PerlMonks  
hopefully these will help more than hurt...

(a few random, specific things in no particular order)

  • rather than use an outside time program (/bin/date) you can use localtime. This will avoid a shell call which is usually a Good Thing(tm).
  • never, never, never set a file to 777 permissions. There are too many ways that a universally writeable file can be abused, just don't do it. 644 is better.
  • For your print statements, you can bundle like things by comma-separating them rather than using individual print statements.
  • You should use cgi's methods for getting the arguments passed to the script. Realizing you've already heard use CGI or die many times, I'll give you a reason: You're not restricting content length. A cracker could easily use that to break into the system. Parsing cgi arguments correctly is very difficult, (ab)using CGI is much easier.
  • It would probably be better to store the single-user password in the access.txt file. Storing passwords is in general a bad idea, but there's only so much you can do to circumvent that problem when doing cgi work (storing them in the script is not a good option).
  • If you can find a way (at a later date) to use a random salt, that would be better than hardcoding one. Much more secure. You can find an example of how to create one on crypt's perldoc page.
  • You don't check to see if you actually opened the log file. What if you failed? Currently you continue as if nothing went wrong. Should you die? Warn others? Whether you fail gracefully or gracelessly, you should do something when you fail...
  • A very minor nit, but possibly useful. Rather than saying:

    if (($in{'name'})&& etc...

    it seems better (monks correct me if I'm wrong) to use exists here:

    if (exists($in{'name'}) && etc...

  • to reiterate a few others, strict and warnings are useful. Also, test your script out on command line before putting it in cgi_bin. That will help clear out a lot of other possible pitfalls early as well...
  • Lastly, @_ is your friend. Argument passing is an excellent thing to learn, and using strict will become much easier once you stop using globals.

As for coding, don't try to implement a lot of changes at once (assuming you're still making changes). It's just a bad idea (unless you're a real programmer like mel ;-). Whatever changes you plan to implement, make them 1 at a time. And if you can stomach it, you should probably post the next (major) revision to Seekers of Perl Wisdom if you plan on asking for further advice. You'll probably receive more help there.

jynx


In reply to Re: html/file security cgi by jynx
in thread html/file security cgi [revisited] by UberDragon13
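As an added illustration (my code, not jynx's and not the script under discussion), here is how several of the points above fit together in one CGI login handler: a POST size cap via CGI.pm, checked file opens, localtime instead of /bin/date, and a random salt for crypt. It assumes CGI.pm is installed and uses hypothetical file paths.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Cap the request body before CGI.pm reads it, so an oversized POST is
# refused instead of parsed (the content-length limit the post refers to).
$CGI::POST_MAX        = 8 * 1024;   # 8 KiB is ample for a login form
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;
if (my $err = $q->cgi_error) {      # set when the body exceeded POST_MAX
    print $q->header(-status => $err), "Request rejected.\n";
    exit;
}

# Validate both fields; defined/length tells an absent field from an empty one.
my %in;
$in{$_} = $q->param($_) for qw(name pass);
unless (defined $in{name} && length $in{name}
     && defined $in{pass} && length $in{pass}) {
    print $q->header(-status => '400 Bad Request'), "Missing name or password.\n";
    exit;
}

# Hypothetical paths, outside the document root and not world-writable.
my $pw_file  = '/var/lib/myapp/access.txt';   # one line: user:crypted-hash
my $log_file = '/var/log/myapp/access.log';
# Every open is checked; a failed open dies instead of silently continuing.
open(my $pw, '<', $pw_file) or die "Cannot read $pw_file: $!";
chomp(my $line = <$pw> // '');
close $pw;
my ($user, $hash) = split /:/, $line, 2;
my $ok = defined $hash && $in{name} eq $user && crypt($in{pass}, $hash) eq $hash;
# localtime instead of a shell call to /bin/date; the name is reduced to
# printable ASCII so a crafted value cannot forge extra log lines.
my ($s, $m, $h, $d, $mo, $y) = localtime;
(my $who = $in{name}) =~ tr/\x20-\x7e//cd;
open(my $log, '>>', $log_file) or die "Cannot append to $log_file: $!";
printf $log "%04d-%02d-%02d %02d:%02d:%02d %s %s\n",
    $y + 1900, $mo + 1, $d, $h, $m, $s, $who, $ok ? 'OK' : 'FAIL';
close $log or warn "Could not close $log_file: $!";
print $q->header, $ok ? "Welcome, $user.\n" : "Login failed.\n";
# Used once when writing access.txt: crypt($plain, make_salt()) with a random
# salt from crypt's own alphabet (perldoc -f crypt), not one hardcoded here.
sub make_salt {
    my @set = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    return join '', @set[rand @set, rand @set];
}
```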
