Lots of good advice already, follow it! But I don't yet see the most important security measure for CGI scripts of them all: the -T option. See perldoc perlsec. But don't assume it's a magic bullet. For example, it won't protect you from SQL injection problems.

Another major aspect is never visible in the script source code, and that is to set up your server so the CGI never runs as the web server user. For every task set up a different fake user and use something like suexec to run your CGI as that user. That way if you do have a hole, your server isn't directly compromised (though even getting local user access is already a huge step for a hacker). Here it will also allow you to set the permissions of your SQL server so that this user (and therefore CGI script) may only do the things he needs to do here. That DOES help somewhat against SQL injection (though the real solution to that is still using placeholders) and even against someone taking over your script and now trying to access the SQL server.


In reply to Re: Hacker Proofing My First Script by thospel
in thread Hacker Proofing My First Script by awohld
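The combination the reply above recommends, taint mode plus placeholders, as an added example (not code from the original thread). The script runs under `-T`, cleans `%ENV` as perlsec requires, untaints the one parameter it accepts by extracting only the expected format, and then hands that value to the database through a DBI placeholder. The DBD::SQLite in-memory database and the `users` table are assumptions so the script runs offline; in production the DSN would point at the real server, under a database account granted only the rights this script needs.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use DBI;
use Scalar::Util qw(tainted);

# Under -T, anything derived from the outside (CGI params, %ENV, STDIN) is
# tainted and may not reach the shell or filesystem until it is untainted.
# %ENV is tainted too, so set PATH explicitly before any external command.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to untaint is a regex capture. Extract exactly the format
# you expect; matching /(.*)/ "untaints" as well but defeats the purpose.
sub untaint_id {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ /\A(\d{1,9})\z/;   # capture yields untainted data
    return $clean;
}

my $q  = CGI->new;
my $id = untaint_id(scalar $q->param('id'));

print $q->header('text/plain');

unless (defined $id) {
    print "Bad request: 'id' must be a positive integer\n";
    exit 0;
}
die "untaint failed" if tainted($id);       # sanity check, should never fire

# Assumed for the example: an in-memory SQLite database with one constructed
# row. A real deployment connects as a low-privilege DB user (e.g. SELECT only
# on the tables this CGI reads), which is the least-privilege point made above.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->do('INSERT INTO users (id, name) VALUES (?, ?)', undef, 1, 'alice');

# Placeholder: the value travels separately from the SQL text, so no input can
# change the query's structure. Taint mode alone would NOT stop the unsafe form
#   $dbh->prepare("SELECT name FROM users WHERE id = $id")
# because DBI calls are not "tainted operations" in Perl's sense.
my $sth = $dbh->prepare('SELECT name FROM users WHERE id = ?');
$sth->execute($id);
my $row = $sth->fetchrow_hashref;
print $row ? "user: $row->{name}\n" : "no such user\n";
```

Note that the regex here enforces the application's own format rule; the placeholder is what actually prevents injection, which is why the reply says -T is not a magic bullet. To get the second half of the advice, the script would be run through suexec (or an equivalent) as a dedicated user, and the database account used in the DSN would belong to that user alone.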
