is just one example of "untainting" your paramaters that are submitted by someone (who could be trying to crack your CGI script). I recommend adding the taint switch to your "shebang" line:my $rpt_id = $CGI->param('rpt_id'); # trim any leading or trailing whitespace $rpt_id =~ s/^\s*//; $rpt_id =~ s/\s*$//; # assuming report id is suppose to only contain digits unless ($rpt_id =~ /^\d+$/) { # handle error - id contains more than digits }
Since you have already untainted $rpt_id by making it part of $rpt_tmpl like so:#!/usr/local/bin/perl5_8 -T
you shouldn't have to worry about devious folks getting at other files like you would with the following DANGEROUS code:my $rpt_tmpl = "cnc1_rpt" . $rpt_id . "_summary.tmpl"; # another way to achieve the same result: my $rpt_tmpl = "cnc1_rpt@{[$rpt_id]}_summary.tmpl"; # and yet anther way my $rpt_tmpl = sprintf("cnc1_rpt%d_summary.tmpl", $rpt_id);
Even though you supply the path, the user can still submit something like ../../../etc/passwd ... bad. Your code appears safe enough as it is, but ... it's still a good idea to make sure that what you let the user to submit is restricted.my $file = $CGI->param('file'); open FH, '<', "$PATH/$file";
jeffa
L-LL-L--L-LL-L--L-LL-L-- -R--R-RR-R--R-RR-R--R-RR B--B--B--B--B--B--B--B-- H---H---H---H---H---H--- (the triplet paradiddle with high-hat)
In reply to 3Re: HTML::Template, CGI - concatenating strings & variables
by jeffa
in thread HTML::Template, CGI - concatenating strings & variables
by Lori713
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |