Perl CGI Programming: No experience required.
What's in a Form: Security Issues

HTML text input types and TEXTAREA fields allow a visitor to type in just about anything. This makes the HTML text types quite useful for gathering information. However, they are also your largest window of vulnerability to attack by malicious or clumsy visitors. There isn't much you can do about obscene or libelous entries in a guest book, unless you write your Perl script to filter out the seven dirty words or some such thing. Putting a table of obscenities together might be a fascinating exercise but, in the end, it would be a waste of time. The list has probably grown somewhat since George Carlin first drew it up anyway!
But little troglodytes who spray-paint nasty words in your guest book are merely an annoyance. A bigger worry for you should be the amount of text a visitor can enter in one field. For example, it would be relatively simple for a visitor from the Dark Side to crank up a file transfer and dump a few megabytes of garbage into the First Name: field of your form. If you hadn't planned for that possibility, the garbage would hopelessly clog up the CGI program that you've hooked up to the HTML document. Assuming it made it through the Perl script without crashing it (and your Web server), it would needlessly hog disk space in the guest book file. Perhaps the worst part would be when other visitors wanted to look at the guest book and got page after page of strange hieroglyphs instead, maybe even crashing their browsers. A good start at limiting this sort of nonsense can be found in the text declarations in guestbook.html:

```html
<TD> <INPUT TYPE="text" NAME="first_name" SIZE="24" MAXLENGTH="30"> </TD>
```

The MAXLENGTH attribute tells the browser to accept a maximum number of characters in the field. Note that we have made it slightly larger than the width of the field itself, in case someone really does have a long first_name. But there's a great deal of difference between 30 and 30 million bytes. Unfortunately, HTML's TEXTAREA tag, which allows the user to type in more than one line of text, has no provision for limiting the amount that goes into it. You'll fall back on a second line of defense for that: the Perl-CGI script itself.
A Last Word on Security

It's possible to enter system commands and HTML code into an HTML text field such as the ones you used in the guest book programs. Sometimes this can actually damage your system if your Perl code takes any of the text and executes it as a system command. It's also possible to enter a URL into one of the text fields. For example, a visitor could drop the path to a picture file into the Comments field of the guest book, as illustrated in Figure 7.7.
Figure 7.8 illustrates how easy it is.
The picture in Figure 7.7 certainly is not going to harm anything, but it could have been something not so nice. In any event, it isn't what you intended to have in the guest book, is it? The easiest way to guard against such intrusions is to filter out characters that obviously go into HTML code, shell commands, or URLs. Adding one small code block (the if test below) to addguest.pl will provide the filter:

```perl
# Go through each element in @InfoArray, split off the
# "variable=" part, then translate pluses into spaces and
# any escaped hex chars back into their real character values.
for ($n = 0; $n < @InfoArray; $n++) {
    # Limit of 2 keeps any '=' that appears inside the value itself.
    ($dummy, $temp) = split (/=/, $InfoArray[$n], 2);
    $temp =~ tr/+/ /;
    $temp =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack ("C", hex ($1))/eg;
    # New: reject the decoded value if it holds any shell or HTML metacharacter.
    if ($temp =~ /[;<>&\*`|]/) {
        print "Illegal entry!!\n";
        exit;
    }
    $InfoArray[$n] = $temp;
}
```

Calling exit to just drop the program is merely a suggestion; you can proceed in any way you want. The point is this: there is no reason for any of the characters in the test to be in a guest book entry, and there is every reason for any of them to be in something you don't want. This is just one more line in your defenses.
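The two defenses above (a server-side length cap for fields such as the TEXTAREA that MAXLENGTH cannot protect, and the metacharacter test) combined into one small parser, as an added example that is not the book's addguest.pl. It assumes the form field names first_name and comments, and the per-field limits and sample query string are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not from the book): server-side length limits and the
# metacharacter check, applied to each field after URL-decoding.
use strict;
use warnings;

# Server-side counterparts of MAXLENGTH. The comments TEXTAREA has no
# browser-side limit, so this is the only cap it gets. (Limits assumed.)
my %max_len = (first_name => 30, comments => 1000);

# Decode one URL-encoded form value: pluses to spaces, %XX to bytes.
sub decode_value {
    my ($v) = @_;
    $v =~ tr/+/ /;
    $v =~ s/%([\dA-Fa-f]{2})/pack("C", hex($1))/eg;
    return $v;
}

# Parse "name=value&name=value" into a hash, rejecting bad input.
# Returns (\%fields, undef) on success or (undef, $reason) on failure.
sub parse_form {
    my ($query) = @_;
    my %fields;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;  # value may contain '='
        $name  = decode_value($name);
        $value = decode_value(defined $value ? $value : '');
        # Only fields the form actually declares are accepted.
        return (undef, "unknown field $name") unless exists $max_len{$name};
        return (undef, "$name too long") if length($value) > $max_len{$name};
        # Same test as the book's filter: shell and HTML metacharacters.
        return (undef, "illegal characters in $name") if $value =~ /[;<>&\*`|]/;
        $fields{$name} = $value;
    }
    return (\%fields, undef);
}

# Constructed sample input used when the script is run outside a Web server.
my $query = $ENV{QUERY_STRING} || 'first_name=Ann+Lee&comments=Nice%20page%21';
my ($fields, $err) = parse_form($query);
print "Content-type: text/plain\n\n";
if ($err) { print "Illegal entry: $err\n"; exit; }
print "$_: $fields->{$_}\n" for sort keys %$fields;
```

With the constructed sample input the script prints the two decoded fields; a query such as comments=%3Cimg+src%3D... is rejected by the metacharacter test once it has been decoded.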
Moving On

In the next skill, you will delve into the boon and bane of server-side includes, and other methods of creating dynamic Web pages and graphics.

Are You Experienced?

Now you can
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.