> I can't say how others do it, but almost every script of mine starts with:
>
>     if ($ENV{'HTTP_REFERER'} !~ /yourdomain.com/) {
>         exit;
>     }
>
> It helps eliminate Bad Guys' forms and shoving of data (no remote postings
> allowed).
Sorry to differ, but it does not. HTTP_REFERER is set by the client. A better way is to use a regex match such as the one below within your CGI.

    use strict;
    use warnings;
    use CGI;

    my $cgi = CGI->new;
    my $foo = $cgi->param('foo');
    inputErrorHandler($foo) unless testInput($foo);

    sub testInput { # boolean: 1 if the value is acceptable, 0 otherwise
        my $string = shift;
        return 0 unless defined $string;
        return 0 if ($string =~ /[EMAIL PROTECTED]/); # tests email for invalid chars
        return 1;
    }

    sub inputErrorHandler { # reject the request; body is a placeholder
        my $bad = shift;
        print $cgi->header('text/plain'), "Invalid input\n";
        exit;
    }

PS. To test any given filter, try telnetting to port 80 on your web server and issuing the resource request manually in plain text. Crafting malicious input is one excellent way of security testing CGI software.

PPS. See also: `perldoc perlre`, CGI::Validate, RFC 2616, etc...

--
=====================
Shaun Fryer
=====================
http://sourcery.ca/
ph: 416-544-9461
=====================
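As an added example (my own code, not from Shaun's post or the quoted script), the following Perl program puts the two approaches side by side: the referer test from the quoted message, run against a constructed %ENV that any client can send verbatim, and an allow-list validator for an email field that rejects everything outside the characters the form expects. The character class, the helper names and the sample inputs are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The test from the quoted message. It passes whenever the client
# chooses to send a Referer containing the domain, so it says nothing
# about where the request really came from.
sub referer_allows {
    my ($env, $domain) = @_;
    return 0 unless defined $env->{HTTP_REFERER};
    return $env->{HTTP_REFERER} =~ /\Q$domain\E/ ? 1 : 0;
}

# Allow-list validation of the field itself. Assumed policy: one
# local-part@host, letters/digits/._%+- before the @, a dotted host
# with an alphabetic TLD after it, at most 254 characters, no newlines.
sub valid_email {
    my $s = shift;
    return 0 unless defined $s && length($s) <= 254;
    return 0 if $s =~ /[\r\n]/;        # newlines would allow header injection
    return $s =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Constructed environment: a client can set this header to anything.
my %forged_env = (HTTP_REFERER => 'http://yourdomain.com/form.html');
printf "referer check on a client-supplied Referer: %s\n",
    referer_allows(\%forged_env, 'yourdomain.com') ? 'allowed' : 'blocked';

# Constructed inputs for the field validator.
my @samples = (
    ['plain address',        'alice@example.com'],
    ['embedded newline',     "alice\@example.com\nBcc: someone\@example.org"],
    ['shell metacharacters', 'alice@example.com; ls'],
    ['missing domain',       'alice@'],
);
for my $pair (@samples) {
    my ($label, $input) = @$pair;
    printf "%-22s -> %s\n", $label, valid_email($input) ? 'accept' : 'reject';
}
```

Only the first sample is accepted; the referer check, by contrast, reports the forged request as allowed.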