in reply to CGI (in)security
points 1 to 3 are sensible, sane and recommended things to do, well done :D
regarding point 4:
I'd say move them away to a place outside the actual web directory, like /usr/home/lib/perl/site_perl/5.X.Y/ or some such. At least protect the directory against direct access in your webserver configuration.
regarding point 6:
To prevent SQL injection and sub-shell exploits: use prepared SQL statements with placeholders, and untaint the CGI parameters you'll use in system (shell) calls so that each one allows only what's necessary, parameter for parameter, not with a general rule! Using your approach, perfectly normal text I enter might look like I'm trying to be a 31337 h4x0r -- not really a good idea...
Edit: Updated numbering according to the OP's editing
regards,
tomte
An intellectual is someone whose mind watches itself.
-- Albert Camus
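The two points tomte makes in reply to point 6 (placeholders instead of interpolated SQL, and per-parameter untainting before a shell call), worked through as an added example. This is not code from tomte's post or from the OP's script; it assumes DBI with DBD::SQLite is installed, builds a throwaway `users` table inline from constructed data, and uses `/bin/echo` as a stand-in for a hypothetical report-generating program. In a real CGI the `$raw` and `$login` values would come from `CGI->param`, where taint mode marks them tainted; here they are literals, so the untainting shows the rule rather than the taint flag itself.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use DBI;

# Taint mode (-T) refuses to pass tainted data to system(); scrub the
# environment the way perlsec recommends before any external call.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# --- SQL: placeholders instead of string interpolation -------------------
sub lookup_user {
    my ($dbh, $login) = @_;
    # The value travels separately from the SQL text, so quotes or
    # "' OR '1'='1" inside $login are compared as data, never parsed as SQL.
    my $sth = $dbh->prepare('SELECT id, login FROM users WHERE login = ?');
    $sth->execute($login);
    return $sth->fetchrow_hashref;
}

# --- Shell: untaint per parameter, with a rule specific to that parameter -
sub untaint_report_name {
    my ($raw) = @_;
    # This particular parameter names a report file: letters, digits,
    # dot, dash and underscore only, and no "..".  A different parameter
    # (say, an e-mail address) would get its own, different rule.
    return unless defined $raw && $raw !~ /\.\./;
    my ($clean) = $raw =~ /\A([\w.-]{1,64})\z/;   # the capture is untainted
    return $clean;
}

sub build_report_cmd {
    my ($name) = @_;
    # List form of system(): Perl execs the program directly, no /bin/sh,
    # so ; | ` $( ) in the argument are inert even if the untaint rule
    # were looser than it is.  /bin/echo is a stand-in for a hypothetical
    # report generator (assumed path, not from the original post).
    return ('/bin/echo', 'generating report', $name);
}

# --- Demonstration on constructed data -----------------------------------
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (login) VALUES (?)');
$ins->execute($_) for qw(alice bob);

# The second login is a classic injection string; with a placeholder it
# is simply a login nobody has.
for my $login ('alice', "alice' OR '1'='1") {
    my $row = lookup_user($dbh, $login);
    printf "login %-22s => %s\n", "'$login'",
           $row ? "found id $row->{id}" : 'no match';
}

# Constructed parameter values: one legitimate name, then a shell
# metacharacter attempt, a path traversal attempt, and ordinary text
# that this parameter's rule rejects without any h4x0r heuristics.
for my $raw ('q2-2004.txt', 'x; rm -rf /', '../../etc/passwd', 'Rock & roll') {
    my $name = untaint_report_name($raw);
    if (defined $name) {
        my @cmd = build_report_cmd($name);
        system(@cmd) == 0 or warn "report command failed: $?";
    } else {
        print "rejected parameter: '$raw'\n";
    }
}
```

Run it with `perl -T example.pl` (or make it executable so the shebang supplies `-T`); Perl refuses to start if the shebang asks for taint mode but the command line does not. The point of the two separate subs is that the SQL side needs no filtering at all once placeholders carry the data, while the shell side needs a whitelist chosen for that one parameter plus the list form of `system`, so neither defence has to guess what "looks like an attack".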
Re^2: CGI (in)security
by kiat (Vicar) on Jun 15, 2004 at 12:34 UTC