On Tue, 17 Jul 2001 [EMAIL PROTECTED] wrote:
> Has anyone out there created a form using the CGI.pm module then taken
> the values submitted by the form and then used those values as command line
> arguments to run another script?
Before you do anything with those form values, make sure they are correct.
And then make sure again.

The first rule of form validation is 'Do not trust the data from the
user'.

The second rule of form validation is 'Do not trust the data from the
user'.

Unless you absolutely have to, running command-line scripts from a CGI
script with data retrieved from a form should not be done. If you do need
to do it, make darn sure the data is correct, because if you are expecting
a command-line argument of 'x', someone can easily have 'x; rm -fr *' in
that form variable, and if that is passed to system, you've got trouble.
-- Brett
http://www.chapelperilous.net/btfwk/
------------------------------------------------------------------------
Patience is a minor form of despair, disguised as virtue.
-- Ambrose Bierce, on qualifiers
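
One way to apply the advice in the reply above, as an added example that is not part of the original message: check the form value against an allowlist, then call `system` in list form so no shell parses it. The helper command, the sub names and the allowed pattern are assumptions chosen for illustration; the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our output before the child process writes its own

# Hypothetical helper: $^X (the running perl) stands in for the real script.
my @HELPER = ($^X, '-e', 'print "helper got: $ARGV[0]\n"');

# Return the value if it is 1-32 characters of [A-Za-z0-9_], otherwise undef.
# \A and \z anchor the whole string, so a trailing newline is rejected too.
sub validate_arg {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

# Run the helper with a validated value.
# Returns the helper's exit status, or undef if the value was rejected
# or the helper could not be started.
sub run_helper {
    my ($raw) = @_;
    my $arg = validate_arg($raw);
    unless (defined $arg) {
        warn "rejected form value\n";
        return;
    }
    # List form: each element is handed to exec as one argument,
    # so ';', '*' and spaces have no special meaning.
    my $rc = system(@HELPER, $arg);
    return $rc == -1 ? undef : $rc >> 8;
}

# Constructed sample inputs. In a CGI script the value would come from
# CGI.pm instead, e.g.  my $raw = $q->param('arg');
for my $raw ('x', 'x; rm -fr *', "x\n", '') {
    (my $shown = $raw) =~ s/\n/\\n/g;
    my $status = run_helper($raw);
    printf "%-14s => %s\n", "'$shown'",
        defined $status ? "ran, exit $status" : 'rejected';
}
```

Only the first sample value reaches the helper; the other three are rejected before `system` is called.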