in reply to Re: Re: Re: Re: Re: Re: Re: Re: Re: (Ovid -- bug in your hand-rolled CGI code) Re: Pushing w/ an associative array?
in thread Pushing w/ an associative array?

merlyn was responding to a request for one variable to have the name of another. This is a bad idea for reasons that Dominus explained at length here. Of course accepting and processing arbitrary keys in a safe manner (e.g. in a hash) is safe. The only possible confusion then will be that (like globals) the same name will get used twice in two places and the two will get confused for each other. Of course then you just have multiple keys which between them are a unique identifier. One for the data element in the form, one for the form.

Re: (tilly) Re*: Pushing with an associative array
by chipmunk (Parson) on Feb 07, 2001 at 21:28 UTC
    Thanks for the reply! It's nice to get some feedback on this node.

    Going back to the original node, I see that the poster asked "how do I make an associative array that holds each of the variable names and its corresponding value?" There was never any question of symbolic references, or even of using CGI's import_names method. The original poster was simply using 'variable name' to mean 'parameter name'.

    So, really, it seems that we agree. Accepting arbitrary parameters in a CGI script is not necessarily a security risk. It becomes a risk only if the parameters are handled in an unsafe way.
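
The point both posts converge on, as an added example that is not code from either poster: submitted parameter names are kept as keys of a hash, qualified by form name, and never become Perl variable names. The helper `store_params`, the form names and the sample triples are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;      # "strict refs" makes a symbolic reference a fatal error
use warnings;

# Constructed sample input: [form name, parameter name, value] triples as
# they might arrive from two forms. Some names are picked to collide with
# each other or with a Perl global if they were ever used as variable names.
my @submitted = (
    [ 'login',  'name',  'alice'          ],
    [ 'signup', 'name',  'bob'            ],
    [ 'signup', 'ENV',   'not a variable' ],
    [ 'signup', 'color', 'red'            ],
    [ 'signup', 'color', 'blue'           ],
);

# store_params (hypothetical helper) files every value under
# $store{form}{parameter}. Repeated parameters are pushed onto a list,
# so nothing is overwritten and no name leaves the hash.
sub store_params {
    my @triples = @_;
    my %store;
    for my $t (@triples) {
        my ($form, $param, $value) = @$t;
        push @{ $store{$form}{$param} }, $value;
    }
    return \%store;
}

my $store = store_params(@submitted);

# The same parameter name in two forms stays separate, because the
# form name and the parameter name together form the identifier.
print "login name:   @{ $store->{login}{name} }\n";
print "signup name:  @{ $store->{signup}{name} }\n";

# A parameter called ENV is only a hash key; the global %ENV is untouched.
print "signup ENV:   @{ $store->{signup}{ENV} }\n";

# Multi-valued parameters accumulate in submission order.
print "signup color: @{ $store->{signup}{color} }\n";

# List exactly what was received, without trusting any of the names.
for my $form (sort keys %$store) {
    print "$form: ", join(', ', sort keys %{ $store->{$form} }), "\n";
}
```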