<Freddo411>: Shudders at the thought of buying things online ;-!
There are many things to worry about when designing and coding web apps for security. Here are a few:
* Write the data where the web server cannot see it. This is often done by: a) using a DB on another physical machine, b) using a part of the filesystem that is NOT visible to the web server (chroot and not under the web root)
Keep in mind that your CGI process must have permission to write/read the file, that means that every CGI on your machine has permission to write/read the file ... IF you store the information unencrypted.
* Encrypt the info. Use your CGI to encrypt the info. Encryption isn't hard to do, but isn't a panacea either. Encryption is based upon using a key and an algorithm to scramble the data. Usually one uses a well known and tested algorithm (see CPAN). But the encrypted data is only as safe as the key. Where do you keep the key that the CGI must use? If you keep it on the filesystem in a place that the CGI can read it, then it is "open", potentially, for any CGI (or hacked CGI) on the system to read. Really well funded operations use a Hardware Encryption device that securely stores the key, and provides a software interface for encrypting data.
Based upon what you've said so far, the best you can do is to keep the CGI code (except a stub), the encrypted data, and the key file outside the web root using chroot. Make sure that the user that the web server is running as has permission to read (but not write) the key file and the CGI code files. Make sure that no one else can read/write/execute the files or the directories they are in.
Note that this level of security breaks down if the web server is compromised, or if the root user is compromised, or if another CGI on the box is compromised.
Good Luck.
-------------------------------------
Nothing is too wonderful to be true
-- Michael Faraday
In reply to Re: Passing a username/password from HTML to a Perl script
by freddo411
in thread Passing a username/password from HTML to a Perl script
by mwhiting
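An added example, not part of the post above: a small shell audit for the layout the post recommends (key file and CGI code outside the web root, readable but not writable by the web server, closed to everyone else). The function names and the assumed ownership scheme (admin-owned files that the web server reaches through its group, e.g. file mode 0440 and directory mode 0750) are illustrative choices, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the post. Assumed layout: key file and CGI code are
# owned by an admin account and the web server reaches them only through its
# group (for instance file mode 0440, directory mode 0750).

# check_mode PATH: fail if PATH is group-writable or open to other users.
check_mode() {
    [ -e "$1" ] || { echo "FAIL $1: missing"; return 1; }
    m=$(ls -ld -- "$1" | cut -c1-10)    # e.g. "-r--r-----"
    bad=0
    case $m in
        ?????w????) echo "FAIL $1: group-writable ($m)"; bad=1 ;;
    esac
    case $m in
        ???????---) ;;
        *) echo "FAIL $1: accessible to other users ($m)"; bad=1 ;;
    esac
    return $bad
}

# under_root PATH ROOT: succeed if PATH lies at or below ROOT once the
# directories are resolved (a symlink at the final component is not followed).
under_root() {
    p=$(cd -- "$(dirname -- "$1")" && pwd -P)/$(basename -- "$1")
    r=$(cd -- "$2" && pwd -P)
    case $p/ in
        "$r"/*) return 0 ;;
    esac
    return 1
}

# audit_secret FILE WEBROOT: succeed only if FILE is outside WEBROOT and
# neither FILE nor its directory fails check_mode.
audit_secret() {
    rc=0
    if under_root "$1" "$2"; then
        echo "FAIL $1: inside web root $2"; rc=1
    fi
    check_mode "$1" || rc=1
    check_mode "$(dirname -- "$1")" || rc=1
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/keyfile /path/to/webroot
if [ $# -eq 2 ]; then
    audit_secret "$1" "$2"
fi
```

The audit is meant for the key file and the CGI code; the encrypted data file has to stay writable by the CGI, so it needs a separate rule.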