
Re: html/file security cgi

by jynx (Priest)
on May 17, 2002 at 01:15 UTC

in reply to html/file security cgi [revisited]

hopefully these will help more than hurt...

(a few random, specific things in no particular order)

  • rather than use an outside time program (/bin/date) you can use localtime. This will avoid a shell call which is usually a Good Thing(tm).
  • never, never, never set a file to 777 permissions. There are too many ways that a universally writeable file can be abused, just don't do it. 644 is better.
  • For your print statements, you can bundle like things by comma-separating them rather than using individual print statements.
  • You should use CGI's methods for getting the arguments passed to the script. Realizing you've already heard use CGI or die many times, I'll give you a reason: You're not restricting content length. A cracker could easily use that to break into the system. Parsing cgi arguments correctly is very difficult, (ab)using CGI is much easier.
  • It would probably be better to store the single-user password in the access.txt file. Storing passwords is in general a bad idea, but there's only so much you can do to circumvent that problem when doing cgi work (storing them in the script is not a good option)
  • If you can find a way (at a later date) to use a random salt, that would be better than hardcoding one. Much more secure. You can find an example of how to create one on crypt's perldoc page.
  • You don't check to see if you actually opened the log file. What if you failed? Currently you continue as if nothing went wrong. Should you die? Warn others? Whether you fail gracefully or gracelessly, you should do something when you fail...
  • A very minor nit, but possibly useful. Rather than saying:

    if (($in{'name'})&& etc...

    it seems better (monks correct me if i'm wrong) to use exists here:

    if (exists($in{'name'}) && etc...

  • to reiterate a few others, strict and warnings are useful. Also, test your script out on command line before putting it in cgi_bin. That will help clear out a lot of other possible pitfalls early as well...
  • Lastly, @_ is your friend. Argument passing is an excellent thing to learn, and using strict will become much easier once you stop using globals.

As for coding, don't try to implement a lot of changes at once (assuming you're still making changes). It's just a bad idea (unless you're a real programmer like mel ;-). Whatever changes you plan to implement, make them 1 at a time. And if you can stomach it, you should probably post the next (major) revision to Seekers of Perl Wisdom if you plan on asking for further advice. You'll probably receive more help there.
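The following is an added example, not code from the reply above or from the original poster's script, that pulls the reply's points together in one small CGI script: localtime() instead of a shell call to /bin/date, a content-length limit via CGI.pm before any arguments are parsed, a random salt for crypt() in the style of perldoc -f crypt, an open() whose failure is reported rather than ignored, a 0644 log file, defined-ness checks on the parameters, and argument passing through @_ under strict and warnings. It assumes the CGI module is installed (it is no longer in core Perl), and the log path, password and parameter names are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;                 # assumed installed; not part of core Perl since 5.22
use Fcntl qw(:flock);

# Reject request bodies larger than 10 KiB before CGI.pm parses anything,
# and refuse file uploads outright. This is the content-length limit
# the reply says the hand-rolled parser was missing.
$CGI::POST_MAX        = 10 * 1024;
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;
# CGI.pm records an oversized or malformed request here instead of dying.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err), "Request rejected: $err\n";
    exit;
}

# Timestamp via localtime(): no fork, no shell, no PATH lookup for /bin/date.
sub timestamp {
    my ($epoch) = @_;
    my @t = localtime($epoch // time);
    return sprintf '%04d-%02d-%02d %02d:%02d:%02d',
        $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];
}

# Random two-character salt, as in the example under perldoc -f crypt.
# On a libc without traditional DES crypt, use a '$6$' prefixed salt instead.
sub make_salt {
    my @chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    return join '', map { $chars[rand @chars] } 1 .. 2;
}

# Check a submitted password against a stored crypt() hash. Passing the
# stored hash as the salt reuses whatever salt it was created with.
sub password_ok {
    my ($plain, $stored) = @_;
    return crypt($plain, $stored) eq $stored;
}

# Append one line to the log; die with the reason if the file cannot be
# opened, locked or closed instead of carrying on as if nothing happened.
sub log_line {
    my ($path, $msg) = @_;
    open my $fh, '>>', $path or die "cannot open log $path: $!";
    flock $fh, LOCK_EX      or die "cannot lock $path: $!";
    print {$fh} timestamp(), " $msg\n";
    close $fh               or die "cannot close $path: $!";
    chmod 0644, $path;   # owner-writable only; never 0777
}

# Placeholder: in the original poster's setup the hash would be read from
# access.txt rather than created here. The password is a made-up constant.
my $stored_hash = crypt('correct horse', make_salt());
my $log_path    = '/tmp/access.log';   # placeholder path

# param() returns undef for a missing field, so test definedness,
# the CGI.pm equivalent of the exists($in{'name'}) check in the reply.
my $name = $q->param('name');
my $pass = $q->param('password');

print $q->header('text/plain');
if (defined $name && defined $pass && password_ok($pass, $stored_hash)) {
    log_line($log_path, "login ok for $name");
    print "Welcome, $name\n";
}
else {
    log_line($log_path, 'login failed');
    print "Access denied\n";
}
```

Run it from the command line first, as the reply suggests, e.g. `perl script.cgi name=alice password='correct horse'`; CGI.pm reads key=value pairs from @ARGV when no web server environment is present, which shows errors such as a failed open() before the script ever goes into cgi-bin.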

