in reply to Re: Sending Data
in thread Sending Data

I would add a third - you are not correctly untainting user input. Specifically:
open (BOBIN, ">>$datefile") ...
is not a good idea when 'datefile' is extracted from a form field, since this gives users the ability to write to any file on your file system via the classic backwards directory traversal trick (e.g. what if the input was "..\..\etc\passwd"?). Whether or not the field is "hidden" is irrelevant.

Equally, echoing user input on your confirmation page verbatim leaves you open to Cross Site Scripting attacks (e.g. what if the input contained <script> ... </script> tags?).

A recent cautionary tale along these lines can be found here.
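As an added illustration of both points above (this is example code, not from the original post or the poster's script), here is the tainted `open` next to an untainted version, plus an HTML-escaped echo. It keeps the poster's `BOBIN` handle and `$datefile` name; the `datefile` and `comment` form fields and the `/var/www/data` directory are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: untainting a form-supplied
# filename before open(), and escaping user input before echoing it back.
# Assumptions: a CGI script receiving "datefile" and "comment" fields, and
# a fixed data directory where the date files are meant to live.
use strict;
use warnings;
use CGI qw(:standard);
use File::Spec;

my $DATA_DIR = '/var/www/data';   # assumption: the only place we write to

# Vulnerable: the filename is used exactly as it arrived from the form.
# With datefile = "../../etc/passwd" (or anything the web server user can
# write), the append lands wherever the client chose.  The 2-argument open
# also lets a leading "|" or ">" in the value change what open() does.
sub append_unsafe {
    my ($datefile, $line) = @_;
    open(BOBIN, ">>$datefile") or die "open: $!";
    print BOBIN "$line\n";
    close BOBIN;
}

# Hardened: accept only the exact shape the script itself generates
# (YYYYMMDD.txt).  The anchored regex capture is also what untaints the
# value when the script runs under perl -T.  The name is then joined to a
# fixed directory and opened with the 3-argument form, so the mode is
# ours and not part of the attacker-controlled string.
sub append_safe {
    my ($datefile, $line) = @_;
    my ($name) = $datefile =~ /\A(\d{8}\.txt)\z/
        or die "rejected filename: $datefile";
    my $path = File::Spec->catfile($DATA_DIR, $name);
    open(my $fh, '>>', $path) or die "open $path: $!";
    print $fh "$line\n";
    close $fh;
}

# Hardened echo: escape the five HTML metacharacters before writing user
# text into the confirmation page, so "<script>...</script>" is displayed
# as text rather than executed by the browser.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

my $datefile = param('datefile') // '';
my $comment  = param('comment')  // '';

append_safe($datefile, $comment);

print header(-type => 'text/html; charset=UTF-8');
print "<p>Recorded: ", html_escape($comment), "</p>\n";
```

Run with `perl -T` to have Perl refuse any write whose path is still tainted; in that mode the regex capture in `append_safe` is the only thing that makes `$path` acceptable, which is a useful check that no other code path is quietly reusing the raw field. `CGI::escapeHTML` does the same job as `html_escape` if you would rather not hand-roll it.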

Re^3: Sending Data
by Midnite (Acolyte) on Aug 12, 2004 at 21:15 UTC
    Actually, '$datefile' is a filename I make up from the current date. If today is 08/13/04, I name the file 20040813.txt; it has nothing to do with user input, other than that it is the date that is submitted.

    Joseph A. Ruffino
    Automated Systems Assistant
    Gail Borden Public Library District
    270 N. Grove Ave
    Elgin, Il, 60120
    847-742-2411 x5986