Re: Web form security

I think you are being overly concerned. There is a big diference between eval "$name" and $$name = $q->param($name). As for your concers run this and see what happens, it emulates all your CGI input:

@names = qw(a b / \ ! _);

# check we have all the input worries
print @names;
print "\n";

# and so???
foreach $name(@names){
    print $name, ': ', $$name, "<BR>\n";
}
[download]

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Comment on Re: Web form security Download Code

Replies are listed 'Best First'.
Re: Re: Web form security by Masem (Monsignor) on Jul 30, 2001 at 18:52 UTC
There's still danger in this, even if it's not through perl internals. Say I have variable $chargecustomerscard which, later in the code, which actually does the monetary processing in my script. Normally, this variable is only set after the status is determined from a database query, cookie checks, etc. Certainly this variable name is sufficiently hidden from the end user since they can't see the script. But if a more malicious user were to discover that this variable exists, and that one is populating the variable space by the methods used here, then that user could easily "overwrite" the correct value of that variable just by generating the right URL request, and cause numerous problems. It's nearly always better to explicitly define what you are looking for than to exclude the cases you don't want to look for when it comes to security in this fashion. ----------------------------------------------------- Dr. Michael K. Neylon - mneylon-pm@masemware.com \|\| "You've left the lens cap of your mind on again, Pinky" - The Brain	[reply]

Replies are listed 'Best First'.

Re: Re: Web form security
by Masem (Monsignor) on Jul 30, 2001 at 18:52 UTC

Say I have variable $chargecustomerscard which, later in the code, which actually does the monetary processing in my script. Normally, this variable is only set after the status is determined from a database query, cookie checks, etc.

Certainly this variable name is sufficiently hidden from the end user since they can't see the script. But if a more malicious user were to discover that this variable exists, and that one is populating the variable space by the methods used here, then that user could easily "overwrite" the correct value of that variable just by generating the right URL request, and cause numerous problems.

It's nearly always better to explicitly define what you are looking for than to exclude the cases you don't want to look for when it comes to security in this fashion.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain

[reply]