in reply to Re: 3Re: HTML::Template, CGI - concatenating strings & variables
in thread HTML::Template, CGI - concatenating strings & variables

"... the user doesn't actually do anything but click on the radio button to indicate which report they want."

Even though you "narrow the choices" on the interface, the user doesn't have to use the interface. Instead they could submit a GET query directly:

    # contrived example
    http://foo.com/cgi-bin/form.cgi?rpt_id=../../../etc/password
or use a web bot, etc. Even though 99% of the people don't know about this, the 1% that does is 100% of the devious people you need to worry about. ;)

Cheers :)

jeffa

L-LL-L--L-LL-L--L-LL-L--
-R--R-RR-R--R-RR-R--R-RR
B--B--B--B--B--B--B--B--
H---H---H---H---H---H---
(the triplet paradiddle with high-hat)
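The point above in working code: an added example (not jeffa's or the original poster's script) of a CGI that picks an HTML::Template file from rpt_id. The template directory, the report names and the filenames are made up for the illustration. The commented-out line is the shape that lets rpt_id=../../../etc/passwd walk out of the template directory; the allowlist hash below it is the fix. It runs under -T because a hash key is never tainted and the looked-up filename is our own literal, so HTML::Template's open() is permitted. If HTML::Template lives outside the standard @INC, note that taint mode ignores PERL5LIB, so the path has to be given with `use lib` in the script itself.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: choose a report template
# from a CGI parameter without letting the parameter name the file.
use strict;
use warnings;
use CGI;
# use lib '/home/lori/perl/lib';   # hypothetical path; needed under -T if
                                   # HTML::Template is not in the default
                                   # @INC, because -T ignores PERL5LIB
use HTML::Template;

# Hypothetical template directory and report set; adjust for your site.
my $tmpl_dir = '/var/www/templates';

# Allowlist: the only values rpt_id may take, mapped to filenames WE chose.
my %report_tmpl = (
    sales     => 'sales_report.tmpl',
    inventory => 'inventory_report.tmpl',
);

my $q      = CGI->new;
my $rpt_id = $q->param('rpt_id');    # tainted: came from the request

# VULNERABLE (kept only to show the problem, do not use):
# the caller controls the path, so
#   rpt_id=../../../etc/passwd
# escapes $tmpl_dir. Under -T this line also dies with
# "Insecure dependency in open", which is exactly what -T is for.
#   my $t = HTML::Template->new(filename => "$tmpl_dir/$rpt_id.tmpl");

# Safe: look the value up; anything not in the hash is rejected outright.
# Hash keys are never tainted, and the value returned is our literal.
my $file = defined $rpt_id ? $report_tmpl{$rpt_id} : undef;
unless (defined $file) {
    print $q->header(-status => '400 Bad Request'), "unknown report\n";
    exit;
}

my $t = HTML::Template->new(
    filename          => "$tmpl_dir/$file",
    die_on_bad_params => 0,    # template need not use every param we set
);
$t->param(REPORT => $rpt_id);  # $rpt_id is now one of our known keys
print $q->header, $t->output;
```

The lookup is deliberately a hash rather than a regex "untaint" of rpt_id: a regex such as /^(\w+)$/ would also untaint the value, but then a request for a report that exists on disk yet was never meant to be offered would still be served. Mapping the parameter to a fixed set of files keeps the decision about which files are reachable in the script, where jeffa's 1% cannot change it.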

Re: 5Re: HTML::Template, CGI - concatenating strings & variables
by Lori713 (Pilgrim) on Nov 17, 2003 at 20:38 UTC
    I've tried putting "-T" on the shebang line, but then I get error messages saying it can't "find HTML::Template in @INC blah blah blah..."

    Did I misunderstand how to set up taint checking in the .pl scripts?

    Lori