=file_path value=\"$file_path\">\n";
print "<textarea name=message cols=75 rows=25>";
open(F, "<$file_path") or die "Cannot read $file_path: $!";
print <F>;
close(F);
print "</textarea>\n";
print ' <input type="password" name="password"> ';
print ' <input type="submit" value="Edit"> ';
print "</form>\n";
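For comparison, here is a hardened rewrite of the same editor. It is an added example, not the poster's script, and it shows the checks the question is asking about: the client never supplies a file path (only a name from a fixed allow-list, which rules out writing to arbitrary files), the password is kept as a hash rather than in clear text, the file is locked before it is truncated, and the page content is HTML-escaped before it is placed inside the textarea so a `</textarea>` in the file cannot break out of the form. It assumes the CGI and Digest::SHA modules are installed; the document root, the file names in the allow-list and the password hash are placeholders.

```perl
#!/usr/bin/perl
# Added example (not the original poster's code): a hardened version of the
# page editor. Placeholder values: $docroot, the %editable names, $password_hash.
use strict;
use warnings;
use CGI;
use Digest::SHA qw(sha256_hex);
use Fcntl qw(:flock);

my $q = CGI->new;

# 1. Only these files may be edited; the request supplies a name, never a path.
my $docroot  = '/var/www/site';                                   # placeholder
my %editable = map { $_ => 1 } qw(index.html about.html contact.html);  # placeholder

# 2. Keep a hash of the password, not the password itself. Generate it with:
#    perl -MDigest::SHA=sha256_hex -e 'print sha256_hex("your password")'
my $password_hash = 'PLACEHOLDER_SHA256_HEX';

my $file     = $q->param('file')     // 'index.html';
my $password = $q->param('password') // '';
my $message  = $q->param('message');      # undef when the form is first shown

# Anything that is not exactly one allow-listed name (no '/', no '..') is refused.
unless ($editable{$file}) {
    print $q->header(-status => '400 Bad Request'), "Unknown page\n";
    exit;
}
my $path = "$docroot/$file";

my $saved = 0;
if (defined $message) {
    if (sha256_hex($password) eq $password_hash) {
        # 3. Open without truncating, take the lock, then truncate and write,
        #    so a concurrent reader never sees a half-written file.
        open(my $fh, '+<', $path) or die "open $path: $!";
        flock($fh, LOCK_EX)       or die "flock $path: $!";
        truncate($fh, 0)          or die "truncate $path: $!";
        seek($fh, 0, 0)           or die "seek $path: $!";
        print {$fh} $message;
        close($fh)                or die "close $path: $!";
        $saved = 1;
    } else {
        sleep 1;   # slow down repeated password guesses
    }
}

open(my $in, '<', $path) or die "open $path: $!";
my $content = do { local $/; <$in> };
close($in);

print $q->header(-type => 'text/html; charset=UTF-8');
print "<p>Saved.</p>\n" if $saved;
print qq{<form action="/cgi-bin/edit_webpage.pl" method="post">\n};
print qq{<input type="hidden" name="file" value="}, $q->escapeHTML($file), qq{">\n};
# 4. Escape the content so markup inside the file stays inside the textarea.
print qq{<textarea name="message" cols="75" rows="25">},
      $q->escapeHTML($content), qq{</textarea>\n};
print qq{<input type="password" name="password">\n};
print qq{<input type="submit" value="Save">\n};
print "</form>\n";
```

The allow-list is the important part: validating a client-supplied path is far harder to get right than never accepting one, and the same check also fixes the display branch, which in the original opens whatever path the request names. Since the password is now compared as a digest, the script itself no longer contains the secret, so a leaked copy of the source does not give away the password.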