in reply to Re: Re: Re: Re: Re: Re: Re: Re: (Ovid -- bug in your hand-rolled CGI code) Re: Pushing w/ an associative array?
in thread Pushing w/ an associative array?

I don't see how accepting arbitrary keys is automatically a security hole. That rather depends on what is done with the keys. If all you're doing is writing to a file, for example, I don't see that writing out arbitrary keys increases the risk over writing out known keys. (And if your script is written to expect arbitrary keys, then there are no keys that are unexpected. :)

(tilly) Re*: Pushing with an associative array
by tilly (Archbishop) on Feb 07, 2001 at 21:17 UTC
    merlyn was responding to a request for one variable to have the name of another. This is a bad idea for reasons that Dominus explained at length here. Of course accepting and processing arbitrary keys in a safe manner (e.g. in a hash) is safe. The only possible confusion then will be that (like globals) the same name will get used twice in two places and the two will get confused for each other. Of course then you just have multiple keys which between them are a unique identifier. One for the data element in the form, one for the form.
      Thanks for the reply! It's nice to get some feedback on this node.

      Going back to the original node, I see that the poster asked "how do I make an associative array that holds each of the variable names and its corresponding value?" There was never any question of symbolic references, or even of using CGI's import_names method. The original poster was simply using 'variable name' to mean 'parameter name'.

      So, really, it seems that we agree. Accepting arbitrary parameters in a CGI script is not necessarily a security risk. It becomes a risk only if the parameters are handled in an unsafe way.
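
The two approaches discussed in this thread, side by side, as an added example that is not code from any of the posters: the hash of parameter name to values (the safe form, with `push` so repeated names are kept) and the "name of one variable in another" form done with symbolic references, where the request gets to choose which of the script's own package variables is overwritten. It assumes CGI.pm is installed (it is no longer in core since Perl 5.22) and uses a constructed query string placed in the environment so it runs without a web server.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed sample request so the script runs offline: CGI.pm reads
# GET parameters from QUERY_STRING when no real request is present.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = 'name=alice&colour=red&colour=blue&debug=1';

my $q = CGI->new;

# Safe: every parameter name becomes a hash key, however it is spelled.
# Only data in %param changes; none of the program's own variables do.
my %param;
for my $name ($q->param) {
    # push keeps all values of a repeated name (colour=red&colour=blue)
    push @{ $param{$name} }, $q->multi_param($name);
}

print "--- hash of parameters (safe) ---\n";
for my $name (sort keys %param) {
    print "$name => ", join(', ', @{ $param{$name} }), "\n";
}

# Unsafe: the "variable named by another variable" form the thread warns
# against. With symbolic references, the parameter name selects which
# package variable to assign, so a parameter called "debug" silently
# overwrites the script's own $main::debug.
our $debug = 0;    # a setting the script believes it controls
{
    no strict 'refs';    # strict would (rightly) refuse this
    for my $name ($q->param) {
        ${$name} = $q->param($name);    # $$name = value
    }
}
print "--- symbolic references (unsafe) ---\n";
print "debug is now $debug (set by the query string, not by the code)\n";
```

The hash version prints `debug => 1` as plain data, while the symbolic-reference version prints `debug is now 1`, showing that the same request has changed the script's behaviour rather than just its input.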