--- "Gavin Nelmes-Crocker [CobaltWorld]" <[EMAIL PROTECTED]> wrote:
> Guys, I've got a newbie question - I have been hacking at a perl script to
> change it to do what I want - it nearly does but I can't understand why the
> main bit isn't working. Basically the script gets sent a string from an
> html form which it then needs to use as part of a system command.

This is very dangerous:

    http://someserver.com/cgi-bin/script.pl?ls%3Brm%20-fr%20%2F%3B

With that URL, you'll be executing the following:

    system("/usr/bin/fms_registration ls;rm -fr /; /usr/bin/fmserverd");

I don't know what your programs do, but I know what 'rm -fr /' does.

You should read http://www.perl.com/language/CPAN/doc/FAQs/cgi/perl-cgi-faq.html for detailed information on how dangerous data can enter your script. Also, read 'perldoc perlsec'.

There are plenty of ways to get around what you're doing, but please read the docs and learn a bit about Web security. You'll have a much better understanding of these issues and you can create safer programs.

Cheers,
Curtis "Ovid" Poe

=====
"Ovid" on http://www.perlmonks.org/
Someone asked me how to count to 10 in Perl:
push@A,$_ for reverse q.e...q.n.;for(@A){$_=unpack(q|c|,$_);@a=split//;
shift@a;shift@a if $a[$[]eq$[;$_=join q||,@a};print $_,$/for reverse @A
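
Added example, not part of the original post and not the poster's script: one way to pass a form value to the two programs named above without a shell ever parsing it, using taint mode, an allow-list check and list-form system() as described in perldoc perlsec. The field name `regcode`, the helper `clean_arg` and the allowed character set are assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;    # not bundled with Perl since 5.22; install from CPAN if missing

# Taint mode (-T) refuses to run external commands until PATH is set
# explicitly and the shell-affecting variables are removed.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allow-list check. Returns the untainted value, or undef if the input
# contains anything outside the expected alphabet (so ';', spaces, '/',
# quotes and backticks are all rejected). The pattern is an assumption:
# tighten it to whatever fms_registration really accepts.
sub clean_arg {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

my $q   = CGI->new;
my $arg = clean_arg(scalar $q->param('regcode'));   # hypothetical field name

print $q->header('text/plain');
unless (defined $arg) {
    # Reject rather than try to "repair" the value.
    print "Invalid input\n";
    exit;
}

# List-form system(): every element becomes exactly one argv entry and
# no shell is started, so shell metacharacters have no special meaning.
# The two programs are run as two separate calls instead of being
# joined with ';' in a single string.
system('/usr/bin/fms_registration', $arg) == 0
    or die "fms_registration failed: $?";
system('/usr/bin/fmserverd') == 0
    or die "fmserverd failed: $?";

print "Done\n";
```

With the URL quoted above, the decoded value contains spaces, ';' and '/', so `clean_arg` returns undef and neither program is run.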