It should know the *general format* of the valid input it is
expecting. If it knew the actual valid input, there would be no
reason for a form in the first place.
Sure. Can we skip the more extreme bits of pedantry please, and
concentrate on the issues?
There is no reason that the general format of a valid input cannot
include a hidden element with a list of thingies. (Or a list of
hidden elements with one thingy each, depending on whether you are
looking at it after CGI.pm or before)
Indeed; my concern was more with what the O.P seemed to be
aiming to do when the parameter names came back.
They way you cope with things for security reasons and the way you
cope with things for correctness reasons are very different.
Even if there were no malicious users, there can always be mistakes,
so I continue to counsel a *defensive* attitude to server-side
programming. A program which is absolutely correct but totally
insecure may be perfect in the lab, but useless in the real world.
No persuasion is needed. CGI.pm will automatically parse any damned
form-control name that it might get. What you do with them, of
course, is up to you.
I take your point. However, but "business end" of the script ought to
*know* what it's doing, in terms of parameters, and only be waiting
for the actual values from the submission; I'm concerned that what
appears to be discussed here it the idea that the server-side script
might have little idea what parameter names to expect until the form
submission tells it.
Now, I'm not arguing that it's impossible to cope with that, just as I
wouldn't argue that it's impossible in Perl to use variable variable
names. But both are things that I reckon can be handled more safely
by a different technique, and, if someone asks or discusses the issue,
I'm going to feel it useful to advise the use of a safer method.
A denial of service attack just gives me the opportunity to fire,
and possibly prosecute, any malicious employee before they have the
chance to do something truly damaging. 20 minutes of downtime is a
small price to pay for getting rid of malicious personnel.
By default I tend to treat intranets as just a special case of
the wider (e.g world wide web) situation.
If you want to deploy a deliberately insecure procedure in order to
entrap a malicious employee, then IMHO you're discussing a very
special case, that - paradoxically - needs *even better*
"security-think" on the server side than the normal case. But let's
not head down that particular track until we have to...?
Aside from which, I don't see how this method opens up any risk that
isn't already there. And what is "the usual procedure"?
I meant having the evaluation phase of the script *know* what names it
expects to find in name=value pairs in the submission, and process
just those. One convenient approach is to have CGI.pm write the
original form from the same script, so that the code is all kept in
the same place. It also facilitates error handling: writing a fresh
form, pre-entering the input which was valid so far, and flagging the
fields which need further attention.
If some joker interferes with the client/server dialog, and submits
thousands of parameters whose names were not expected by the script,
then, sure, subject to the size limits set, CGI.pm will prepare them
for consideration by the script, but that should be the end of the
matter.
Is there something in particular there that you would like to draw
our attention to?
Not really: I'd rate it more as an attitude, rather than any one
particular technical point.
BTW, did you know that CGI.pm itself automatically prints out hidden
form elements containing the the names of the form's other elements?
I perceive the trap that you're setting here. But all that CGI.pm
does with them are to preserve them as sticky parameters, which is a
linear process. So if some joker adds a thousand more, then sure,
there will be a thousand more sticky parameters, but they don't *do*
anything, they just get dragged along for a while. The difference is
that CGI.pm doesn't try to wade through them trying to make sense of
what they mean in terms of the user's application, which is what (as I
read it - correct me if I'm wrong) was what seemed to be proposed
here.
I think I'm done with this now, unless someone can show me I've
totally misunderstood something.
thanks