--- Jay Savage <[EMAIL PROTECTED]> wrote:

> It's actually Data::Dumper, and yes, it's a cpan module. It turns
> Perl data structures into a format that can be evaled to recreate
> the original structure.
Using "eval" is a great reason why this solution is so dangerous. Once anyone with even a passing knowledge of programming views the HTML source, they're going to have a pretty good idea of what's going on. At this point, it becomes trivial to insert something into the Data::Dumper structure which does bad things when being eval'ed.

If you go the Data::Dumper route (and I generally don't advise using the client for persistence), then you want to also add a "digest" to digitally sign the data structure. You need a secret key which is unlikely to be guessed and you put the digest signature in a hidden field like so (broken across lines for readability):

  <input type="hidden"
         name="digest"
         value="6a204bd89f3c8348afd5c77c717a097a"/>

That digest would be created by something like this (Digest::SHA1 is theoretically more secure):

  use Data::Dumper;
  use Digest::MD5 qw(md5_hex);

  my $digest = digest( Dumper( $data_to_be_persisted ) );

  sub digest {
      my $data   = shift;
      my $secret = get_secret_key();   # returns the server-side secret
      return md5_hex($secret . $data);
  }

And then you'd read that back in from the form with something like this:

  use CGI qw(:standard);

  my $data   = param('data');
  my $digest = param('digest');

  unless ( $digest eq digest($data) ) {
      # data has been tampered with
  }

Note that a random secret key can be problematic. Using different secret keys for creating the digest and testing the digest guarantees that the digests will not match.

Cheers,
Ovid

--
If this message is a response to a question on a mailing list, please send follow up questions to the list.

Web Programming with Perl -- http://users.easystreet.com/ovid/cgi_course/
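As an added example (not from the post above or from either poster), here is the sign-then-verify round trip for a Data::Dumper string, using an HMAC from the core Digest::SHA module instead of the md5_hex($secret . $data) construction, and refusing to eval anything whose signature does not match. The secret and the sample structure are constructed placeholders.

```perl
# Added example: HMAC-sign a Data::Dumper string and verify before eval.
use strict;
use warnings;
use Data::Dumper;
use Digest::SHA qw(hmac_sha256_hex);

$Data::Dumper::Sortkeys = 1;   # stable key order so the digest is reproducible
$Data::Dumper::Terse    = 1;   # emit the bare structure, no "$VAR1 =" prefix

# Placeholder secret: a real deployment loads this from config, not source.
my $SECRET = 'placeholder-secret-key-change-me';

# HMAC binds the secret to the data without the prefix-secret weaknesses.
sub sign {
    my ($serialized) = @_;
    return hmac_sha256_hex($serialized, $SECRET);
}

# Constant-time comparison so a mismatch does not leak where it failed.
sub digests_match {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Only eval the structure after the signature checks out; undef otherwise.
sub restore_if_valid {
    my ($serialized, $digest) = @_;
    return undef unless digests_match($digest, sign($serialized));
    my $data = eval $serialized;
    return $@ ? undef : $data;
}

# Constructed sample of what the form would round-trip.
my $state      = { cart => [qw(apple pear)], step => 2 };
my $serialized = Dumper($state);
my $digest     = sign($serialized);

my $ok = restore_if_valid($serialized, $digest);
print "restored step: $ok->{step}\n" if $ok;

# Tampered copy: one value changed in the data, digest left unchanged.
(my $tampered = $serialized) =~ s/'step' => 2/'step' => 9/;
print "tampered copy rejected\n" unless restore_if_valid($tampered, $digest);
```

The hidden fields would carry $serialized and $digest; the same constant-time check applies when the digest comes back via param('digest').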