P
PerlFAQ Server
This is an excerpt from the latest version perlfaq9.pod, which
comes with the standard Perl distribution. These postings aim to
reduce the number of repeated questions as well as allow the community
to review and update the answers. The latest version of the complete
perlfaq is at http://faq.perl.org .
--------------------------------------------------------------------
9.14: How do I make sure users can't enter values into a form that cause my CGI script to do bad things?
(contributed by brian d foy)
You can't prevent people from sending your script bad data. Even if you
add some client-side checks, people may disable them or bypass them
completely. For instance, someone might use a module such as "LWP" to
access your CGI program. If you want to prevent data that try to use SQL
injection or other sorts of attacks (and you should want to), you have
to not trust any data that enter your program.
The perlsec documentation has general advice about data security. If you
are using the "DBI" module, use placeholder to fill in data. If you are
running external programs with "system" or "exec", use the list forms.
There are many other precautions that you should take, too many to list
here, and most of them fall under the category of not using any data
that you don't intend to use. Trust no one.
--------------------------------------------------------------------
The perlfaq-workers, a group of volunteers, maintain the perlfaq. They
are not necessarily experts in every domain where Perl might show up,
so please include as much information as possible and relevant in any
corrections. The perlfaq-workers also don't have access to every
operating system or platform, so please include relevant details for
corrections to examples that do not work on particular platforms.
Working code is greatly appreciated.
If you'd like to help maintain the perlfaq, see the details in
perlfaq.pod.
comes with the standard Perl distribution. These postings aim to
reduce the number of repeated questions as well as allow the community
to review and update the answers. The latest version of the complete
perlfaq is at http://faq.perl.org .
--------------------------------------------------------------------
9.14: How do I make sure users can't enter values into a form that cause my CGI script to do bad things?
(contributed by brian d foy)
You can't prevent people from sending your script bad data. Even if you
add some client-side checks, people may disable them or bypass them
completely. For instance, someone might use a module such as "LWP" to
access your CGI program. If you want to prevent data that try to use SQL
injection or other sorts of attacks (and you should want to), you have
to not trust any data that enter your program.
The perlsec documentation has general advice about data security. If you
are using the "DBI" module, use placeholder to fill in data. If you are
running external programs with "system" or "exec", use the list forms.
There are many other precautions that you should take, too many to list
here, and most of them fall under the category of not using any data
that you don't intend to use. Trust no one.
--------------------------------------------------------------------
The perlfaq-workers, a group of volunteers, maintain the perlfaq. They
are not necessarily experts in every domain where Perl might show up,
so please include as much information as possible and relevant in any
corrections. The perlfaq-workers also don't have access to every
operating system or platform, so please include relevant details for
corrections to examples that do not work on particular platforms.
Working code is greatly appreciated.
If you'd like to help maintain the perlfaq, see the details in
perlfaq.pod.