Yeah I had thought about that but this is an internal app for a web
developer and only she will be using it.
Of course I am listening to all suggestions since I am trying to figure
out how to proceed from here.



"Brett W. McCoy" <bmccoy@chapelperilous.net>
To: <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: passing form values to another Perl script
07/17/2001 01:36 PM



On Tue, 17 Jul 2001 [EMAIL PROTECTED] wrote:

>      Has anyone out there created a form using the CGI.pm module then taken
> the values submitted by the form and then used those values as command line
> arguments to run another script?

Before you do anything with those form values, make sure they are correct.
And then make sure again.

The first rule of form validation is 'Do not trust the data from the
user'.

The second rule of form validation is 'Do not trust the data from the
user'.

Unless you absolutely have to, running command-line scripts from a CGI
script with data retrieved from a form should not be done.  If you do need
to do it, make darn sure the data is correct, because if you are expecting
a command-line argument of 'x', someone can easily have 'x; rm -fr *' in
that form variable, and if that is passed to system, you've got trouble.

-- Brett

http://www.chapelperilous.net/btfwk/
------------------------------------------------------------------------
Patience is a minor form of despair, disguised as virtue.
                     -- Ambrose Bierce, on qualifiers


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
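The check Brett describes, as an added example that is not part of the original thread: the CGI value is accepted only if it matches the exact shape the script expects, and the other script is then run with the list form of system(), which never passes the argument through a shell. The field name "name" and the helper script ./other_script.pl are assumed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread. Assumes a form field named
# "name" and a helper script ./other_script.pl (both hypothetical).
use strict;
use warnings;
use CGI;

my $q   = CGI->new;
my $raw = $q->param('name');

# Do not trust the data from the user: accept only what we expect.
# Here an identifier of 1..32 letters, digits, underscores or hyphens.
# The capture also untaints the value under perl -T; anything else,
# including ';' or spaces, is rejected before it goes anywhere.
my ($arg) = ($raw // '') =~ /\A([A-Za-z0-9_-]{1,32})\z/
    or do {
        print $q->header(-status => '400 Bad Request'), "Invalid input\n";
        exit;
    };

# Second line of defence: the list form of system() runs the program
# directly with argv elements, so shell metacharacters in $arg are just
# bytes of one argument, never command separators.
$ENV{PATH} = '/usr/bin:/bin';    # taint mode requires a trusted PATH
my $rc = system('/usr/bin/perl', './other_script.pl', $arg);
if ($rc != 0) {
    print $q->header(-status => '500 Internal Server Error'),
          "Helper script failed\n";
    exit;
}
print $q->header, "OK\n";
```

Run under -T so Perl itself refuses to pass unvalidated form data to system(); the regex capture is the only path by which a value becomes untainted.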





