Stegalex has asked for the wisdom of the Perl Monks concerning the following question:

I am running Apache 1.3.17 with mod_perl 1.2.5. Do I still have to check all parameters passed in to CGI programs for unsafe characters? Even if I am using CGI.pm? Thanks for your answers!

Replies are listed 'Best First'.
Re: Safe variables in CGI
by Biker (Priest) on Feb 01, 2002 at 22:15 UTC

    You definitely want to check all input data. And take some time to figure out how to check it as well.

    Don't try to refuse or ignore stuff that you won't accept. Doing that, you will continue to add more and more checks every time someone enters something you didn't think of.

    Take the other approach: Define what you will accept and accept nothing but what you consider valid data.

    We've even had some excitement here at the Monastery today concerning input data, when someone registered the new user name <!-- and many pages showed up as broken. As a result, the input data validation had to be improved.

    "Life is hard," said the farmer.
    "Harsh," said the pig...

Re: Safe variables in CGI
by BazB (Priest) on Feb 01, 2002 at 21:51 UTC

    Yes, you still need to check your input.
    CGI does not filter your input - if someone puts something nasty in a parameter that you ask CGI to fetch for you, watch out if you aren't using taint mode and some good regexes for untainting those variables.

    Update: Your question seems to suggest that you haven't used CGI in the past for CGI scripts.
    Bad. Bad. Bad :-)
    Have a look at use CGI or die;.
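
    The whitelist approach Biker describes and the taint-mode untainting BazB mentions, as an added example (this is not code posted in the thread): run under -T, every CGI parameter arrives tainted, and a value reaches %clean only by matching a pattern that spells out exactly what is acceptable. The field names (username, page, email) and their patterns are made up for the illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: whitelist validation of CGI
# parameters under taint mode.  Field names and patterns are made up.
use strict;
use warnings;
use CGI;

# One pattern per accepted field.  Each pattern says exactly what is
# allowed; anything that does not match is rejected, so new kinds of
# bad input need no new checks.  \z instead of $ so a trailing newline
# cannot slip past the anchor.
my %allowed = (
    username => qr/^([A-Za-z][A-Za-z0-9_]{2,15})\z/,    # 3-16 word characters
    page     => qr/^([1-9][0-9]{0,3})\z/,               # integer 1..9999
    email    => qr/^([A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,})\z/,
);

# Return the untainted value when it matches the field's whitelist,
# undef otherwise.  Only the text captured by the parentheses loses the
# taint flag; that capture is what satisfies -T later on.
sub untaint_param {
    my ($name, $value) = @_;
    return undef unless defined $value and exists $allowed{$name};
    return $value =~ $allowed{$name} ? $1 : undef;
}

my $q = CGI->new;
my (%clean, @rejected);

for my $name (sort keys %allowed) {
    my $raw = $q->param($name);      # tainted under -T: it came from the request
    next unless defined $raw;
    my $val = untaint_param($name, $raw);
    if (defined $val) {
        $clean{$name} = $val;
    } else {
        push @rejected, $name;
    }
}

if (@rejected) {
    # Refuse the whole request and never echo the bad value back.
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid value for: @rejected\n";
    exit 0;
}

print $q->header('text/html');
# Validated input is still escaped on the way out, so a value such as
# "<!--" can never break the page markup.
my $who = defined $clean{username} ? $clean{username} : 'guest';
print '<p>Hello, ', $q->escapeHTML($who), "</p>\n";
```

    To try it without a web server, feed CGI.pm the request through the environment, which -T treats as tainted: `REQUEST_METHOD=GET QUERY_STRING='username=alice&page=42' perl -T whitelist.cgi` prints the greeting, while `QUERY_STRING='username=%3C%21--'` (the `<!--` case) is answered with a 400. The same untaint_param pattern applies to data read from files or the environment, which -T also marks tainted; note that DBI marks fetched rows tainted only when its Taint or TaintOut attribute is set, so database values need the same whitelist treatment whether or not the flag is on.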

Re: Safe variables in CGI
by Ryszard (Priest) on Feb 02, 2002 at 02:02 UTC

    Could I add that you should check all input into your script, including user input and input that has come from a database, OS file etc. Just because you have a trusted or secure database doesn't mean a rogue employee can't insert naughty stuff into it (nor a hacker hack it, for that matter).

    In actual fact -T enforces what I just said anyways.. :-)

Re: Safe variables in CGI
by sparkyichi (Deacon) on Feb 01, 2002 at 21:50 UTC

    I think it is always a good idea to check for unsafe characters. You want as much control over your variables as you can get. I think taint checking will help, i.e.
    #!/usr/bin/perl -wT
    Thanks for the catch A.M.
    Sparky
    FMTEYEWTK
      Capital 'T':

      #!/usr/bin/perl -wT