In case you're wondering why I don't just use DBI to get the data 
directly from the database in showmedata.cgi the reason is this :

I want to have my database information in one script that is on a server
I control, instead of having it on possibly hundreds of scripts all over 
the internet. 

Besides the info not being under my control, what happens if I have to change
something on the database? Email 500 people and have them change the script out?

Support nightmare!!! And all of a sudden half of them are broken and I have to 
fix it, when all I would have had to do is change a few lines in one script that
I have access to.

Hope that helps clear up why in the world I'd want to do something this way.


> Hello,
> 
> My question is : 
> 
> Is there a better, easier, more secure, 
> prettier way to do what I'm outlining below?
> 
> There are some screamingly obvious security issues but 
> at this point I'm more interested in getting it to do 
> what I need then I'll focus on redesigning for security.
> 
> 
> I have a script ( http://server1.com/database.cgi ) that does 
> select statements on a database.
> 
> I have another script that needs to ask that script for 
> values of different things in the database.
> 
> An example 'conversation' would need to go like this :
> 
> http://server1.com/showmedata.cgi says :
> 
>     hello http://server1.com/database.cgi I need the value of 'first_name'
> 
> http://server1.com/database.cgi says :
> 
>     Why let me look, ah yes here it is It's 'Joe'
> 
> http://server1.com/showmedata.cgi says :
> 
>     Thanks. $first_name is now 'Joe'
> 
> I've 'accomplished' this through LWP module by doing a simple 
> get and having the database script just output the value :
> 
> Something like this:
> 
> use strict;
> use warnings;
> use LWP::UserAgent;
> use HTTP::Request;
> my $ua  = LWP::UserAgent->new;
> my $req = HTTP::Request->new(GET => "http://server1.com/database.cgi?grab=first_name");
> my $res = $ua->request($req);
> # database.cgi answers with a text/plain body holding just the value
> print "your first name is :";
> print $res->content;
> 
> Where database.cgi just does the lookup and outputs : 
> Content-type:text/plain Joe
> 
> So that $res->content is just 'Joe'
> 
> Works ok but before I get into formatting the output from 
> database.cgi and parsing it in the showmedata.cgi so that I 
> can get multiple values ( 
> http://server1.com/database.cgi?grab=first_name,last_name,favorite_beer )
> 
> Without having to have database.cgi do ( and basically 
> creating my own personal protocol ): Content-type:text/plain 
> first_name:Joe last_name:Mama favorite_beer:Killian's Red
> 
> And then doing a split to get an array of each line and then 
> splitting each line to assign the value to the appropriate var.
> 
> Since besides being unsure that each line will be formatted the way I 
> need and the obvious glaring security issues, I have to do a request 
> for each piece of data I need.
> 
> Again, I'm not as concerned with security right now. Because:
> 1) I actually have them send an account id and then only the 
> variables listed for that id are available.
> 2) The current data would be completely useless to someone if 
> they went to that url.
> 3) The script only does 'select' statements so no one can enter 
> bad commands in the input to do nasty drop databases, etc..
> 4) The input never gets put into a query, the query is made 
> based on what the input looks like.
>     IE
>     if($grab =~ m/^first_name$/) { $query = "SELECT first_name FROM table_name WHERE ID=$id"; }
>     # $id is set from another query earlier on
> 5) The data is all mine, I'm the only one using this right now 
> while I'm developing it, and if someone wants to get some 
> fake data on their browser then by all means go for it!
> 6) After I get my plan of attack down better, then I'll be 
> better able to figure out what security methods work the best.
> 
> Thanks for your insight!
> 
> Dan
>     
> 
> -- 
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
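As an added illustration (not Dan's code, and not taken from any project), here is a self-contained Perl sketch of the multi-value version of the exchange above: database.cgi checks every requested name against an allow-list and keeps the account id as a bind placeholder rather than interpolating it, then emits the name:value lines of the home-grown protocol, and showmedata.cgi parses them back into a hash. The table and column names come from the post; the sample row is constructed here in place of a real DBI result.

```perl
use strict;
use warnings;

# --- database.cgi side ---------------------------------------------------
# Only names in this allow-list ever reach the SQL text; the request is
# matched against the list, never interpolated (point 4 above, generalised).
my %ALLOWED = map { $_ => 1 } qw(first_name last_name favorite_beer);

# Build one SELECT for every valid requested column. The account id is left
# as a '?' placeholder for DBI's execute() instead of being interpolated.
sub build_query {
    my ($grab) = @_;
    my @cols = grep { $ALLOWED{$_} } split /,/, $grab;
    die "no valid fields requested\n" unless @cols;
    my $sql = sprintf 'SELECT %s FROM table_name WHERE ID = ?', join(', ', @cols);
    return ($sql, \@cols);
}

# Emit the "name:value" lines of the home-grown protocol. A newline inside a
# value would forge an extra line, so newlines are replaced by spaces.
sub format_response {
    my ($cols, $row) = @_;
    return join '', map {
        my $v = $row->{$_} // '';
        $v =~ s/[\r\n]+/ /g;
        "$_:$v\n";
    } @$cols;
}

# --- showmedata.cgi side -------------------------------------------------
# Rebuild a hash from the body. Split on the FIRST ':' only, so a value such
# as "Killian's Red: draft" is not cut in half.
sub parse_response {
    my ($body) = @_;
    my %data;
    for my $line (split /\n/, $body) {
        next unless length $line;
        my ($k, $v) = split /:/, $line, 2;
        $data{$k} = $v // '';
    }
    return \%data;
}

# Constructed sample row standing in for a DBI fetchrow_hashref() result;
# the bogus 'password' field in the request is silently dropped.
my ($sql, $cols) = build_query('first_name,last_name,favorite_beer,password');
my $body = format_response($cols, { first_name => 'Joe', last_name => 'Mama',
                                    favorite_beer => "Killian's Red" });
my $data = parse_response($body);
print "$sql\n$body", "Hello $data->{first_name}, enjoy your $data->{favorite_beer}\n";
```

Running it prints the generated SELECT with its placeholder, the three protocol lines, and the greeting built from the parsed hash; requesting a name outside the allow-list changes nothing but the column list.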
