in reply to Request for Comments - CGI Course

Overall it is a good tutorial. But I think you might like to add some text covering the list forms of system() and exec(). Along those same lines, you should give some amount of coverage to sysopen() vs open(). Another thing you may want to include is some discussion of cookies and the fact that like the hidden fields, unless you do some form of encrypting or digesting of information, the user is free to edit those at will with the possibility of mucking up your system.

cephas
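The two points raised in the comment above (list-form system()/exec(), and digesting hidden fields or cookies before trusting them) in working code. This is an added example, not code from the thread or from the CGI course under review; the CGI parameter value, the secret and the "price" field are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Shows why the list form of
# system()/exec() matters and how to make a hidden field or cookie value
# tamper-evident. All inputs below are constructed for the demo.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# --- 1. list form of system()/exec() -------------------------------------
# Constructed stand-in for an unvalidated CGI parameter.
my $user_file = 'report.txt; echo INJECTED';

# Single-string form: Perl hands the string to /bin/sh, so ';' starts a
# second command. This prints a directory error and then "INJECTED".
system("ls -l $user_file");

# List form (more than one element): no shell is involved, the list becomes
# argv for execvp(). The whole string is one literal file name.
# '--' keeps a leading '-' in the value from being read as an option.
system('ls', '-l', '--', $user_file);

# Caveat: a one-element list is still scanned for shell metacharacters.
# The indirect-object form forces the no-shell path even for one argument.
my @cmd = ('true');
system { $cmd[0] } @cmd;            # never goes through the shell
# exec has the same two forms: exec('prog', @args) / exec { $prog } @args.

# --- 2. hidden fields and cookies -----------------------------------------
# Anything sent to the browser and read back (hidden <input>, cookie) can be
# edited by the user. An HMAC over the value with a server-side secret lets
# the script detect edits. Real secrets belong in config, not in source.
my $secret = 'constructed-demo-secret';

sub sign_value {
    my ($value) = @_;
    return $value . '|' . hmac_sha256_hex($value, $secret);
}

# Returns the original value if the MAC checks out, undef otherwise.
sub verify_value {
    my ($field) = @_;
    my ($value, $mac) = $field =~ /\A(.*)\|([0-9a-f]{64})\z/s or return;
    my $expected = hmac_sha256_hex($value, $secret);
    # Constant-time comparison so a byte-by-byte mismatch is not observable
    # from response timing.
    my $diff = 0;
    $diff |= ord(substr($mac, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($mac) - 1;
    return if $diff;
    return $value;
}

my $hidden = sign_value('price=100');
print "hidden field as sent to the browser: $hidden\n";
print "round trip unchanged: ", verify_value($hidden) // 'rejected', "\n";

(my $tampered = $hidden) =~ s/price=100/price=1/;   # user edits the form
print "after client-side edit: ", verify_value($tampered) // 'rejected', "\n";
```

Signing only proves the value came from your script unmodified; if the value itself must stay hidden from the user, it also needs encrypting, or, simpler, should be kept server-side in a session keyed by an unguessable id.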

sysopen (RE: Request for Comments - CGI Course)
by tye (Sage) on Nov 14, 2000 at 06:15 UTC

    Good comments. On the sysopen() issue, I'd like to note that you can also just use something like:

    open( FILE, "< $filename\0" )

    The leading mode ("<" in this case but can be many other modes like ">>" or "+<"), the separating space (between the mode and the file name), and the trailing null ("\0"), when all present together, prevent interpretation of the file name. So pipes ("|") or greater thans (">") in the $filename string won't cause Perl to spawn a subprocess or write to a file that you wanted to read from. This works even in Perl4.

    Checking the documentation for this I find that modern versions of Perl also support:

    open( FILE, "<", $filename )

    I find no reference to the old method that I described above. I suspect that this is because it has been removed from the documentation, not because it has been removed from Perl (because the latter would be sad, replacing a solution that ports to old versions of Perl with one that doesn't). I'll have to do some checking and report back.

    Using these can be more convenient than using sysopen() while still closing the same security holes.

            - tye (but my friends call me "Tye")
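The behaviour tye describes, side by side: two-argument open() interpreting an attacker-controlled string, the three-argument form treating it as a plain path, the "< $name\0" form from the reply, and sysopen() with explicit flags. This is an added example and not code from the thread; the hostile file name and the upload file are constructed for the demo, and it runs in a throw-away directory.

```perl
#!/usr/bin/perl
# Added example (not from the original thread). Demonstrates how the
# different open() forms treat a hostile file name, plus sysopen() with
# O_EXCL. Runs in a temporary directory; the inputs are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Constructed stand-in for an unvalidated CGI parameter. The trailing '|'
# asks two-argument open() to run a command and read its output.
my $hostile = 'echo pwned-by-2-arg-open |';

# Two-argument form: mode characters inside $name are honoured, so this
# spawns a shell and returns the command's output.
sub read_first_line_two_arg {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    chomp($line //= '');
    return $line;
}

# Three-argument form: $name is only ever a path. For the hostile value
# this fails with "No such file or directory" instead of running anything.
sub read_first_line_three_arg {
    my ($name) = @_;
    open(my $fh, '<', $name) or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    chomp($line //= '');
    return $line;
}

# The form from the reply above: explicit mode, separating space, name,
# trailing "\0". Perl 5.20 and later warn about embedded NULs in pathnames
# in at least some code paths, so check this on the perl you actually
# deploy on rather than assuming it; the three-argument form is the one
# current documentation describes.
sub read_first_line_nul_terminated {
    my ($name) = @_;
    open(my $fh, "< $name\0") or return "open failed: $!";
    my $line = <$fh>;
    close $fh;
    chomp($line //= '');
    return $line;
}

print "2-arg open : ", read_first_line_two_arg($hostile),        "\n";
print "3-arg open : ", read_first_line_three_arg($hostile),      "\n";
print "nul form   : ", read_first_line_nul_terminated($hostile), "\n";

# sysopen(): no string parsing at all, and the flags are explicit.
# O_CREAT|O_EXCL refuses to open if the path already exists, so a file or
# symlink planted by someone else at that name cannot be clobbered or
# followed; the mode 0600 keeps the result private to the script's uid.
my $upload = 'upload.txt';
sysopen(my $out, $upload, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "sysopen $upload: $!";
print {$out} "created safely\n";
close $out;

if (sysopen(my $again, $upload, O_WRONLY | O_CREAT | O_EXCL, 0600)) {
    die "O_EXCL should have refused an existing file";
} else {
    print "second O_EXCL create refused as expected: $!\n";
}
```

Whichever form is used, the file name should still be validated (for example, against a fixed directory and a character allowlist); the safe open() forms only stop the name from being parsed as a pipe or redirection, not from naming a file the script should not touch.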