Re: Simple Email Script

You should use Taint mode in your CGI scripts and check all input for dangerous things before using it.
Suggestion: Change your shebang line to enable warnings and Taint mode, like this:
#!/usr/bin/perl -wT
And then check all your input with regexes (un-taint it) to be sure that there's nothing scary in there.

$firstname =~ /^([\w ]+)$/;
$firstname = $1;
if( length($firstname) < 1){
  $firstname = "no valid name provided";
}
# now $firstname contains only
#  numbers, letters, spaces and underscores.
[download]

The particular regex I used may not meet your needs, and sanitizing the other pieces may be more difficult, but this is the general idea I think you'll want.

Oh, to reply more to the question you actually asked - add this: "use CGI::Carp( 'fatalsToBrowser' );" to your script while you're debugging. Then you'll get a better description than "HTTP 500" when things go wrong.

Good luck!

Comment on Re: Simple Email Script Download Code

Replies are listed 'Best First'.
Re: Re: Simple Email Script by theguvnor (Chaplain) on Mar 08, 2002 at 02:59 UTC
And I'll save merlyn some time by pointing out that fatalsToBrowser should be used only while testing, not in production because it gives the bad guys more information than you want to give them. :) ..Guv	[reply]
Using CGI::Carp by gellyfish (Monsignor) on Mar 09, 2002 at 15:50 UTC
In the NMS programs we originally used the CGI::Carp set_message() method to conditionally output the actual error message if a $DEBUGGING variable was set - thus retaining the ability to catch fatal errors (and be able to use 'die' in the programs without getting a 500 status) and control what information that gets emitted to the user. We subsequently discovered that set_message() wasn't available in older versions of CGI::Carp so we have provided our own cut-down version. /J\	[reply]