Hello,

My question is:

Is there a better, easier, more secure, 
prettier way to do what I'm outlining below?

There are some screamingly obvious security issues, but 
at this point I'm more interested in getting it to do 
what I need; then I'll focus on redesigning for security.


I have a script ( http://server1.com/database.cgi ) that does select statements on a database.

I have another script that needs to ask that script for values of different things in the database.

An example 'conversation' would need to go like this :

http://server1.com/showmedata.cgi says :

    hello http://server1.com/database.cgi I need the value of 'first_name'
            
    
http://server1.com/database.cgi says :

    Why let me look, ah yes here it is It's 'Joe'

http://server1.com/showmedata.cgi says  :
    
    Thanks. $first_name is now 'Joe'

I've 'accomplished' this through LWP module by doing a simple 
get and having the database script just output the value :

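Something like thus:

use LWP::UserAgent;
use HTTP::Request;
my $ua  = LWP::UserAgent->new;
# Ask database.cgi for a single value
my $req = HTTP::Request->new(GET => "http://server1.com/database.cgi?grab=first_name");
my $res = $ua->request($req);
print "your first name is :";
# The response body is just the value, e.g. 'Joe'
print $res->content;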

Where database.cgi just does the lookup and outputs :
Content-type:text/plain
Joe

So that $res->content is just 'Joe'

Works ok, but before I get into formatting the output from database.cgi and parsing it 
in the showmedata.cgi
so that I can get multiple values ( 
http://server1.com/database.cgi?grab=first_name,last_name,favorite_beer )

without having to have database.cgi do ( and basically creating my own personal 
protocol ):
Content-type:text/plain
first_name:Joe
last_name:Mama
favorite_beer:Killian's Red

And then doing a split to get an array of each line and then 
splitting each line to assign the value to the appropriate var.

Since, besides being unsure that each line will be formatted the way I 
need and the obvious glaring security issues, I have to do a request 
for each piece of data I need.

Again, I'm not as concerned with security right now, because:
1) I actually have them send an account id and then only the variables listed for that id 
   are available.
2) The current data would be completely useless to someone if they went to that url.
3) The script only does 'select' statements so no one can enter bad commands in the input 
   to do nasty drop databases, etc.
4) The input never gets put into a query; the query is made based on what the input looks 
   like.
        IE
            if($grab =~ m/^first_name$/) { $query = "SELECT first_name FROM table_name WHERE ID=$id"; }
            # $id is set from another query earlier on
5) The data is all mine, I'm the only one using this right now while I'm developing it, 
   and if someone wants to get some fake data on their browser then by all means go for 
   it!
6) After I get my plan of attack down better, then I'll be better able to figure out what 
   security methods work the best.

Thanks for your insight!

Dan
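
Added example, not part of Dan's message: one way showmedata.cgi could parse the multi-value "name:value" body strictly, so that a badly formatted or unexpected line is refused instead of being assigned to a variable. The function name parse_response, the %ALLOWED list and both sample bodies are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Field names the client will accept (taken from the post's example URL).
my %ALLOWED = map { $_ => 1 } qw(first_name last_name favorite_beer);

# Parse a one-"name:value"-per-line body into a hash reference.
# Dies on anything that was not asked for or is not well formed.
sub parse_response {
    my ($body, @wanted) = @_;
    my %want = map { $_ => 1 } @wanted;
    my %data;
    for my $line (split /\r?\n/, $body) {
        next if $line eq '';
        # A limit of 2 keeps any colons inside the value intact.
        my ($name, $value) = split /:/, $line, 2;
        die "malformed line: '$line'\n" unless defined $value;
        die "unexpected field: '$name'\n"
            unless $ALLOWED{$name} && $want{$name};
        die "duplicate field: '$name'\n" if exists $data{$name};
        # Refuse control characters rather than passing them on to output.
        die "bad value for '$name'\n" if $value =~ /[[:cntrl:]]/;
        $data{$name} = $value;
    }
    my @missing = grep { !exists $data{$_} } @wanted;
    die "missing field(s): @missing\n" if @missing;
    return \%data;
}

# Constructed sample body, standing in for $res->content.
my $sample = "first_name:Joe\nlast_name:Mama\nfavorite_beer:Killian's Red\n";
my $data   = parse_response($sample, qw(first_name last_name favorite_beer));
print "$_ = $data->{$_}\n" for sort keys %$data;

# Constructed bad body: an extra field is rejected, not half-parsed.
my $bad = "first_name:Joe\nis_admin:1\n";
eval { parse_response($bad, qw(first_name)); 1 }
    or print "rejected: $@";
```

Keeping the values in a hash keyed by the allowed names, rather than assigning each line to a variable named after it, means the remote script can never choose which variable gets set.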
    
