> print CGI::header();
> print "hello\n";
> print "foo\n";
> print "bar\n";
> foreach my $line (<FILE>) {
>     my $result = &do_something($line);
> }
>
> use LWP::Simple;
> my $credit_card_server = "secure.mybank.com";
> my $username = "my_secret_username";
> my $password = "my_password";
> for $name (param()) {
>     $$name = param($name);
> }
>
> my $result = get("https://$credit_card_server/refund.pl?".
>     "username=$username&password=$password&".
>     ...some more details about what to refund...
> );
>
> a sneaky user could easily redefine "$credit_card_server",

Point well made. Thought about your examples in relation to my script and went through perlvar, but as yet haven't found an exploit. Hoping you'll be willing to try to break it when it is just about ready for prime time. Won't be bitten by $/, etc.

The last one can be cured by reversing the order:

    for $name (param()) {
        $$name = param($name);
    }

    use LWP::Simple;
    $credit_card_server = "secure.mybank.com";
    $username = "my_secret_username";
    $password = "my_password";

But again, you raise important red flags. I'll continue watching for 'critical' in my particular script.

For others, people who don't like skydiving with an unchecked parachute, to safely save space consider just limiting the vars:

    my @vars = ('one', 'two', 'three');
    for $name (@vars) {
        $$name = param($name);
    }
    print "\$one $one<br> \$two $two<br> \$three $three<br> ";

Otherwise I would probably place the:

    $one   = param('one');
    $two   = param('two');
    $three = param('three');

etc., quasi ad infinitum, into a 'sub initialize' at the bottom of the script.

Take care,
Gary
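The clobbering the quoted example warns about, and the whitelisting Gary suggests, as an added stand-alone example that is not code from this thread; it stands in for CGI's param() with a small stub over a constructed %query hash, so it runs without a web server:

```perl
#!/usr/bin/perl
# Added example (not from the thread): why "$$name = param($name)" is
# dangerous, and two safe alternatives. CGI::param() is replaced by a stub
# over a constructed request, as if the query string had been
#   one=1&two=2&credit_card_server=evil.example
use warnings;

my %query = (
    one                => '1',
    two                => '2',
    credit_card_server => 'evil.example',   # attacker-chosen name
);
sub param { my ($n) = @_; return defined $n ? $query{$n} : keys %query; }

# 1. Unsafe: symbolic references assign to whatever package global the
#    client names. This only compiles with "no strict 'refs'"; "use strict"
#    refuses it, which is the first line of defence.
our $credit_card_server = 'secure.mybank.com';
{
    no strict 'refs';
    for my $name (param()) {
        ${$name} = param($name);
    }
}
print "after unsafe loop: $credit_card_server\n";   # evil.example

# 2. Whitelist: only the names the script expects are read, and they land
#    in a hash rather than in the symbol table, so nothing else is touched.
$credit_card_server = 'secure.mybank.com';
my @allowed = qw(one two three);
my %p;
for my $name (@allowed) {
    $p{$name} = param($name);
}
print "after whitelist: $credit_card_server, one=$p{one}\n";

# 3. With "use strict" in effect, the symbolic assignment dies at run time
#    instead of silently redefining a variable.
use strict;
eval { my $name = 'credit_card_server'; ${$name} = 'x'; 1 }
    or print "strict refused: $@";
```

Under "use strict" the third block prints Perl's "Can't use string ... as a SCALAR ref" error, which is exactly the failure a script should see rather than a rewritten server name.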