Mary Anderson wrote:
Hi,
   I am writing my first Perl CGI program.  I get logins through one CGI
script. When the user has logged in I use a(href->myurl$login=mylogin&password=mypassword to get to my input screen. Logins are checked by doing a trial connection
to the database. I plan to run in taint mode.  I will be checking each
field for obvious signs of corruption before entering it in the database. So the user enters data which is checked for corruption before it is put in
the database.

   I am running ActivePerl under WindowsXP and using IIS as a webserver.

Are there things I should be doing, besides not running on Windows and IIS,
to make my application more secure?  I am careful to timestamp every row in
every table in case some malicious nonsense is done and I have to clean up
the mess.

Thanks
Mary Anderson

To answer your security question:

Firstly, you don't want to use a URL-encoding mechanism to transfer your passwords from one page to another. You should use cookies and even then you want to encrypt them with:

$encryptedText = crypt($clearText, $salt);   # crypt(PLAINTEXT, SALT): plaintext first, salt second

Where $salt can be any 2-byte string.

Secondly, you should look into SSL for each page that uses authentication and use secure cookies.

Thirdly, you should download a decent webserver from the net, I suggest Apache. IIS is full of security holes* and vulnerabilities*. If you are processing credit cards, paypal or anything that someone would not want written on a postcard and sent across the world, you really should look into a better webserver.

* Have a look at this: http://www.grc.com/pw/FBIAnnouncement.htm
             and this: http://www.grc.com/pw/patchwork.htm



Charlie Somerville

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>
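A worked version of the advice in this thread, as an added example that is not code from either poster: the password never travels in a URL, only a crypt() hash is stored (plaintext first, salt second), the cookie carries a random session id rather than credentials and is flagged Secure and HttpOnly, taint mode is honoured by whitelisting the login field, and every database access goes through DBI placeholders. It assumes CGI.pm, DBI with DBD::SQLite and Digest::SHA are installed; the table layout, the test account and the /input.cgi target are made up for the example.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumes CGI.pm, DBI with DBD::SQLite
# and Digest::SHA are installed; the schema and /input.cgi are hypothetical.
use strict;
use warnings;
use CGI;
use CGI::Cookie;
use DBI;
use Digest::SHA qw(sha256_hex);

# Taint mode refuses to spawn child processes with an untrusted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical schema, in memory so the script runs stand-alone.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (login TEXT PRIMARY KEY, pwhash TEXT NOT NULL, created TEXT NOT NULL)');
$dbh->do('CREATE TABLE sessions (sid TEXT PRIMARY KEY, login TEXT NOT NULL, created TEXT NOT NULL)');

# Random bytes from the OS CSPRNG where it is exposed as a device file.
sub random_bytes {
    my $n = shift;
    if (open my $fh, '<:raw', '/dev/urandom') {
        my $got = read $fh, my $buf, $n;
        close $fh;
        return $buf if defined $got && $got == $n;
    }
    # Fallback for Windows, where /dev/urandom does not exist: rand() is NOT a CSPRNG,
    # so replace this with Crypt::URandom (CPAN) or a CryptGenRandom binding in production.
    return join '', map { chr(int(rand 256)) } 1 .. $n;
}

# Two characters from crypt()'s 64-symbol salt alphabet; 256 % 64 == 0, so no bias.
sub make_salt {
    my @alphabet = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');
    return join '', map { $alphabet[ ord($_) % 64 ] } split //, random_bytes(2);
}

# Perl's crypt() takes PLAINTEXT first and SALT second. Traditional DES crypt only
# looks at the first eight characters of the password; where the C library accepts a
# "$6$..." salt (SHA-512 crypt) use that instead, since it has no such truncation.
sub register_user {
    my ($login, $password) = @_;
    my $hash = crypt($password, make_salt());
    $dbh->do('INSERT INTO users (login, pwhash, created) VALUES (?, ?, ?)',
             undef, $login, $hash, scalar localtime);
}

# Re-run crypt() with the stored hash as the salt (the salt is its prefix) and compare
# every byte without short-circuiting, so timing does not reveal partial matches.
sub check_password {
    my ($login, $password) = @_;
    my ($stored) = $dbh->selectrow_array(
        'SELECT pwhash FROM users WHERE login = ?', undef, $login);
    return 0 unless defined $stored;
    my $candidate = crypt($password, $stored);
    return 0 unless length($candidate) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Untaint with a whitelist of characters; anything else is rejected, not "cleaned up".
sub untaint_login {
    my $v = defined $_[0] ? $_[0] : '';
    return $v =~ /\A([A-Za-z0-9_.@-]{1,64})\z/ ? $1 : undef;
}

# The cookie carries a fresh 256-bit random session id instead of the login and
# password; the server maps it back to the user through the sessions table.
sub new_session {
    my $login = shift;
    my $sid = sha256_hex(random_bytes(32));
    $dbh->do('INSERT INTO sessions (sid, login, created) VALUES (?, ?, ?)',
             undef, $sid, $login, scalar localtime);
    return $sid;
}

register_user('mary', 'correct horse battery');   # constructed test account

my $q        = CGI->new;
my $login    = untaint_login(scalar $q->param('login'));
my $password = $q->param('password');             # left tainted: only ever fed to crypt()
$password = '' unless defined $password;

if (defined $login && check_password($login, $password)) {
    my $cookie = CGI::Cookie->new(
        -name     => 'session',
        -value    => new_session($login),
        -secure   => 1,   # browser sends it over HTTPS only
        -httponly => 1,   # not readable from JavaScript, so XSS cannot steal it
        -path     => '/',
    );
    print $q->redirect(-uri => '/input.cgi', -cookie => $cookie, -status => '303 See Other');
} else {
    print $q->header(-status => '401 Unauthorized', -type => 'text/plain'), "login failed\n";
}
```

Run it with `perl -T` behind an HTTPS-only server; a POSTed login and password either yield a 303 to the input screen with the session cookie set, or a 401. The -secure flag only helps if the login page itself is served over SSL, otherwise the browser has already sent the form fields in the clear. The rand() fallback in random_bytes is the one part that must be replaced before deployment on Windows.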