Is there any reason you don't verify that param("max_rec") is one of the numbers that you expect (or at least a number)?

Consider sanity checking all of the form parameters before you do anything else. Depending on the structure of your app, you might want to re-issue the form if any of the parameters are bad, or you might want to just issue an error page. (In the case of a pop-up menu, if you get bad data you either have a programming error, or someone is trying to hack you. An error page is a reasonable response to either case.)

I can't comment on the SQL, but the basic princiles of web input is DON'T TRUST USER INPUT. What you need to do is filter the input so that you let through only values you want to let through, rather than filtering out values you don't want.

See also:

• Security?
• Ovid's CGI Course: CGI Security
• davorg's CGI Notes: CGI Security - *new link
• Perl Training Australia: Perl CGI (PDF) Chapter six

*Added extra link.

As far as returning a maximum number of results goes, I'd probably verify that you're getting a number, and only a number, back from the webpage. You can do this quite easily with a regexp, and it'd probably just add one line to your source code.

It's always a good idea, when you're accepting data into your script from an unknown source, to verify the data is exactly in the format you expect.

Hope that helps a little ...
-- Foxcub
A friend is someone who can see straight through you, yet still enjoy the view. (Anon)

Abigail

If you are concerned about the value given to $max_recs1 = param("max_rec"); (which you definitively should be), then you should verify it's contents before using it in your SQL query.

I'd check that the value is an integer value, positive and smaller or equal to some max value you will have to decide. (In your case typically 120. ;-)

Data Types for Placeholders

   The "\%attr" parameter can be used to hint at the data type the
   placeholder should have. Typically, the driver is only interested
   in knowing if the placeholder should be bound as a number or a
   string.

        $sth->bind_param(1, $value, { TYPE => SQL_INTEGER });
[download]

(this answer was lead by a suggestion by PodMaster in CB).

It is strangs that nobody mentioned Taint directly in their post. Use the -T flag in your CGI, or the Taint module from CPAN.
This way, you are sure that all the parameters need to pass an untaint method (like a regex).

I hope this helps,
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium

SELECT * FROM products WHERE prod_name = ? OR prod_desc = ?
[download]

Also, PostgreSQL doesn't support placeholders for the number after the LIMIT.

Yes it does.

#!/usr/bin/perl -w
use strict;
use DBI;
my $dbh = DBI->connect("dbi:Pg:dbname=pfau")
    or die "Unable to connect to db: $DBI::errstr";
$dbh->{RaiseError} = 1;
my $s = $dbh->prepare("select relname from pg_class limit ? offset ?")
+;
my $r = $s->execute(3,10);
while (my @row = $s->fetchrow_array) {
    print "Table: $row[0]\n";
}
$s->finish;
$dbh->disconnect;
[download]

Produces:

Table: pg_attrdef
Table: pg_toast_17086_idx
Table: pg_trigger
[download]

90% of every Perl application is already written. ⇒

dragonchild

if ($max_recs1 !~ /^(10|20|40|80|120|160)$/) {
    $html_content .= qq~You have entered an ILLEGAL Number of Results 
+to post!!~ . br() x 2;
    search_box();
    return;
}
[download]