in reply to Any security holes?

All right 
my $whatever = encode_entities($whatever, '<>&"');

[download]
did the trick! Now, if I put html code into the input field it doesnt mess up anything. Thanx for steering me to the answer. (and fast too) Heartily appreciated. Hugs Are there still any blatant security risks? My script now: 
#!C:\Perl64\site\bin\perl.exe
use warnings;
use HTML::Entities;
use CGI;

my $cgi = CGI->new(); # create new CGI object

{
   ($name, $value) = split(/=/, $pair);
   $value =~ tr/+/ /;
   $value =~ s/%(..)/pack("C", hex($1))/eg;
   $FORM{$name} = $value;
}

my $nick = $cgi->param('nick');
my $pic = $cgi->param('pic');
my $say = $cgi->param('say');
my $likes = $cgi->param('likes');
my $fav = $cgi->param('fav');
my $car = $cgi->param('car');
my $age = $cgi->param('age');
my $town = $cgi->param('town');
my $drink = $cgi->param('drink');
my $wpage = $cgi->param('wpage');

my $nick = encode_entities($nick, '<>&"');
my $pic = encode_entities($pic, '<>&"');
my $say = encode_entities($say, '<>&"');
my $likes = encode_entities($likes, '<>&"');
my $fav = encode_entities($fav, '<>&"');
my $age = encode_entities($age, '<>&"');
my $town = encode_entities($town, '<>&"');
my $drink = encode_entities($say, '<>&"');
my $say = encode_entities($drink, '<>&"');
my $wpage = encode_entities($wpage, '<>&"');

open(my $fh, '>>', 'drivers.html');
print "Content-type:text/html\r\n\r\n";
print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' b
+order='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite
+ vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>
+$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br>
+<b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = dr
+ivers.html' /></head>";
close $fh;

[download]

Replies are listed 'Best First'.
Re^2: Any security holes?
by hippo (Archbishop) on Jun 27, 2022 at 08:45 UTC
[reply]
[d/l]
[select]
      Thank you very much guys for the help - I removed the whole split/pair segment and it still works like a charm. I will read and tinker some more about making it safer.
[reply]
Re^2: Any security holes?
by AnomalousMonk (Archbishop) on Jun 27, 2022 at 13:59 UTC 
    my $nick = $cgi->param('nick');
...
my $wpage = $cgi->param('wpage');

my $nick = encode_entities($nick, '<>&"');
...
my $wpage = encode_entities($wpage, '<>&"');

    [download]

    Not to address any security hole but just to simplify and DRY out the code a bit, you might try one of these untested approaches. 

    my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage
+)
= map { encode_entities($cgi->param($_), '<>&"') }
qw ( nick   pic   say   likes   fav   car   age   town   drink   wpage
+);

    [download]
    Or else (and better IMHO): 
    use constant CGI_PARAMS => qw(
    nick pic say likes fav car age town drink wpage
    );

my %param =
    map { $_ => encode_entities($_, '<>&"') }
    map { $cgi->param($_) }
    CGI_PARAMS
    ;

...

print $fh <<"EOHTML";
<b>$param{'nick'}</b><br>
<img src='$param{'pic'}' width='250' height='auto' border='2'><br>
<br>
Says <b>$param{'say'}</b><br>
Likes <b>$param{'likes'}</b><br>
Favorite vehicle <b>$param{'fav'}</b><br>
Real life car/vehicle <b>$param{'car'}</b><br>
Age <b>$param{'age'}</b><br>
Hometown <b>$param{'town'}</b><br>
Favorite drink <b>$param{'drink'}</b><br>
<b><a href='$param{'wpage'}'>$param{'wpage'}</a></b>
<HR color=#008000 SIZE=2>
EOHTML

    [download]

    Give a man a fish:  <%-{-{-{-<

[reply]
[d/l]
[select]
      > simplify and DRY out the code a bit,

      simpler and DRYer with loop-aliasing ... ;)

      use strict;
use warnings;
use HTML::Entities;

# init
my ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wpage
+)=
  ("<html>") x10;

# escape
for my $alias ($nick, $pic, $say, $likes, $fav, $car, $age, $town, $dr
+ink, $wpage) {
    encode_entities($alias);
}

# out
print "$nick ... $wpage";

      [download]

      &lt;html&gt; ... &lt;html&gt;

      edit

      or just

      encode_entities($_)
   for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wp
+age;

      [download]

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery

[reply]
[d/l]
[select]
        Your last suggestion worked well - now my script is: 
        #!C:\Perl64\site\bin\perl.exe
use strict;
use warnings;
use HTML::Entities;
use CGI;

my $cgi = CGI->new();

my $nick = $cgi->param('nick');
my $pic = $cgi->param('pic');
my $say = $cgi->param('say');
my $likes = $cgi->param('likes');
my $fav = $cgi->param('fav');
my $car = $cgi->param('car');
my $age = $cgi->param('age');
my $town = $cgi->param('town');
my $drink = $cgi->param('drink');
my $wpage = $cgi->param('wpage');

encode_entities($_)
   for $nick, $pic, $say, $likes, $fav, $car, $age, $town, $drink, $wp
+age;

open(my $fh, '>>', 'drivers.html');
print "Content-type:text/html\r\n\r\n";
print $fh "<b>$nick</b><br><img src='$pic' width='250' height='auto' b
+order='2'><br><br>Says <b>$say</b><br>Likes <b>$likes</b><br>Favorite
+ vehicle <b>$fav</b><br> Real life car/vehicle <b>$car</b><br>Age <b>
+$age</b><br>Hometown <b>$town</b><br>Favorite drink <b>$drink</b><br>
+<b><a href='$wpage'>$wpage</a></b><HR color=#008000 SIZE=2>\n";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = dr
+ivers.html' /></head>";
close $fh;

        [download]
        Looking way better now eh? Will read/learn more on links provided. Thanx everyone.
[reply]
[d/l]
Re^2: Any security holes?
by ikegami (Patriarch) on Jun 27, 2022 at 13:20 UTC

    Still possible to inject code because of your incorrect escaping. It's still as vulnerable as ever.

[reply]
      Could I ask for an example of correct escaping?
[reply]

        encode_entities($s) would do

[reply]
[d/l]

In Section Seekers of Perl Wisdom