$outfile equates to (for example) - 2003-12-18-0001133 , for order number 1133, the preceeding stuff is a date stamp (we have the timestamp from the website, but the filename is unique this way)

Where are $basedir, $month, $year and $day from?

$basedir is set once at the top of the Perl script, just after the shebang code I posted. $month, $year and $day are _only_ used in the code/sub I supplied (the 4 lines) They are 'retrieved' from the system/website.

Have you untainted your foreign source (user input, stream input, file input) variables? If you have NO clue what I mean, then i suggest doing a "man perlsec" and reading up on the taint section. They talk about untainting and the likes.

Yes, I have no idea what you mean. There is a lot of foreign source coming from the browser form. I'll have to read up on 'taint'; the shell access on the website takes 3 cups of coffee to 'work', but I also have Active Sate perl , and I've found 'perlsec', so I'll try and digest that over the next few days

Possibly one thing to consider is this perl script (now 1064 lines) was inherited from a Unix box. Maybe Perl worked _slightly_ differently there ??

Thanks,

Peter

So there is your problem Read up on the man page, it's far more comprehensive compared to what I'll cut-paste for you....

From the man page

The only way to bypass the tainting mechanism is by referencing subpatterns from a regular expres- sion match. Perl presumes that if you reference a substring using $1, $2, etc., that you knew what you were doing when you wrote the pattern. That means using a bit of thought--don't just blindly untaint anything, or you defeat the entire mechanism. It's better to verify that the variable has only good characters (for certain values of "good") rather than checking whether it has any bad characters. That's because it's far too easy to miss bad characters that you never thought of.

If $input is 12345, and 12345 comes from $cgi->param(....), then a simple regexp pattern of...

if($input=~/(\d+)/) { $input = $1; }
else{ $input = undef }
[download]

Your regexp should test and assign out the various ()'s. You can do 3 ()'s at a time, or just one... but only assign $1... $9 ONLY if your regexp matches. doing $input=~/(...)/ and then $input = $1 without an if statement might screw things up BIG time. $1 gets assigned on a successful match. It doesn't get undef'd if a match is unsuccessful.

You don't have to copy $1 back to $input either. I only did it to create less variables. You can do $verifiedInput = $1 too. But remember to program around the cases when the regexp matches or doesn't.


Play that funky music white boy..

Hi sporty,

So there is your problem Read up on the man page, it's far more comprehensive compared to what I'll cut-paste for you....

Looks like I'll have to read up on regexp as well as taint. Also, "what to do" when error messages appear. At present, the user sees some strange message, but I don't see a thing. Maybe a quick email to me, or some (quick) data into MySQL. The problem in this case is we lost an order, because the user can only get _that_ far by pressing "Confirm order". We have no details anywhere of who the person was, not even the email address, let alone the order details. :(

Thanks,

Peter

Possibly one thing to consider is this perl script (now 1064 lines) was inherited from a Unix box. Maybe Perl worked _slightly_ differently there ??

I imagine that perl worked significantly different there as there are many perl built-ins that don't exist on Win32 :-) But I don't think that's relevant to your problem. It just looks like you have possibly multiple sources of tainted data that you need to untaint before using. The cannonical way to untaint your data is by using a regular expression. For example, your $seq variable is read from a file and is supposed to be a number but perl has no way of knowing this; it's just text read from a file. So, to untaint it:

($seq) = $seq =~ /(\d+)/;     # Just grab the first run of digits
[download]

duff

I imagine that perl worked significantly different there as there are many perl built-ins that don't exist on Win32 :-) But I don't think that's relevant to your problem.

Yes, you're are correct. The migration was Unix --> Linux ; I only mentioned Win32, because I also have Perl installed at home, it saves a bit on bandwidth and testing time, and for teaching myself some more perl. That said, there are a number of things I can't do on the Win32 box. :(

It just looks like you have possibly multiple sources of tainted data that you need to untaint before using.

I've never heard of the word taint before, although if something is "tainted", in english, it is "dirty", so I assume tainted data is "dirty data" ?

The cannonical way to untaint your data is by using a regular expression. For example, your $seq variable is read from a file and is supposed to be a number but perl has no way of knowing this; it's just text read from a file. So, to untaint it:

($seq) = $seq =~ /(\d+)/;     # Just grab the first run of digits
[download]

Great, thanks for the tip on how to untaint :)

Peter