Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
Sara wrote:
> bad guys can always create their own form
> I can't say how others do it, but almost every script of mine starts with:
> if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) { exit; }
> it helps eliminate Bad Guys' forms & shoving of data
Really? use HTTP::Request::Common 'POST'; use LWP::User
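Gunnar's snippet is cut off in the archive; the following is an added example (not code from the thread) of what he is getting at. Referer is a request header the client fills in, so any HTTP client can claim to have come from yourdomain.com. The target URL, the Referer value and the form fields are placeholders I chose.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common 'POST';

# Placeholder target (assumption): the CGI script that does the Referer check.
my $target  = 'http://www.example.com/cgi-bin/guestbook.pl';
# The value the server-side regex /yourdomain.com/ is looking for.
my $referer = 'http://yourdomain.com/guestbook.html';

# Build a POST that looks as if it came from the site's own form. Referer is
# just another request header; the client can set it to anything it likes.
my $req = POST $target,
    Referer => $referer,
    Content => [
        name    => 'not from your form',
        comment => 'posted by a script that never loaded your HTML',
    ];

# Show the request exactly as it will go on the wire.
print $req->as_string;

# Send it only when asked to, so the script can be inspected offline.
if (@ARGV && $ARGV[0] eq '--send') {
    my $res = LWP::UserAgent->new->request($req);
    print $res->status_line, "\n";
}
```

The printed request carries `Referer: http://yourdomain.com/guestbook.html`, so `$ENV{'HTTP_REFERER'} !~ /yourdomain.com/` is false and the script carries on. Two smaller points about that regex: the dot is unescaped, so it also matches `yourdomainXcom`, and there is no anchor, so `http://yourdomain.com.attacker.example/` matches as well. Meanwhile legitimate users whose browser or proxy strips Referer are rejected.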

Re: untainting data

2004-11-10 Thread Sara
No, I don't know; can you please explain how it can be spoofed? I am interested in details.
- Original Message -
From: "Bob Showalter" <[EMAIL PROTECTED]>
To: "'Sara'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, November 11, 2004 3:17 AM
Subject: RE: untainting data
>

RE: untainting data

2004-11-10 Thread Bob Showalter
Sara wrote:
> > > > bad guys can always create their own form
> > I can't say how others do it, but almost every script of mine starts with:
> >
> > if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
> >     exit;
> > }
> >
> > it helps eliminate Bad Guys' forms & shoving of data (no remote postings allowed).
You

Re: untainting data

2004-11-10 Thread Sara
>>> bad guys can always create their own form
I can't say how others do it, but almost every script of mine starts with:

if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
    exit;
}

it helps eliminate Bad Guys' forms & shoving of data (no remote postings allowed).
Sara.
- Original Message

Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
Sara wrote:
> If the 'name' is coming from a Form, try limiting it within the form tags, it's always a better idea.
Better!? Nope. It may be a convenient *supplement*, so that people don't need to unnecessarily type a string that the script immediately rejects, but please note that people can submit

Re: untainting data

2004-11-10 Thread B McKee
On Wednesday, November 10, 2004, at 04:02 PM, Sara wrote:
> If the 'name' is coming from a Form, try limiting it within the form tags, it's always a better idea.
I thought (correct me if I'm wrong here - I'm no expert) that you want to do this at both ends because the bad guys can always create

Re: untainting data

2004-11-10 Thread Sara
If the 'name' is coming from a Form, try limiting it within the form tags; it's always a better idea. Or, if you insist on doing it within the script, use the 'substr' function:

my $name = param('name');
my $limited_name = substr($name, 0, 40);

Thanks,
Sara.
- Original Message -
From: "David

Re: untainting data

2004-11-10 Thread Gunnar Hjalmarsson
David Gilden wrote:
> Is the following all I need to untaint data?
> #!/usr/bin/perl
> use CGI qw/:standard/;
> my $name = param('name');
> $name =~ s/(\w+)/$1/;
That does not untaint anything. What you need to do to learn about taint mode is read the applicable docs: perldoc perlsec
> What can I do

untainting data

2004-11-10 Thread David Gilden
Hello,
Is the following all I need to untaint data?

#!/usr/bin/perl
use CGI qw/:standard/;
my $name = param('name');
$name =~ s/(\w+)/$1/;

What can I do to limit string length to 40 characters?
Thanks,
Dave (kora musician / audiophile / webmaster @ www.coraconnection.com / Ft. Worth, TX
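David's two questions (how to untaint, and how to cap the length at 40) and Gunnar's answer pointing at perlsec have one combined answer, shown here as an added example that is not code from the thread. Under `-T` the only thing that untaints a string is a regex capture: anchor the whole input, whitelist the characters, put the length limit in the same pattern, and use `$1` as the clean copy. The character class, the hypothetical `untaint_name` helper and the use of `$ENV{NAME}` as a stand-in for `param('name')` are my assumptions.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a user-supplied name: anchor the whole string, whitelist the
# characters (letters, space, apostrophe, hyphen, dot; an assumption about
# what a "name" may contain) and cap the length at 40 in the same regex.
# Returns the untainted value, or undef if the input is not acceptable.
# \A and \z are used instead of ^ and $ so a trailing newline cannot slip in.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z][A-Za-z .'-]{0,39})\z/ ? $1 : undef;
}

# Stand-in for param('name'): under -T, everything from %ENV is tainted just
# like CGI parameters are, so this gives a genuinely tainted scalar to work
# on.  Run as:  NAME="Alice O'Brien" perl -T untaint.pl
my $input = defined $ENV{NAME} ? $ENV{NAME} : 'Alice';

printf "input tainted: %s\n", tainted($input) ? 'yes' : 'no';

my $name = untaint_name($input);
if (defined $name) {
    printf "accepted '%s' (%d chars), tainted: %s\n",
        $name, length $name, tainted($name) ? 'yes' : 'no';
} else {
    # Reject rather than truncate: substr() keeps the taint and says nothing
    # about what the string contains.
    print "rejected\n";
}
```

Run it with `perl -T` (or via the shebang); plain `perl untaint.pl` dies with "Too late for -T". With `NAME="Alice O'Brien"` the value comes in tainted and comes out of `untaint_name` clean at 13 characters; a 41-character name, a name with a trailing newline, or `<script>` all return undef and are rejected. This is why `s/(\w+)/$1/` from the original question does nothing useful: it replaces the first word run with itself, leaves the rest of the string untouched and, because it is a substitution rather than a capture assigned to a new variable, never produces an untainted value.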