Running older cgi scripts on nginx
Hello,

I've set up a new cloud account to get familiar with nginx and I'd like to know if it's possible to run an older cgi perl script, and if so, how would I go about doing that? I think I read somewhere that it could be done with Plack, but I can't find any instructions on how to do it. Can someone help me with this?

Many thanks!
Angela

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
Re: Running older cgi scripts on nginx
On Nov 7, 2013, at 3:22 PM, Angela Barone wrote:

> Hello, I've set up a new cloud account to get familiar with nginx and I'd like to know if it's possible to run an older cgi perl script, and if so, how would I go about doing that? I think I read somewhere that it could be done with Plack, but I can't find any instructions on how to do it. Can someone help me with this?

I suggest you enter the string 'nginx cgi' into a search engine and follow the links. You can also read the nginx documentation on how to execute CGI programs here:

http://wiki.nginx.org/Configuration

Scroll down to the sections titled CGI, FastCGI examples, and Embedded Perl examples.
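
One way to do what the question asks with Plack, as an added example that is not part of the original thread: nginx has no built-in CGI handler, so a small PSGI application wraps the legacy script and nginx reverse-proxies to it. The script path, mount point and port are assumptions.

```perl
#!/usr/bin/env perl
# app.psgi (added example): serve one legacy CGI script through Plack so that
# nginx can proxy requests to it.
use strict;
use warnings;
use Plack::Builder;
use Plack::App::WrapCGI;

# Assumed location of the legacy script; adjust to your layout.
my $script = '/var/www/cgi-bin/legacy.cgi';

# Refuse to start if other local users could rewrite the script, since it
# will run with the privileges of this process.
my @st = stat($script) or die "Cannot stat $script: $!\n";
die "$script is group- or world-writable; fix its permissions first\n"
    if $st[2] & 0022;

# execute => 1 runs the script in a forked child, the way a classic CGI
# server would, so old scripts that call exit() or rely on a fresh process
# for every request keep working.
my $legacy = Plack::App::WrapCGI->new(script => $script, execute => 1)->to_app;

builder {
    # Expose only this one script; everything else is a 404.
    mount '/cgi-bin/legacy.cgi' => $legacy;
    mount '/' => sub {
        return [404, ['Content-Type' => 'text/plain'], ["Not found\n"]];
    };
};

# Start the application bound to loopback only, so it is reachable solely
# through nginx:
#   plackup --host 127.0.0.1 --port 5000 app.psgi
#
# Matching nginx configuration, inside the server block:
#   location /cgi-bin/ {
#       proxy_pass http://127.0.0.1:5000;
#       proxy_set_header Host $host;
#       proxy_set_header X-Forwarded-For $remote_addr;
#   }
```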
Re: has anyone used perl CGI scripts with Hiawatha web server?
Hi Rajeev,

On Sat, 3 Mar 2012 19:56:52 -0800 (PST) Rajeev Prasad rp.ne...@yahoo.com wrote:

> Anyone has any experience to share about implementing perl CGI scripts on Hiawatha web server?

According to http://en.wikipedia.org/wiki/Hiawatha_%28web_server%29 , the Hiawatha web-server supports CGI and FastCGI well, so I don't expect any special problems with running Perl CGI scripts (which Perl supports using PSGI/Plack ( http://plackperl.org/ ) and older, possibly less recommended, technologies such as CGI.pm) on it (at least not in comparison to using it on other popular web-servers). If you do encounter such problems, then you can file a bug report on Hiawatha's bug-tracker.

No first hand experience (it's the first time I've heard of the Hiawatha web server) so all caveats apply.

Regards,

Shlomi Fish

--
Shlomi Fish http://www.shlomifish.org/
Escape from GNU Autohell - http://www.shlomifish.org/open-source/anti/autohell/

Staring at XSLT code for one minute has a 67% chance of making one permanently blind.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
has anyone used perl CGI scripts with Hiawatha web server?
Anyone has any experience to share about implementing perl CGI scripts on Hiawatha web server? ty. R
Using a CMS with cgi scripts
Hello,

I have begun to use a CMS/web development tool named Joomla and I was wondering if you had any information on implementing perl/cgi scripts into this CMS or if there is another CMS that would be better to use if I needed to use cgi and perl.

Any help would be appreciated,
Justin
Re: Using a CMS with cgi scripts
On Thu, May 29, 2008 at 9:26 AM, JUSTIN R COLON [EMAIL PROTECTED] wrote:

> Hello I have begun to use a CMS/web development tool named Joomla and I was wondering if you had any information on implementing perl/cgi scripts into this CMS or if there is another CMS that would be better to use if i needed to use cgi and perl.

I don't know anything about Joomla. CGI scripts are separate programs that execute independently. In that sense, there is nothing that needs to be integrated (other than figuring out how to execute CGI scripts on your webserver). If you have specific questions, you might try writing to the Joomla list (if there is one) and give specifics about what you want to do.

Sean
CGI Scripts and IE
Hello,

I have a script that manages a form submission. In order to reuse the form creation and validation functions, I am calling the same script from the form using the post method. Everything works fine in Mozilla/Firefox but when I try to use IE 6, it doesn't seem to call the script when the submit button is pressed, kind of like it knows it is already loaded and just reloads it from cache. Is this possible? How do I overcome it?

Example:

File is : http://site.com/cgi-bin/script.cgi
.htaccess translates : http://site.com/script/ to the above address
Script calls 'http://site.com/script/' (itself) using post method.

The script acts differently whether it is called with no parameters or whether it is called after the submit button press and has parameters (action=validate, etc).

I hope my question is clear, I can help clarify as needed.

Thanks,
Shawn

Shawn Michael Hinchy [EMAIL PROTECTED]
Re: CGI Scripts and IE
On Mon, Sep 25, 2006 at 10:53:15AM -0400, Shawn Hinchy wrote:

> Everything works fine in Mozilla/Firefox but when I try to use IE 6, it doesn't seem to call the script when the submit button is pressed, kind of like it knows it is already loaded and just reloads it from cache. Is this possible? How do I overcome it?

> The script acts differently whether it is called with no parameters or whether it is called after the submit button press and has parameters (action=validate, etc).

I'd /guess/ that you have something like `<button type=submit name=foo value=baz>Bar</button>`, and you are testing for `$q->param('foo') eq 'baz'` and falling over IE's problem of sending Bar as the value.

... but you haven't provided anywhere near enough information about the problem to say for sure. Real URL? HTML? Perl?

--
David Dorward http://dorward.me.uk
advise on writing cgi scripts to create + manage certificate authority.
Hi

I have to write a cgi application to manage a certificate authority for AES 256 CBC and 128 CBC ... How would I go about this? The only application I have used for this was command line interactive... Any suggestions ..

--
Gregory Machin [EMAIL PROTECTED] www.linuxpro.co.za
RE: advise on writing cgi scripts to create + manage certificate authority.
Hi Gregory

If you want to learn how to write cgi scripts using perl ... The following link would be a great start...

http://cgi101.com/book/ch1/text.html

Thanks
Prasanna

-----Original Message-----
From: Gregory Machin [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 03, 2006 2:09 PM
To: beginners@perl.org
Subject: advise on writing cgi scripts to create + manage certificate authority.

Hi

I have to write a cgi application to manage a certificate authority for AES 256 CBC and 128 CBC ... How would I go about this? The only application I have used for this was command line interactive... Any suggestions ..

--
Gregory Machin [EMAIL PROTECTED] www.linuxpro.co.za
Re: advise on writing cgi scripts to create + manage certificate authority.
Thanks for the lead ... But my question was focused on the creation of a certificate authority management interface using cgi as opposed to command line ... which is the norm ... I have a basic knowledge of perl cgi..

On 8/3/06, Gregory Machin [EMAIL PROTECTED] wrote:

> Hi
>
> I have to write a cgi application to manage a certificate authority for AES 256 CBC and 128 CBC ... How would I go about this? The only application I have used for this was command line interactive... Any suggestions ..
>
> --
> Gregory Machin [EMAIL PROTECTED] www.linuxpro.co.za

--
Gregory Machin [EMAIL PROTECTED] www.linuxpro.co.za
Re: Multiple .cgi scripts vs. one large script
Adam,

How your server is going to load things depends entirely upon the server and its configuration. CGI is slow, ISAPI is faster, mod_perl and FastCGI are faster still. Which one you're using and how you use it will dramatically change things. On the other hand, if you only have a few thousand hits a day, it's probably not worth worrying about.

As programmers get more experienced, they learn one of the most important rules of programming: do NOT worry about performance unless you have an extremely good reason to do so. Build your systems to be correct and complete and only after you have a known performance issue should you worry about that. Even then, profile the system to find out what the issue is. For example, if it's your database connection or complicated SQL queries which are causing the problem, fiddling with nested foreach loops probably isn't going to help that much.

The "don't worry about performance at first" concept is one that many programmers balk at, but once you adopt it, it makes life much, much easier.

Cheers,
Ovid

--
If this message is a response to a question on a mailing list, please send follow up questions to the list.

Web Programming with Perl -- http://users.easystreet.com/ovid/cgi_course/

----- Original Message -----
From: Adam Waite [EMAIL PROTECTED]
To: beginners-cgi@perl.org
Sent: Thursday, June 15, 2006 4:43:56 AM
Subject: Re: Multiple .cgi scripts vs. one large script

Moore, George T. wrote:

> It depends on how you are using your scripts. The most expensive aspect of the files is the IO used to read them from the hard drive they reside on. If you are calling on the scripts multiple times and they have to be read each time, rather than being cached in memory, then you only want to read what is absolutely necessary. If one script always calls another then you are probably better having the subroutines, which would save IO.

I'll be more specific about my setup. I have two scripts running a bulletin-board type thing. One of them is responsible for displaying all of the posts at once, or just displaying one at a time. The other script handles replying to posts or submitting new posts. I'd estimate that the script responsible for looking at the posts gets used more often, since more people look than actually say anything.

It would be easier to maintain this program if I made these two functions subroutines of one larger script, and then called them using some switch logic.

My main question then, is this. If a user visits the script, does the server only load one instance of the program per visit, or does each page change necessitate a new instance to begin? Because if only one process is loaded per visit (for instance, the program is compiled once and then used over and over while the user stays within pages covered by that program), it makes more sense to combine them into one larger program. However, if the whole program must be loaded by the server each time the user visits a new page (the program must be compiled and run for each request) then it makes sense to only load what is necessary by splitting up the script into several smaller ones.

As may be obvious by now, I do not know very much about how servers handle requests for cgi programs, so I'm sorry if this question is posed in a nonsensical way.

Thanks,
Adam
Re: Multiple .cgi scripts vs. one large script
On Jun 14, 2006, at 6:40 PM, Hardly Armchair wrote:

> Hello All, I was wondering if it is more efficient (in terms of speed and processor load) to have two different scripts of approximately the same size called to handle two different functions, or to have one large script handle all cgi functions using subroutines. Or perhaps these situations are equivalent.

I asked a similar question a few months back (How big is too big?). After learning a lot from the responses and where they led me I started looking more at CGI::Application.

The general theory I get from this framework (as it applies to your question) is that to help with management of subroutines you should create scripts (modules) that hold subroutines that perform similar tasks. No more than 10 subroutines in a script was the rule of thumb as I recall.

Someone here mentioned that a Perl/CGI script that contains 1000 lines is probably about as big as you'd want one to get. The script I'm re-factoring to use CGI::Application is now over 10,000 lines (with comments). It still performs pretty well, but never sees huge amounts of requests.

I completely agree with Ovid's comment, do NOT worry about performance unless you have an extremely good reason to do so. That's one reason my script got so big. Performance still is not an issue for me, but management is becoming one.

The One big one versus many small ones question seems best answered by personal preference, up to a point. For me, management was getting to be a pain. Now I'd strongly recommend CGI::Application to anyone working on a perl/cgi app that will get bigger than that 1000 line max that was previously suggested or needs features easily provided by the framework and its plug-ins.

Kindest Regards,

--
Bill Stephenson 417-546-8390
Multiple .cgi scripts vs. one large script
Hello All,

I was wondering if it is more efficient (in terms of speed and processor load) to have two different scripts of approximately the same size called to handle two different functions, or to have one large script handle all cgi functions using subroutines. Or perhaps these situations are equivalent.

I apologize if I have just asked an unanswerable question.

Thanks,
Adam
RE: Multiple .cgi scripts vs. one large script
It depends on how you are using your scripts. The most expensive aspect of the files is the IO used to read them from the hard drive they reside on. If you are calling on the scripts multiple times and they have to be read each time, rather than being cached in memory, then you only want to read what is absolutely necessary. If one script always calls another then you are probably better having the subroutines, which would save IO.

-----Original Message-----
From: Hardly Armchair [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 14, 2006 4:40 PM
To: beginners-cgi@perl.org
Subject: Multiple .cgi scripts vs. one large script

Hello All,

I was wondering if it is more efficient (in terms of speed and processor load) to have two different scripts of approximately the same size called to handle two different functions, or to have one large script handle all cgi functions using subroutines. Or perhaps these situations are equivalent.

I apologize if I have just asked an unanswerable question.

Thanks,
Adam
Re: Multiple .cgi scripts vs. one large script
Moore, George T. wrote:

> It depends on how you are using your scripts. The most expensive aspect of the files is the IO used to read them from the hard drive they reside on. If you are calling on the scripts multiple times and they have to be read each time, rather than being cached in memory, then you only want to read what is absolutely necessary. If one script always calls another then you are probably better having the subroutines, which would save IO.
>
> -----Original Message-----
> From: Hardly Armchair [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 14, 2006 4:40 PM
> To: beginners-cgi@perl.org
> Subject: Multiple .cgi scripts vs. one large script
>
> Hello All, I was wondering if it is more efficient (in terms of speed and processor load) to have two different scripts of approximately the same size called to handle two different functions, or to have one large script handle all cgi functions using subroutines. Or perhaps these situations are equivalent. I apologize if I have just asked an unanswerable question.

At least as important is maintainability. If you have several scripts, then you have to maintain several scripts. That may be fine, but it may not. If you do go down the road of using one script, look into CGI::Application or Catalyst on CPAN.

Sean
Re: Multiple .cgi scripts vs. one large script
On Wed, 2006-14-06 at 16:40 -0700, Hardly Armchair wrote:

> Hello All, I was wondering if it is more efficient (in terms of speed and processor load) to have two different scripts of approximately the same size called to handle two different functions, or to have one large script handle all cgi functions using subroutines. Or perhaps these situations are equivalent.

And what, exactly, do you mean by efficient? Most definitions of efficient mean getting the maximum benefit from available resources. So, does that mean the users have minimal response time? Or does it mean your code maintainers can fix bugs easily? Or does it mean your site has minimal cost on the internet?

Normally, compartmentalizing your site would mean you can deal with only one problem at a time, without worrying about its effects on the rest of the site. But you would have to decide exactly what efficient really means.

--
__END__

Just my 0.0002 million dollars worth,
--- Shawn

For the things we have to learn before we can do them, we learn by doing them. Aristotle

* Perl tutorials at http://perlmonks.org/?node=Tutorials
* A searchable perldoc is at http://perldoc.perl.org/
Re: Multiple .cgi scripts vs. one large script
Moore, George T. wrote:

> It depends on how you are using your scripts. The most expensive aspect of the files is the IO used to read them from the hard drive they reside on. If you are calling on the scripts multiple times and they have to be read each time, rather than being cached in memory, then you only want to read what is absolutely necessary. If one script always calls another then you are probably better having the subroutines, which would save IO.

I'll be more specific about my setup. I have two scripts running a bulletin-board type thing. One of them is responsible for displaying all of the posts at once, or just displaying one at a time. The other script handles replying to posts or submitting new posts. I'd estimate that the script responsible for looking at the posts gets used more often, since more people look than actually say anything.

It would be easier to maintain this program if I made these two functions subroutines of one larger script, and then called them using some switch logic.

My main question then, is this. If a user visits the script, does the server only load one instance of the program per visit, or does each page change necessitate a new instance to begin? Because if only one process is loaded per visit (for instance, the program is compiled once and then used over and over while the user stays within pages covered by that program), it makes more sense to combine them into one larger program. However, if the whole program must be loaded by the server each time the user visits a new page (the program must be compiled and run for each request) then it makes sense to only load what is necessary by splitting up the script into several smaller ones.

As may be obvious by now, I do not know very much about how servers handle requests for cgi programs, so I'm sorry if this question is posed in a nonsensical way.

Thanks,
Adam
Errors on running Perl CGI scripts on Tomcat
I know this has been asked millions of times, but I searched google for the entire day but did not get an answer, instead I found millions of ppl who have the same problem as I do.

The problem is simple:

1. The same code runs well on command line
2. When Running on Tomcat, the html file gives such error: Software error: Can't connect to MySQL database: Can't create TCP/IP socket (10106)
3. OS is Windows XP
4. I am pretty sure that Tomcat, Perl interpreter, MySQL runs well separately.

I don't know what to do and since it is a joint question of 3 softwares, I'm gonna send it to the three mailing lists and see finally if anybody could give correct answers to it.

Thanks

Regards,
Robert.
Re: cgi scripts as root or similar - best method
Are you sure that cdrecord needs to run as root? You might check into changing permissions on the device itself. Or if this is a trusted machine/environment (I assume it is, 'cause most people don't write web apps to burn CDs), then you could suid cdrecord itself as root. Be sure you understand the security implications of doing that.

Paul

10:08am, Gavin Henry wrote:

> Dear all,
>
> I have a working cgi script, well from the commandline. I haven't enabled -T, but that will be next. I am using $|++ and CGI::Carp to get things to stdout etc. and show me errors.
>
> All the script does is creates an ISO file, writes a log and burns the CD with some Javascript questions to ask if the user wants to continue. I could paste the code, but I don't think it's relevant to my question.
>
> What the problem is, is that the ISO and log file are to be saved in non apache2 owned directories and cdrecord needs to be run as root. I have tried changing the group ownership of these dirs and chmod 775 for them, but apache2 still can't write to them.
>
> I have looked into suexec, but I am not running VirtualHosts and I have tried just making the scripts setuid, but apache2 won't run them then. I have seen suidperl, but I am not sure what it does.
>
> Basically I have tried everything I know at present, read all the perlfaq9 and relevant CGI FAQ etc.
>
> Does someone with more experience have any tips, as I am now at a loss.
>
> Thanks.
>
> --
> Just getting into the best language ever... Fancy a [EMAIL PROTECTED] Just ask!!!

They're willing to kill people. That makes them dangerous. --News announcer, about South American drug lords
Re: cgi scripts as root or similar - best method
On Fri, 25 Feb 2005, Gavin Henry wrote:

> [...] the problem is [...] cdrecord needs to be run as root.

I assume cdrecord is being invoked from a system command, right?

Have you considered prefixing that command with `sudo`, and going into the sudoers file to allow the www user that privilege?

Of course, it would be a bit more complicated than that, as sudo will prompt for a password that you have to pass back to it somehow, but after that hurdle I suspect that it should work fine...

Alternatively, have you considered using Webmin? Webmin is a way to do various system administration tasks through a web browser, and there appears to be a cdrecord based plugin for it:

http://kgolding.co.uk/cd2iso.php

Webmin site: http://webmin.com/

The Book of Webmin (not pirated -- it's at the author's site): http://www.swelltech.com/support/webminguide/

This may be an easier approach to the problem...

--
Chris Devers
Re: cgi scripts as root or similar - best method
Chris Devers wrote:

> On Fri, 25 Feb 2005, Gavin Henry wrote:
>
>> [...] the problem is [...] cdrecord needs to be run as root.
>
> I assume cdrecord is being invoked from a system command, right?

I now have it running fine using -T and declaring $ENV{PATH} as according to the Security section of the camel. Yeah, I have:

!system (blah, blah) or die blah, blah;

> Have you considered prefixing that command with `sudo`, and going into the sudoers file to allow the www user that privilege?

No.

> Of course, it would be a bit more complicated than that, as sudo will prompt for a password that you have to pass back to it somehow, but after that hurdle I suspect that it should work fine...

I could actually do that for each system command, could I use the expect perl module for that?

> Alternatively, have you considered using Webmin? Webmin is a way to do various system administration tasks through a web browser, and there appears to be a cdrecord based plugin for it: http://kgolding.co.uk/cd2iso.php

It needs to be scripted via an independent cgi script though :-(

> Webmin site: http://webmin.com/
>
> The Book of Webmin (not pirated -- it's at the author's site): http://www.swelltech.com/support/webminguide/
>
> This may be an easier approach to the problem...

Thanks.

> --
> Chris Devers
Re: cgi scripts as root or similar - best method
Chris Devers wrote:

> On Fri, 25 Feb 2005, Gavin Henry wrote:
>
>> [...] the problem is [...] cdrecord needs to be run as root.
>
> I assume cdrecord is being invoked from a system command, right?
>
> Have you considered prefixing that command with `sudo`, and going into the sudoers file to allow the www user that privilege?
>
> Of course, it would be a bit more complicated than that, as sudo will prompt for a password that you have to pass back to it somehow, but after that hurdle I suspect that it should work fine...

[snip]

You can use the 'NOPASSWD' flag in the sudoers file for a particular command/alias, etc. so that the user does not have to enter a password.

man sudoers

http://danconia.org
Re: cgi scripts as root or similar - best method
--
Just getting into the best language ever... Fancy a [EMAIL PROTECTED] Just ask!!!

Wiggins d'Anconia wrote:

> Chris Devers wrote:
>
>> On Fri, 25 Feb 2005, Gavin Henry wrote:
>>
>>> [...] the problem is [...] cdrecord needs to be run as root.
>>
>> I assume cdrecord is being invoked from a system command, right?
>>
>> Have you considered prefixing that command with `sudo`, and going into the sudoers file to allow the www user that privilege?
>>
>> Of course, it would be a bit more complicated than that, as sudo will prompt for a password that you have to pass back to it somehow, but after that hurdle I suspect that it should work fine...
>
> [snip]
>
> You can use the 'NOPASSWD' flag in the sudoers file for a particular command/alias, etc. so that the user does not have to enter a password.
>
> man sudoers

Excellent, I forgot that. But that's not very system independent, but it's fair enough, as it's on only one box and I AM using system commands.

P.S. I love the beginners lists!!!

> http://danconia.org
RE: cgi scripts as root or similar - best method
Chris Devers [EMAIL PROTECTED] suggested:

> Have you considered prefixing that command with `sudo`, and going into the sudoers file to allow the www user that privilege?
>
> Of course, it would be a bit more complicated than that, as sudo will prompt for a password that you have to pass back to it somehow, but after that hurdle I suspect that it should work fine...

From man sudoers:

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore as root without authenticating himself.

HTH,
Thomas
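
The combination this thread arrives at (taint mode, a fixed PATH, list-form system calls and a password-less sudo rule limited to one command), as an added example that is not code from any poster. The `www-data` account, the directory, the device name and the `iso` form parameter are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: CGI front end that burns an ISO through a narrowly scoped
# sudo rule instead of running the whole script as root.
#
# Assumed sudoers entry (edit with visudo). It lets the web server account
# run exactly one binary as root without a password, and nothing else:
#   www-data ALL = (root) NOPASSWD: /usr/bin/cdrecord
use strict;
use warnings;
use CGI;

# Under -T, Perl refuses to run external commands until PATH is set to a
# known value and the shell-influencing variables are gone.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $ISO_DIR = '/var/spool/burn';   # assumed directory the web user may write
my $DEVICE  = '/dev/sr0';          # assumed burner device

# Turn the user-supplied name into a path, or return nothing. The regex
# capture both validates and untaints: a plain file name, no slashes, no
# leading dash that cdrecord could read as an option.
sub iso_path_for {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_-]{0,63}\.iso)\z/;
    return "$ISO_DIR/$1";
}

# Run cdrecord as root via sudo. Returns undef on success or an error string.
sub burn {
    my ($iso) = @_;
    # List form of system(): no shell ever parses the arguments.
    # sudo -n fails immediately instead of waiting for a password prompt.
    my @cmd = ('/usr/bin/sudo', '-n', '/usr/bin/cdrecord', "dev=$DEVICE", $iso);
    my $rc = system(@cmd);
    return "could not start sudo: $!"                 if $rc == -1;
    return 'cdrecord exited with status ' . ($? >> 8) if $rc != 0;
    return;
}

my $q = CGI->new;
print $q->header('text/plain');

my $iso = iso_path_for(scalar $q->param('iso'));
if (!defined $iso || !-f $iso) {
    print "Unknown or invalid ISO name.\n";
    exit;
}

my $err = burn($iso);
# Details go to the server error log, not to the browser.
warn "burn of $iso failed: $err\n" if defined $err;
print defined $err ? "Burn failed; see the server log.\n" : "Burn complete.\n";
```

The sudoers rule names only the binary, so the argument checks in the script are what keep the arguments to that root command fixed; the ISO directory should be writable by the web account only.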
cgi scripts
Hello,

I am trying to send form data via a UNIX CGI Perl script to a MS Access database. The form and the CGI script are both on a secure web server. The unix script must be used to process the credit card information from the form. I intend to use the POST method of sending the form data to the CGI script. If the credit card is rejected for any reason, then the UNIX CGI script will send an error message to the user's browser and stop processing things. If the credit card has been successfully processed, I need to strip out the credit card info (using perl regular expressions or something else) and pass the remainder of the data to a MS ASP script on a Windows server which will insert the data in to the database.

My question: How do I get the form data to the MS window ASP script using the POST method? I have tried using the GET method successfully ( print "Location: http://ip_address?$ENV{'QUERY_STRING'}" ) but I don't want any data in the URL.

Lawrence Adamiec
Unix Manager
Rm. 525B
565 W. Adams St.
Chicago-Kent College of Law
Illinois Institute of Technology
Chicago, Illinois
312-906-5301
Re: cgi scripts
Larry Adamiec wrote:

> How do I get the form data to the MS window ASP script using the POST method? I have tried using the GET method successfully ( print "Location: http://ip_address?$ENV{'QUERY_STRING'}" ) but I don't want any data in the URL.

Check out the libwww-perl package, e.g. LWP::UserAgent.

--
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
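
What the LWP::UserAgent pointer looks like for this case, as an added example that is not part of the original thread: once the card has been processed, the script drops the card fields and sends the remaining form data to the ASP page in a POST body, so nothing travels in a redirect URL. The field names and the ASP URL are assumptions.

```perl
#!/usr/bin/perl
# Added example: forward non-card form fields to a second server by POST.
use strict;
use warnings;
use CGI;                # multi_param needs CGI.pm 4.08 or later
use LWP::UserAgent;     # https URLs also need LWP::Protocol::https

# Assumed names; replace with the real form fields and ASP endpoint.
my @CARD_FIELDS = qw(card_number card_expiry card_cvv);
my $ASP_URL     = 'https://windows-host.example/insert.asp';

# True if a value contains a run of 13 to 19 digits once spaces and dashes
# are removed, which is the length range of payment card numbers.
sub looks_like_card {
    my ($value) = @_;
    (my $digits = $value) =~ tr/ -//d;
    return $digits =~ /(?<!\d)\d{13,19}(?!\d)/ ? 1 : 0;
}

# Collect name/value pairs for everything except the card fields. Dies if a
# card-like number shows up in some other field, so a mislabelled or pasted
# card number is never passed on.
sub fields_to_forward {
    my ($q) = @_;
    my %is_card = map { $_ => 1 } @CARD_FIELDS;
    my @pairs;
    for my $name ($q->param) {
        next if $is_card{$name};
        for my $value ($q->multi_param($name)) {
            die "field '$name' looks like a card number; not forwarding\n"
                if looks_like_card($value);
            push @pairs, $name, $value;
        }
    }
    return \@pairs;
}

# POST the pairs as application/x-www-form-urlencoded in the request body.
# Returns undef on success or the HTTP status line on failure.
sub forward_to_asp {
    my ($pairs) = @_;
    my $ua  = LWP::UserAgent->new(timeout => 15, max_redirect => 0);
    my $res = $ua->post($ASP_URL, $pairs);
    return $res->is_success ? undef : $res->status_line;
}

my $q = CGI->new;

# Card authorisation happens before this point and reads only @CARD_FIELDS.

my $err = eval { forward_to_asp(fields_to_forward($q)) };
$err = $@ if $@;
warn "forward to ASP failed: $err" if defined $err;   # server log only

print $q->header(
    -type   => 'text/plain',
    -status => defined $err ? '502 Bad Gateway' : '200 OK',
);
print defined $err ? "Your order could not be stored.\n" : "Thank you.\n";
```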
CGI scripts, security and MySQL
Hi

I need to know what is the accepted way of handling the following. I have a MySQL database, and a host of CGI scripts which present forms to the users as web pages, they fill them in and then the data is written to the database.

I need to make this secure such that only users I want can use the system. I want to set up a username and password so that users can log in once at the beginning of a session, carry out their work filling in various forms and writing to the database, and then log-out at the end.

What is the best way to do this? I've thought about creating a MySQL user/password for each person who needs to enter data, but I don't want them to have to enter their username and password on every form. I guess what I need is some sort of persistent DBI connection that is present over multiple runs of various CGI scripts (until the person logs off or the browser is closed...)

I am running Suse Linux 8.2, MySQL 4, Apache 1.3.28 and perl 5.8.0

Cheers
Mick
Re: CGI scripts, security and MySQL
On Fri, 3 Sep 2004, michael watson (IAH-C) wrote:
> I need to make this secure such that only users I want can use the system. I want to set up a username and password so that users can log in once at the beginning of a session, carry out their work filling in various forms and writing to the database, and then log-out at the end.
>
> What is the best way to do this? I've thought about creating a MySQL user/password for each person who needs to enter data, but I don't want them to have to enter their username and password on every form. I guess what I need is some sort of persistent DBI connection that is present over multiple runs of various CGI scripts (until the person logs off or the browser is closed...)
>
> I am running Suse Linux 8.2, MySQL 4, Apache 1.3.28 and perl 5.8.0

Think about what your requirements are here; you seem to have a grab bag of good ideas that are all mixed up together.

* System authentication

You're asking for a way to avoid making people fill out their username & password with each form. A proper authentication system won't allow this situation.

The two basic ways you can do authentication are at the server level, with Apache-enforced HTTP authentication (this is the version where the, and at the application level, with code in your CGI scripts that manages user account details.

I personally think Apache-level authentication is easier -- if you just add the right directives to your httpd.conf, it's magically turned on for you. For whatever reason though, this isn't often done these days -- it's more popular to reinvent this particular wheel over and over again.

If you go for the more popular application level logins, the general approach will mean storing the user's account name in a cookie, and then checking this cookie with each request. As long as the cookie has the right information, they won't have to log in with each page -- it will, in effect, do that automatically in the background.

* Database users:

I suspect it's not so important to control whose user account is writing to the database, as much as it is to know who wrote what data in the database. Make sense?

With that in mind, you could do either or both of [a] add fields to the tables that note who last touched each row, or (probably better) [b] maintain a log of what changes are being made and by who -- this log could even be as simple as a datestamp, the user name, and the SQL statement.

This should make maintenance of the database easier, as you don't have to maintain separate MySQL accounts for each user along with the other accounts they are going to need.

* DBI connection persistence:

It makes sense to maintain a connection to the database, but not so much because of user access control considerations, but just for performance: being able to avoid building up & tearing down a DB connection with every page view gets very expensive.

The best way to get around this is probably to use mod_perl instead of regular CGI scripts, and then turn on Apache::DBI for database connection pooling. This can help a lot.

Does this help ? More questions ?

--
Chris Devers [EMAIL PROTECTED]
http://devers.homeip.net:8080/blog/
np: 'Mr. Loh's Not Afraid to Be Naked' by Sandra Tsing Loh from 'This American Life: Lies, Sissies, and Fiascoes'
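One way to implement the application-level cookie check described above, as an added example that is not part of the original thread: the cookie carries the account name and an expiry time plus an HMAC over both, so the server can tell a cookie it issued from one a client edited or made up. The key value, the user-name pattern and the cookie name `session` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: a login cookie the server can check on every request.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a real deployment reads the key from a file that only the
# CGI user can read. This constant is a constructed demo value.
my $SECRET  = 'constructed-demo-key-not-for-production';
my $USER_RE = qr/[A-Za-z0-9_.-]{1,32}/;   # no '|' allowed, so fields cannot blur

# Build "user|expiry|mac" after a successful password check.
sub issue_token {
    my ($user, $now, $ttl) = @_;
    die "bad user name\n" unless $user =~ /\A$USER_RE\z/;
    my $payload = $user . '|' . ($now + $ttl);
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub same_string {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Return the account name for a genuine, unexpired cookie; nothing otherwise.
sub verify_token {
    my ($token, $now) = @_;
    return unless defined $token;
    my ($user, $expires, $mac) =
        $token =~ /\A($USER_RE)\|(\d{1,12})\|([0-9a-f]{64})\z/ or return;
    return unless same_string($mac, hmac_sha256_hex("$user|$expires", $SECRET));
    return if $expires < $now;
    return $user;
}

# Demonstration with constructed values.
my $now   = time;
my $token = issue_token('mick', $now, 3600);
print "Set-Cookie: session=$token; Path=/; Secure; HttpOnly\n\n";

(my $edited = $token) =~ s/\Amick/root/;   # account name changed by the client
for my $case (
    [ 'cookie as issued',   $token,  $now        ],
    [ 'account name edited', $edited, $now        ],
    [ 'used after expiry',  $token,  $now + 7200 ],
    [ 'bare account name',  'mick',  $now        ],
) {
    my ($label, $cookie, $when) = @$case;
    my $user = verify_token($cookie, $when);
    printf "%-20s -> %s\n", $label,
        defined $user ? "logged in as $user" : 'rejected';
}
```

Only the first case is accepted; each CGI script would call the verify routine at the top and send the login form whenever it returns nothing.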
Re: CGI scripts, security and MySQL
Hi,

You can put something like this, in httpd.conf file:

    include ...path_to_file

And make the directory where that file sits readable only by the root user.

Then, in that file, put something like:

    SetEnv usr user_name
    SetEnv pass parolissima

Those 2 environment variables will be seen by any script that runs on that server. If you want them to be seen only by the scripts which are run by a certain virtualhost, put that include line between <virtualhost...> and </virtualhost>.

T

- Original Message -
From: Chris Devers [EMAIL PROTECTED]
To: michael watson (IAH-C) [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, September 03, 2004 3:08 PM
Subject: Re: CGI scripts, security and MySQL

> On Fri, 3 Sep 2004, michael watson (IAH-C) wrote:
>> I need to make this secure such that only users I want can use the system. I want to set up a username and password so that users can log in once at the beginning of a session, carry out their work filling in various forms and writing to the database, and then log-out at the end.
Re: CGI scripts, security and MySQL
No, the environment variables are set a single time at the start (or restart) of the web server. The problem is that if there is any change in httpd.conf file, the server must be restarted and this might not be very easy for a system with very many users, but it is not impossible.

Teddy

- Original Message -
From: Chris Devers [EMAIL PROTECTED]
To: Octavian Rasnita [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; michael watson (IAH-C) [EMAIL PROTECTED]
Sent: Friday, September 03, 2004 3:31 PM
Subject: Re: CGI scripts, security and MySQL

> On Fri, 3 Sep 2004, Octavian Rasnita wrote:
>> You can put something like this, in httpd.conf file: include ...path_to_file And make the directory where sits that file readable only by the root user.
Re: CGI scripts, security and MySQL
On Fri, 3 Sep 2004, Octavian Rasnita wrote:
> No, the environment variables are set a single time at the start (or restart) of the web server.

Ok, that's what I thought. So in what way does this help manage a pool of several users? This seems to be a solution in search of some other problem...

--
Chris Devers [EMAIL PROTECTED]
http://devers.homeip.net:8080/blog/
np: 'Drama Bug' by David Sedaris from 'This American Life: Lies, Sissies, and Fiascoes'
Re: CGI scripts, security and MySQL
This might be helpful for more users, because a system admin can create automatically a special dir where the users can put their config files, and insert that file in httpd.conf. After that, every user can create its own config file, with any variables they want (their names should not be only user and pass), and after that chmod that special dir in order to be viewed only by the root.

T

Teddy

- Original Message -
From: Chris Devers [EMAIL PROTECTED]
To: Octavian Rasnita [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; michael watson (IAH-C) [EMAIL PROTECTED]
Sent: Friday, September 03, 2004 3:56 PM
Subject: Re: CGI scripts, security and MySQL
Re: CGI scripts, security and MySQL
On Fri, 3 Sep 2004, Octavian Rasnita wrote:
> This might be helpful for more users, because a system admin can create automatically a special dir where the users can put their config files, and insert that file in httpd.conf. After that, every user can create its own config file, with any variables they want (their names should not be only user and pass), and after that chmod that special dir in order to be viewed only by the root.

This is all nice to know, but it doesn't appear to have anything at all to do with the questions that the guy was asking.

He wants web site user accounts, with control &/or a record of who is doing what in the database. He wants some kind of database connection persistence.

He is not trying to set environment variables in Apache. It isn't obvious how setting variables like this gets him anywhere near the stated requirements of the system.

--
Chris Devers [EMAIL PROTECTED]
http://devers.homeip.net:8080/blog/
np: 'Christmas Freud' by David Rakoff from 'This American Life: Lies, Sissies, and Fiascoes'
How to host CGI scripts ?
Hi,

I am new to CGI, I just wanted to know if I can host CGI scripts on my machine.

OS Details: Win2k Professional with IIS installed, ActivePerl installed.

Regards,
Sunil.
RE: How to host CGI scripts ?
Sunil Kumar wrote:
> Hi, I am new to CGI, i just wanted to know if I can host CGi scripts on my machine. OS Details : Win2k Professional with IIS installed, ActivePerl installed.

Yes, you can. You need to configure IIS appropriately, which I can't help you with.
RE: How to host CGI scripts ?
Hi Sunil,

Here are a few links:

http://my.execpc.com/~keithp/bdlognt.htm
http://www.chami.com/tips/internet/052598I.html

-Pradeep

-Original Message-
From: Bob Showalter [mailto:[EMAIL PROTECTED]
Sent: Fri 6/18/2004 8:00 AM
To: 'Sunil Kumar'; [EMAIL PROTECTED]
Cc:
Subject: RE: How to host CGI scripts ?

> Sunil Kumar wrote:
>> Hi, I am new to CGI, i just wanted to know if I can host CGi scripts on my machine. OS Details : Win2k Professional with IIS installed, ActivePerl installed.
>
> Yes, you can. You need to configure IIS appropriately, which I can't help you with.
Re: How to host CGI scripts ?
And BTW, I am sure most of the listers will be able to help you with some advice about your problem if you will install the Apache web server for Windows from www.apache.org. It is much more used than IIS, much more secure, and with many other advantages, and also free.

Teddy

- Original Message -
From: Bob Showalter [EMAIL PROTECTED]
To: 'Sunil Kumar' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 18, 2004 6:00 PM
Re: CGI Scripts
Wiggins d'Anconia wrote:
> So since you are not using the OOP interface to CGI, you need to tell Perl to bring the functions into the local namespace so you can use them in the way you are, so something like:
>
>     use CGI qw/:standard/; # load standard CGI routines
>
> Should help matters greatly. There are two other options, switch to the OOP interface and request a new CGI object then call the function (now a method) on the object instance, or practice your typing by including the full name everywhere:
>
>     my $customer = CGI::param('Customer');
>
> Be sure to understand what and how :standard works, and what other options are available.

Ok, thanks, but I think I'm still a little baffled here about the difference in using OOP interface and not using OOP interface. Could you clarify the difference?

--
*** Phillip B. Bruce ***
*** Politicians and diapers have one thing in common. ***
*** They should both be changed regularly and for the ***
*** same reason. ***
Re: CGI Scripts
Wiggins d'Anconia wrote:
> In the following line you need a 'my' to give the variable scope
>
>     $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);

Ok, I did that and now I'm getting this error

    ./survey.cgi
    Content-type: text/html

    Undefined subroutine main::param called at ./survey.cgi line 12.

So that is referencing the following line in my code:

    my $customer = param("Customer");

So does Customer in the param setting need to be $Customer maybe?

--
Phillip B. Bruce
Re: CGI Scripts
Phillip Bruce wrote:
> Wiggins d'Anconia wrote:
>> In the following line you need a 'my' to give the variable scope
>>
>>     $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
>
> Ok, I did that and now I'm getting this error
>
>     ./survey.cgi
>     Content-type: text/html
>
>     Undefined subroutine main::param called at ./survey.cgi line 12.
>
> So that is referencing the following line my code:
>
>     my $customer = param("Customer");
>
> So does Customer in the param setting needs to be $Customer maybe?

This error is telling you that the compiler can't find the 'param' subroutine in the 'main' package. The key here is that the 'param' subroutine is part of the CGI package which you should (and with experience) know. So the question becomes how do I get 'param' to work in my script when I have already done a

    use CGI;

at the top. Without going into details about 'import', etc. read:

    perldoc perlsub
    perldoc perlmod

for more. Essentially you should revisit the section on Programming Style in the CGI.pm docs, in particular the statement:

"The main differences are that we now need to import a set of functions into our name space (usually the standard functions), and we don't need to create the CGI object."

So since you are not using the OOP interface to CGI, you need to tell Perl to bring the functions into the local namespace so you can use them in the way you are, so something like:

    use CGI qw/:standard/; # load standard CGI routines

Should help matters greatly. There are two other options, switch to the OOP interface and request a new CGI object then call the function (now a method) on the object instance, or practice your typing by including the full name everywhere:

    my $customer = CGI::param('Customer');

Be sure to understand what and how :standard works, and what other options are available.

http://danconia.org
Re: CGI Scripts
Wiggins d'Anconia wrote:
> Phillip Bruce wrote:
>> Wiggins d'Anconia wrote:
>>> <snip>
>>
>> Thanks for the suggestions. Now I get totally different error. I ran this on the command line and get following:
>>
>>     % ./survey.cgi
>>     Content-type: text/html
>>
>>     Substitution replacement not terminated at ./survey.cgi line 37.
>>
>> Here is my code changes I've made:
>>
>>     #!/usr/local/bin/perl
>>     use strict;
>>     user warnings;
>
> In the above line you have 'user' instead of 'use'
>
>>     use CGI;
>>     use Mail::Internet;
>>
>>     BEGIN { print "Content-type: text/html\n\n"; } # So we can debug using the web
>>
>>     # Collect parameters using CGI
>>     my $customer = param("Customer");
>>     my $learn = param("Learn");
>>     my $opinion = param("Site Opinion");
>>     my $improvements = param("Site Iimprovement");
>>     my $comments = param("comments");
>>
>>     my $head = Mail::Header->new;
>>     # add an error handler here for the above
>>     $head->add(From => 'Webmaster [EMAIL PROTECTED]');
>>     $head->add(To => '[EMAIL PROTECTED]');
>>     $head->add(Subject => 'Peggy's Health Center Survey Response');
>
> In the above literal you have an embedded single quote which must be escaped or you need to change the quoting method. To escape a single quote in a single quoted literal throw a backslash before it... 'Peggy\'s Health Center Survey Response', that *should* be the reason it is failing
>
>>     # Build the body of your message
>>     my $body = <<END;
>>     The following information has been sent via form:
>>     Customer Type: $customer
>>     Where They Found US: $learn
>>     Site Opinion: $opinion
>>     Site Improvements: $improvements
>>     Comments: $comments
>>     END
>>
>>     #Send the message
>>     $mail = Mail::Internet->new(Header => $head, Body=> [$body], Modify => 1);
>>     print $mail->end('sendmail');
>>     === End of Code ===
>>
>> Any ideas why I'm getting that error: I'm using 5.8 version of perl and have an older version 5.005_03 that does the same thing.
>
> Stick with 5.8 unless you need the older version for some reason...
>
> http://danconia.org

Well, I'm using perl 5.8 and I'm now getting these error messages.

    % ./survey.cgi
    Content-type: text/html

    Global symbol $mail requires explicit package name at ./survey.cgi line 37.
    Global symbol $mail requires explicit package name at ./survey.cgi line 41.
    Global symbol $mail requires explicit package name at ./survey.cgi line 42.
    Execution of ./survey.cgi aborted due to compilation errors.

Below is my code as it stands right now.

    #!/usr/local/bin/perl
    use strict;
    use warnings;
    use CGI;
    use Mail::Internet;

    BEGIN { print "Content-type: text/html\n\n"; } # So we can debug using the web

    # Collect parameters using CGI
    my $customer = param("Customer");
    my $learn = param("Learn");
    my $opinion = param("Site Opinion");
    my $improvements = param("Site Iimprovement");
    my $comments = param("comments");

    my $head = Mail::Header->new;
    # add an error handler here for the above
    $head->add(From => 'Webmaster [EMAIL PROTECTED]');
    $head->add(To => '[EMAIL PROTECTED]');
    $head->add(Subject => 'Peggy\'s Health Center Survey Response');

    # Build the body of your message
    my $body = <<END;
    The following information has been sent via form:
    Customer Type: $customer
    Where They Found US: $learn
    Site Opinion: $opinion
    Site Improvements: $improvements
    Comments: $comments
    END

    #Send the message
    $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
    print $mail->send('sendmail');
    $mail->close;
    print "<H3>Return to Peggy's Health Center Web Site</H3>";

--
Phillip B. Bruce
Re: CGI Scripts
Phillip Bruce wrote:
> Wiggins d'Anconia wrote:
>> <snip>
>
> Well, I'm using perl 5.8 and I'm now getting these error messages.

The errors you are getting now are because of the stricture. You have to declare the scope of all of your variables (among other things).

    perldoc strict

For more info.

When debugging the script start with the first error, determine where it is being caused (line 37) and what its likely solution is. In this case the variable $mail has not been properly scoped and its first usage is on line 37. Sometimes you will get this error if you misname a variable, etc.

>     % ./survey.cgi
>     Content-type: text/html
>
>     Global symbol $mail requires explicit package name at ./survey.cgi line 37.
>     Global symbol $mail requires explicit package name at ./survey.cgi line 41.
>     Global symbol $mail requires explicit package name at ./survey.cgi line 42.
>     Execution of ./survey.cgi aborted due to compilation errors.
>
> Below is my code as it stands right now.
>
>     #!/usr/local/bin/perl
>     use strict;
>     use warnings;
>     use CGI;
>     use Mail::Internet;
>
>     BEGIN { print "Content-type: text/html\n\n"; } # So we can debug using the web
>
>     # Collect parameters using CGI
>     my $customer = param("Customer");
>     my $learn = param("Learn");
>     my $opinion = param("Site Opinion");
>     my $improvements = param("Site Iimprovement");
>     my $comments = param("comments");
>
>     my $head = Mail::Header->new;
>     # add an error handler here for the above
>     $head->add(From => 'Webmaster [EMAIL PROTECTED]');
>     $head->add(To => '[EMAIL PROTECTED]');
>     $head->add(Subject => 'Peggy\'s Health Center Survey Response');
>
>     # Build the body of your message
>     my $body = <<END;
>     The following information has been sent via form:
>     Customer Type: $customer
>     Where They Found US: $learn
>     Site Opinion: $opinion
>     Site Improvements: $improvements
>     Comments: $comments
>     END
>
>     #Send the message

In the following line you need a 'my' to give the variable scope

>     $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
>     print $mail->send('sendmail');
>     $mail->close;
>     print "<H3>Return to Peggy's Health Center Web Site</H3>";

http://danconia.org
CGI Scripts
Hi,

I have the following form that I use as a survey that I'm building for my web site.

    <form METHOD="POST" ACTION="https://www726.vwh1.net/peggy1/cgi-local/survey.cgi">
    Are you a new cutomer or a returning customer?<BR>
    <input TYPE="CHECKBOX" NAME="Customer" VALUE="New Customer">New Customer <BR>
    <input TYPE="CHECKBOX" NAME="Customer" VALUE="Returning Customer">Returning Customer<BR>
    <HR>
    How did you learn about Peggy's Health Center?<BR>
    <input TYPE="CHECKBOX" NAME="Learn" VALUE="Web Site">Web Site<BR>
    <input TYPE="CHECKBOX" NAME="Learn" VALUE="Email">Email<BR>
    <input TYPE="CHECKBOX" NAME="Learn" VALUE="Search Enginee">Search Engine <BR>
    <input TYPE="CHECKBOX" NAME="Learn" VALUE="Postal">Postal Mail<BR>
    <input TYPE="CHECKBOX" NAME="Learn" VALUE="By Mouth">Word of Mouth<BR>
    <HR>
    What do you think about our web site?<BR>
    <input TYPE="CHECKBOX" NAME="Site Opinion" VALUE="Very Good">Very Good<BR>
    <input TYPE="CHECKBOX" NAME="Site Opinion" VALUE="Good">Good<BR>
    <input TYPE="CHECKBOX" NAME="Site Opinion" VALUE="Good">Bad<BR>
    <input TYPE="CHECKBOX" NAME="Site Opinion" VALUE="Good">Very Bad<BR>
    <HR>
    What is it about our site you think needs improvement?<BR>
    <input TYPE="CHECKBOX" NAME="Site Improvement" VALUE="Navigation">Navigating the Web Site<BR>
    <input TYPE="CHECKBOX" NAME="Site Improvement" VALUE="Ordering">Order Products<BR>
    <input TYPE="CHECKBOX" NAME="Site Improvement" VALUE="New Products">Adding New Products<BR>
    <input TYPE="CHECKBOX" NAME="Site Improvement" VALUE="Searching Products"> Searching for Products<BR>
    <HR>
    Please provide any other comments:
    <TEXTAREA NAME="comments" ROWS="6" COLS="45">Place your Comments here </TEXTAREA><BR>
    <input TYPE="HIDDEN" NAME="return" VALUE="http://www.peggyshealth.com/";>
    <input TYPE="SUBMIT" NAME="SUBMIT">
    </form>

Now here is the CGI script I've written so far.

    #!/usr/bin/perl
    #
    use Mail::Internet;

    # Collect parameters using CGI
    my $customer = param("Customer");
    my $learn = param("Learn");
    my $opinion = param("Site Opinion");
    my $improvements = param("Site Iimprovement");
    my $comments = param("comments");

    my $head = Mail::Header->new;
    $head->add(From => 'Webmaster [EMAIL PROTECTED]');
    $head->add(To => '[EMAIL PROTECTED]');
    $head->add(Subject => 'hello there');

    my $body = <<END;
    This is just a simple e-mail message.
    Nothing to get excited about.
    Customer Type: $customer
    How they learn of us: $learn
    Their Opinions: $opinion
    Their improvemetns: $improvements
    Their comments: $comments
    END

    $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
    print $mail->send('sendmail');

end of cgi script.

What I'm concerned with is the execution of this script. I don't seem to be doing something right. Can someone correct me on what it is that's missing?

--
Phillip B. Bruce
Re: CGI Scripts
Phillip Bruce wrote:
> Hi,
>
> I have the following form that I use as survey I that I'm building for my web site.

<snip form>

> Now here is the CGI script I've written so far.
>
>     #!/usr/bin/perl
>     #
>     use Mail::Internet;

    use strict;   # always
    use warnings; # usually, at least during development

>     # Collect parameters using CGI
>     my $customer = param("Customer");
>     my $learn = param("Learn");
>     my $opinion = param("Site Opinion");
>     my $improvements = param("Site Iimprovement");
>     my $comments = param("comments");

In the above section you are using a function of the CGI module 'param' but you have not loaded the CGI module, you need another use statement:

    use CGI;

You may also want to get all the params at once into a hash, but I leave that to you, have a look at the docs for the CGI module:

    perldoc CGI

>     my $head = Mail::Header->new;

What does this do on failure? you haven't checked return codes...

>     $head->add(From => 'Webmaster [EMAIL PROTECTED]');
>     $head->add(To => '[EMAIL PROTECTED]');
>     $head->add(Subject => 'hello there');
>
>     my $body = <<END;
>     This is just a simple e-mail message.
>     Nothing to get excited about.
>     Customer Type: $customer
>     How they learn of us: $learn
>     Their Opinions: $opinion
>     Their improvemetns: $improvements
>     Their comments: $comments
>     END
>
>     $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
>     print $mail->send('sendmail');

You have not printed a header back to the browser, usually something like: "Content-type:text/html\n\n", though again see the docs for the CGI module for easy ways to do this.

> end of cgi script.
>
> What I'm concern with is the execution of this script. I don't seem to be doing something right. Can someone correct on what it that missing.

Usually the best way to find out problems with a CGI script is to check the server's error log, or use a 'fatalstobrowser' type of deal, see the CGI docs for this also...

http://danconia.org
Re: CGI Scripts
Wiggins d'Anconia wrote:
> Phillip Bruce wrote:
>> Hi,
>>
>> I have the following form that I use as survey I that I'm building for my web site.
>
> <snip form>
>
>> Now here is the CGI script I've written so far.
>>
>>     #!/usr/bin/perl
>>     #
>>     use Mail::Internet;
>
>     use strict;   # always
>     use warnings; # usually, at least during development
>
>>     # Collect parameters using CGI
>>     my $customer = param("Customer");
>>     my $learn = param("Learn");
>>     my $opinion = param("Site Opinion");
>>     my $improvements = param("Site Iimprovement");
>>     my $comments = param("comments");
>
> In the above section you are using a function of the CGI module 'param' but you have not loaded the CGI module, you need another use statement:
>
>     use CGI;
>
> You may also want to get all the params at once into a hash, but I leave that to you, have a look at the docs for the CGI module:
>
>     perldoc CGI
>
>>     my $head = Mail::Header->new;
>
> What does this do on failure? you haven't checked return codes...
>
>>     $head->add(From => 'Webmaster [EMAIL PROTECTED]');
>>     $head->add(To => '[EMAIL PROTECTED]');
>>     $head->add(Subject => 'hello there');
>>
>>     my $body = <<END;
>>     This is just a simple e-mail message.
>>     Nothing to get excited about.
>>     Customer Type: $customer
>>     How they learn of us: $learn
>>     Their Opinions: $opinion
>>     Their improvemetns: $improvements
>>     Their comments: $comments
>>     END
>>
>>     $mail = Mail::Internet->new(Header => $head, Body => [$body], Modify => 1);
>>     print $mail->send('sendmail');
>
> You have not printed a header back to the browser, usually something like: "Content-type:text/html\n\n", though again see the docs for the CGI module for easy ways to do this.
>
>> end of cgi script.
>>
>> What I'm concern with is the execution of this script. I don't seem to be doing something right. Can someone correct on what it that missing.
>
> Usually the best way to find out problems with a CGI script is to check the server's error log, or use a 'fatalstobrowser' type of deal, see the CGI docs for this also...

Thanks for the suggestions. Now I get totally different error. I ran this on the command line and get following:

    % ./survey.cgi
    Content-type: text/html

    Substitution replacement not terminated at ./survey.cgi line 37.

Here is my code changes I've made:

    #!/usr/local/bin/perl
    use strict;
    user warnings;
    use CGI;
    use Mail::Internet;

    BEGIN { print "Content-type: text/html\n\n"; } # So we can debug using the web

    # Collect parameters using CGI
    my $customer = param("Customer");
    my $learn = param("Learn");
    my $opinion = param("Site Opinion");
    my $improvements = param("Site Iimprovement");
    my $comments = param("comments");

    my $head = Mail::Header->new;
    # add an error handler here for the above
    $head->add(From => 'Webmaster [EMAIL PROTECTED]');
    $head->add(To => '[EMAIL PROTECTED]');
    $head->add(Subject => 'Peggy's Health Center Survey Response');

    # Build the body of your message
    my $body = <<END;
    The following information has been sent via form:
    Customer Type: $customer
    Where They Found US: $learn
    Site Opinion: $opinion
    Site Improvements: $improvements
    Comments: $comments
    END

    #Send the message
    $mail = Mail::Internet->new(Header => $head, Body=> [$body], Modify => 1);
    print $mail->end('sendmail');
    === End of Code ===

Any ideas why I'm getting that error: I'm using 5.8 version of perl and have an older version 5.005_03 that does the same thing.

I appreciate the help.

--
Phillip B. Bruce
Re: CGI Scripts
Phillip Bruce wrote:
> Wiggins d'Anconia wrote:
>> <snip>
>
> Thanks for the suggestions. Now I get totally different error. I ran this on the command line and get following:
>
>     % ./survey.cgi
>     Content-type: text/html
>
>     Substitution replacement not terminated at ./survey.cgi line 37.
>
> Here is my code changes I've made:
>
>     #!/usr/local/bin/perl
>     use strict;
>     user warnings;

In the above line you have 'user' instead of 'use'

>     use CGI;
>     use Mail::Internet;
>
>     BEGIN { print "Content-type: text/html\n\n"; } # So we can debug using the web
>
>     # Collect parameters using CGI
>     my $customer = param("Customer");
>     my $learn = param("Learn");
>     my $opinion = param("Site Opinion");
>     my $improvements = param("Site Iimprovement");
>     my $comments = param("comments");
>
>     my $head = Mail::Header->new;
>     # add an error handler here for the above
>     $head->add(From => 'Webmaster [EMAIL PROTECTED]');
>     $head->add(To => '[EMAIL PROTECTED]');
>     $head->add(Subject => 'Peggy's Health Center Survey Response');

In the above literal you have an embedded single quote which must be escaped or you need to change the quoting method. To escape a single quote in a single quoted literal throw a backslash before it... 'Peggy\'s Health Center Survey Response', that *should* be the reason it is failing

>     # Build the body of your message
>     my $body = <<END;
>     The following information has been sent via form:
>     Customer Type: $customer
>     Where They Found US: $learn
>     Site Opinion: $opinion
>     Site Improvements: $improvements
>     Comments: $comments
>     END
>
>     #Send the message
>     $mail = Mail::Internet->new(Header => $head, Body=> [$body], Modify => 1);
>     print $mail->end('sendmail');
>     === End of Code ===
>
> Any ideas why I'm getting that error: I'm using 5.8 version of perl and have an older version 5.005_03 that does the same thing.

Stick with 5.8 unless you need the older version for some reason...

http://danconia.org
Re: CGI scripts permissions
On Wed, 25 Dec 2002 19:39:58 +, [EMAIL PROTECTED] (Philip Pawley) wrote:
> I'm a newbie, so the below is a question: Is this problem of cgi permissions different when you are just running a perl script from a virtual include - as I am?
>
> Reading this thread, I did some tests and changed my script's permissions to 500 and it still works fine. (I first did it just for a test script of course)!
>
> I am just an ordinary user (in my own group) on the web server. How is this possible?

You probably have suexec running on the webserver. Mode 500 means that the user can read and execute the script. Normally the httpd daemon will be nobody/nogroup, or something similarly underprivileged. With suexec, you are letting the httpd daemon run as user/users. I said that it has its drawbacks. That's why if you do use it for something important, make a separate user just to run that cgi script.

Here is a little test script to run: First run it and see what you get, then go and rename /usr/sbin/suexec to suexec.bak and restart apache. Then see what you get.

    #!/bin/sh
    echo Content-type: text/plain
    echo
    echo Username=`whoami`
Re: CGI scripts permissions
On Wed, 25 Dec 2002 05:34:04 +0200, [EMAIL PROTECTED] (Octavian Rasnita) wrote:
> Yes I know these, but ... it seems there is no solution.
>
> 1. The web server is not in the same group with me, and if it will be made to stay in the same group with me, the other users that have web pages on that server will need to be added to that group.
>
> 2. I saw that I need to give read permission also for a script to work, not only execute permissions.
>
> The only solution would be to run the Apache server with my user, but I don't know how to do that. How is this possible?

Apache has the suexec program to do this. If suexec is in the path when apache starts up, then the httpd will run as user when in the user's home directory. This has advantages and disadvantages, but it is easily done.

Normally apache will run as wwwrun/nogroup or nobody/nogroup, with suexec, apache will run as user/users when in users public_html. You can then run scripts at mode 700. It usually is best to set aside a dedicated user just for some cgi-program.
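With suexec running the script as its owner, as described above, the MySQL password can live in a separate file that only that owner can read, and the script can refuse to use the file if its permissions have been loosened. This is an added example, not code from the thread; the file name, the `key = value` format and the sample values are assumptions.

```perl
#!/usr/bin/perl
# Added example: load database credentials only from an owner-only file.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Read "key = value" credentials, refusing files that other users can access.
sub load_db_credentials {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";   # stat the open handle
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die sprintf("%s is owned by uid %d, not by this process (uid %d)\n",
                $path, $uid, $>) unless $uid == $>;
    die sprintf("%s has mode %04o; remove group/other access (chmod 600)\n",
                $path, S_IMODE($mode)) if S_IMODE($mode) & 077;

    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#.*)?$/;                  # blank line or comment
        my ($key, $value) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die sprintf("unparsable line %d in %s\n", $., $path);
        $cred{$key} = $value;
    }
    close $fh;
    for my $required (qw(user password)) {
        die "$path: missing '$required'\n" unless defined $cred{$required};
    }
    return \%cred;   # pass $cred->{user} and $cred->{password} to DBI->connect
}

# Demonstration on a constructed file in a temporary directory. In real use
# the file sits outside the web server's document tree.
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/db.conf";
open my $out, '>', $path or die "cannot write $path: $!\n";
print {$out} "# constructed sample values\n",
             "user = survey_app\n",
             "password = not-a-real-password\n";
close $out;

for my $mode (0644, 0600) {
    chmod $mode, $path or die "chmod failed: $!\n";
    my $cred = eval { load_db_credentials($path) };
    if ($cred) {
        printf "mode %04o: loaded credentials for %s\n", $mode, $cred->{user};
    } else {
        printf "mode %04o: refused: %s", $mode, $@;
    }
}
```

The 0644 pass is refused and the 0600 pass loads the credentials. The script itself then contains no password, so its own permissions matter less.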
Re: CGI scripts permissions
I'm a newbie, so the below is a question: Is this problem of cgi permissions different when you are just running a perl script from a virtual include - as I am? Reading this thread, I did some tests and changed my script's permissions to 500 and it still works fine. (I first did it just for a test script of course)! I am just an ordinary user (in my own group) on the web server. How is this possible? Thanks, Philip Pawley -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
CGI scripts permissions
Hello all, Please tell me what file permissions should I use for a CGI script. I don't want others users from that server to view the content of my scripts because they contain passwords for MySQL databases. If I chmod 755 the scripts, the other users will also be able to see the files. Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Or, ... do I have other options? Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
Hi, At 24-12-2002 18:09 +0200, Octavian Rasnita wrote: Please tell me what file permissions should I use for a CGI script. chmod 755 Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Put a index.cgi in your cgi-bin directory that routes the users to your homepage. I did this with all my directories with no index.html in it.
Begin index.cgi
#!/usr/local/perl
# Redirect anyone who requests the bare directory to the home page.
$detour = '/somedirectorie/welcom.html';
print "Location: $detour\n";
print "Content-Type: text/html\n";
print "\n";
End of index.cgi
Any comments are welcome. Kind regards, Rene Verharen Please DO NOT reply to me personally. I'll get my copy from the list. -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: CGI scripts permissions
This is going to depend somewhat on your setup, mainly what user the web server is running as and what group it might be in. You could probably set your script to be 710 if your web server is in the same group as you but not the same user as you. Or if you go to 711, then anyone can execute the script but not read it, except for the owner which may be what you want. The same essentially applies to the directory, if the web server (owner/group) can't read the directory then it can't execute the script, so setting the directory to 700 with the web server running under a different owner/group will mean the script can't be run in a cgi context. So determine whether the web server is running as the same user as you, if so you can limit it to 700, if it is running as a different user in the same group, then 710 should do the trick, if it is a different user and group then you are looking at 711. There is a chance though I didn't think this was the case that the script also has to be readable, in which case you are looking at 750 or 755.
1st digit = user
2nd digit = group
3rd digit = all
1 = execute
2 = write
4 = read
sum the permission values,
7 = (4+2+1) = read, write, execute
6 = read, write
5 = read, execute
4 = read
3 = write, execute
2 = write
1 = execute
http://danconia.org On Tue, 24 Dec 2002 18:09:52 +0200, Octavian Rasnita [EMAIL PROTECTED] wrote: Hello all, Please tell me what file permissions should I use for a CGI script. I don't want others users from that server to view the content of my scripts because they contain passwords for MySQL databases. If I chmod 755 the scripts, the other users will also be able to see the files. Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Or, ... do I have other options? Thank you.
Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
I assume you are connecting to a database? CGIs should have 500 permission and SHOULD NOT contain the password. Instead write a perl module which return the database_handle and put that together with the other modules (/usr/lib/perl5/5.8.0/). Then just call the module in your CGI script. Regards Richard KHOO Guan Chen On Tue, 24 Dec 2002, Octavian Rasnita wrote: Hello all, Please tell me what file permissions should I use for a CGI script. I don't want others users from that server to view the content of my scripts because they contain passwords for MySQL databases. If I chmod 755 the scripts, the other users will also be able to see the files. Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Or, ... do I have other options? Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
No, I don't have a problem with the web page visitors but with the other users that have accounts on that server. They could use Telnet or SSH to view the files and directories. They can see all my files if they have 755 permissions. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] - Original Message - From: Rene Verharen [EMAIL PROTECTED] To: Beginners-CGI List [EMAIL PROTECTED] Sent: Tuesday, December 24, 2002 7:44 PM Subject: Re: CGI scripts permissions Hi, At 24-12-2002 18:09 +0200, Octavian Rasnita wrote: Please tell me what file permissions should I use for a CGI script. chmod 755 Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Put a index.cgi in your cgi-bin directory that routes the users to your homepage. I did this with all my directories with no index.html in it.
Begin index.cgi
#!/usr/local/perl
# Redirect anyone who requests the bare directory to the home page.
$detour = '/somedirectorie/welcom.html';
print "Location: $detour\n";
print "Content-Type: text/html\n";
print "\n";
End of index.cgi
Any comments are welcome. Kind regards, Rene Verharen Please DO NOT reply to me personally. I'll get my copy from the list. -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
Yes I know these, but ... it seems there is no solution. 1. The web server is not in the same group with me, and if it will be made to stay in the same group with me, the other users that have web pages on that server will need to be added to that group. 2. I saw that I need to give read permission also for a script to work, not only execute permissions. The only solution would be to run the Apache server with my user, but I don't know how to do that. How is this possible? In other cases, the security of CGI scripts is 0. Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] - Original Message - From: [EMAIL PROTECTED] To: Octavian Rasnita [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, December 24, 2002 7:56 PM Subject: RE: CGI scripts permissions This is going to depend somewhat on your setup, mainly what user the web server is running as and what group it might be in. You could probably set your script to be 710 if your web server is in the same group as you but not the same user as you. Or if you go to 711, then anyone can execute the script but not read it, except for the owner which may be what you want. The same essentially applies to the directory, if the web server (owner/group) can't read the directory then it can't execute the script, so setting the directory to 700 with the web server running under a different owner/group will mean the script can't be run in a cgi context. So determine whether the web server is running as the same user as you, if so you can limit it to 700, if it is running as a different user in the same group, then 710 should do the trick, if it is a different user and group then you are looking at 711. There is a chance though I didn't think this was the case that the script also has to be readable, in which case you are looking at 750 or 755.
1st digit = user 2nd digit = group 3rd digit = all 1 = execute 2 = write 4 = read sum the permission values, 7 = (4+2+1) = read, write, execute 6 = read, write 5 = read, execute 4 = read 3 = write, execute 2 = write 1 = execute http://danconia.org On Tue, 24 Dec 2002 18:09:52 +0200, Octavian Rasnita [EMAIL PROTECTED] wrote: Hello all, Please tell me what file permissions should I use for a CGI script. I don't want others users from that server to view the content of my scripts because they contain passwords for MySQL databases. If I chmod 755 the scripts, the other users will also be able to see the files. Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Or, ... do I have other options? Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
I can't do that because I am not the root of that server. I am just a simple user like all other users and I don't want them see my files. Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] - Original Message - From: Richard KHOO Guan Chen [EMAIL PROTECTED] To: Octavian Rasnita [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Wednesday, December 25, 2002 3:24 AM Subject: Re: CGI scripts permissions I assume you are connecting to a database? CGIs should have 500 permission and SHOULD NOT contain the password. Instead write a perl module which return the database_handle and put that together with the other modules (/usr/lib/perl5/5.8.0/). Then just call the module in your CGI script. Regards Richard KHOO Guan Chen On Tue, 24 Dec 2002, Octavian Rasnita wrote: Hello all, Please tell me what file permissions should I use for a CGI script. I don't want others users from that server to view the content of my scripts because they contain passwords for MySQL databases. If I chmod 755 the scripts, the other users will also be able to see the files. Can I deny other users to see the content of the cgi-bin directory (chmod 700) and chmod 755 only the files? Or, ... do I have other options? Thank you. Teddy, Teddy's Center: http://teddy.fcc.ro/ Email: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts permissions
Octavian Rasnita [EMAIL PROTECTED] wrote in message news:002901c2abd3$c17cdcb0$[EMAIL PROTECTED]... Yes I know these, but ... it seems there is no solution. 1. The web server is not in the same group with me, and if it will be made to stay in the same group with me, the other users that have web pages on that server will need to be added to that group. 2. I saw that I need to give read permission also for a script to work, not only execute permissions. The only solution would be to run the Apache server with my user, but I don't know how to do that. How is this possible? You need a host that runs some type of setuid wrapper around the CGI program. Here's something I noted for the group awhile back: http://groups.google.com/groups?threadm=3DACCC0E.7010903%40uakron.edu Todd W. -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
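One way to combine the advice in this thread (keep the MySQL password out of the CGI script, and have suexec or another setuid wrapper run the script as its owner) is to read the credentials from a separate file that only the owner can read. The Perl below is an added example, not code from any poster; the file name db.conf, its key = value format and the function name load_db_config are assumptions, and the sample file is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Load key = value settings from $path, but only if the file is a regular
# file, owned by the user the script is running as, with no group/other
# permission bits set. Returns (\%settings, undef) or (undef, $reason).
sub load_db_config {
    my ($path) = @_;
    open(my $fh, '<', $path) or return (undef, "cannot open $path: $!");

    # stat the open handle, not the path, so the checks apply to the
    # file that will actually be read.
    my @st = stat($fh) or return (undef, "cannot stat $path: $!");
    my ($mode, $uid) = @st[2, 4];

    return (undef, "$path is not a regular file") unless S_ISREG($mode);
    return (undef, "$path is not owned by the running user")
        unless $uid == $>;
    return (undef, sprintf('%s has mode %04o; group/other bits must be clear',
                           $path, S_IMODE($mode)))
        if S_IMODE($mode) & 0077;

    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;            # comments, blank lines
        $cfg{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    return (\%cfg, undef);
}

# Demonstration on a constructed file in a temporary directory.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/db.conf";                         # hypothetical file name
open(my $out, '>', $file) or die "write $file: $!";
print {$out} "# constructed sample\nuser = webapp\npassword = not-a-real-password\n";
close($out) or die "close $file: $!";

for my $mode (0644, 0640, 0600) {
    chmod $mode, $file or die "chmod $file: $!";
    my ($cfg, $why) = load_db_config($file);
    printf "%04o: %s\n", $mode,
        $cfg ? 'loaded keys: ' . join(',', sort keys %$cfg)
             : "refused ($why)";
}
```

If the web server runs the script as nobody rather than as the file's owner, the open or the ownership check fails, so this layout only works where suexec or a similar wrapper is in place.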
cgi scripts and a crashing server:advice needed
Hi list, 2 Right, I have a few (6 to be exact) cgi scripts that run (not at the same time) on our web server, all 6 do a variety of different things like parsing data from a csv file and creating a suitable output html format and redirecting to other pages. Our server has crashed and there seems to be a general consensus that the number of scripts being run is causing the problem as the server also runs a Content Management System alongside. I've gone through my scripts to see if I've done anything silly, but the most advanced of all the scripts simply opens a csv file and parses it...i usually have other cgi scripts that use the csv file for validating the data, but I have closed each filehandle... Can anyone think of what types of problems very basic cgi scripts can cause on a server? Thanx Ben __ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos More http://faith.yahoo.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: cgi scripts and a crashing server:advice needed
not sure if anyone has asked. What kind of server and what do the logs say? --chad On Thu, 2002-10-10 at 11:56, Ben Crane wrote: Hi list, 2 Right, I have a few (6 to be exact) cgi scripts that run (not at the same time) on our web server, all 6 do a variety of different things like parsing data from a csv file and creating a suitable output html format and redirecting to other pages. Our server has crashed and there seems to be a general consensus that the number of scripts being run is causing the problem as the server also runs a Content Management System alongside. I've gone through my scripts to see if I've done anything silly, but the most advanced of all the scripts simply opens a csv file and parses it...i usually have other cgi scripts that use the csv file for validating the data, but I have closed each filehandle... Can anyone think of what types of problems very basic cgi scripts can cause on a server? Thanx Ben __ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos More http://faith.yahoo.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Chad Kellerman Jr. Systems Administrator Alabanza Inc 410-234-3305 signature.asc Description: This is a digitally signed message part
Re: cgi scripts and a crashing server:advice needed
Ben Crane wrote: Hi list, 2 Right, I have a few (6 to be exact) cgi scripts that run (not at the same time) on our web server, all 6 do a variety of different things like parsing data from a csv file and creating a suitable output html format and redirecting to other pages. Our server has crashed and there seems to be a general consensus that the number of scripts being run is causing the problem as the server also runs a Content Management System alongside. I've gone through my scripts to see if I've done anything silly, but the most advanced of all the scripts simply opens a csv file and parses it...i usually have other cgi scripts sometimes, it's not how advanced or complicated a script is that could cause a problem, it's how understandable you are as to what those scripts do. for example, your cgi scripts can be very simple but if you have lines like:
my @data = <FILEHANDLE>;
or:
if(/$reg/o){
    #-- do something
}
or stuff like that, your script will appear to be working most of the time but it might fail once in a while depending on what really came in. you should look for those in your cgi scripts for anything that's obvious. that use the csv file for validating the data, but I have closed each filehandle... Can anyone think of what types of problems very basic cgi scripts can cause on a server? you could be right that your server might be overloaded but it's really hard to tell except you are willing to tell us more about the platform, server, your cgi scripts... etc before anyone can tell you what really cause the problem david -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Passing values through 2 different CGI scripts
Hi List, I have an online web map created through mapinfo-when you click on a part of the JPEG image it loads a CGI script and passes a unique 12 digit number which then identifies where on the map it is. After the road/point has been selected and the cgi script has returned the location-it then prompts the user to confirm whether this is the correct location to report a problem...which then passes them on to a form linked to an email CGI form. My problem: How do I pass the 12 digit number from the first cgi form to the online html form to the email cgi program? Thanx Ben __ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos More http://faith.yahoo.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Passing values through 2 different CGI scripts
If you are generating the email CGI form on the fly, you can pass the number as a hidden INPUT field : eg:
<form xxx, action= , method= >
... INPUT fields as needed
<input type=hidden name=ID value=123456789123>
</form>
Hope it helps. Ben Crane wrote: Hi List, I have an online web map created through mapinfo-when you click on a part of the JPEG image it loads a CGI script and passes a unique 12 digit number which then identifies where on the map it is. After the road/point has been selected and the cgi script has returned the location-it then prompts the user to confirm whether this is the correct location to report a problem...which then passes them on to a form linked to an email CGI form. My problem: How do I pass the 12 digit number from the first cgi form to the online html form to the email cgi program? Thanx Ben __ Do you Yahoo!? Faith Hill - Exclusive Performances, Videos More http://faith.yahoo.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Best Practices for Debugging and Error Handling in CGI Scripts?
Can anyone list some resources or methods they use for debugging (Perl) CGI scripts. How can I use CGI::Carp most effectively? Does anyone have any recommended practices for graceful CGI error handling? Is this something that should be built in a custom module for my site? Sorry if these are softball questions. Cheers, D. Simcik -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Using perl cgi scripts to print
Does anyone know how to print generic text to a remote printer on a local lan? I can print text to the printer from Xwindows, but I don't have a clue as to how to print to same printer with a cgi script. I am also using samba to connect my linux box to 3 windows98 boxes via a router. Thanks in advance Brian Bratcher [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
CGI scripts in Perl
I have Microsoft Personal Web Server on my local machine. My perl scripts run fine from the command line. When I try to run them from cgi-bin within INetpub/wwwroot, they fail raising the HTTP/1.1 500 Server Error. Any ideas? - NP _ Join the worlds largest e-mail service with MSN Hotmail. http://www.hotmail.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: CGI scripts in Perl
Visit this URL and configure your machine accordingly. http://support.microsoft.com/default.aspx?scid=kb;EN-US;q150629 -- Rex -Original Message- From: Naveen Parmar [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 08, 2002 1:39 PM To: [EMAIL PROTECTED] Subject: CGI scripts in Perl I have Microsoft Personal Web Server on my local machine. My perl scripts run fine from the command line. When I try to run them from cgi-bin within INetpub/wwwroot, they fail raising the HTTP/1.1 500 Server Error. Any ideas? - NP _ Join the world's largest e-mail service with MSN Hotmail. http://www.hotmail.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Cgi scripts not running...
Chris, I am working within a small network (10 computers). I am trying to create a form that people can access through the f: (global drive). They will fill in this form, and the results will be processed by my script, and emailed to me. I have installed activeperl in the f drive but I cannot seem to get any scripts to run in the intranet...any suggestions? We are running Netware 4.11 as the server. Is the computer that runs the scripts (on f: drive) the server? Is it a file-server or a web-server? (It needs to be a web-server). When you view the webpages with the forms, is it across the network, or through the web-server? Try setting the f: drive on the web-server as a virtual domain. i.e. so you don't browse to Network\Server\F:\index.html (or whatever) but you browse to http://virtual-server/index.html -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Cgi scripts not running...
Hello all, I am working within a small network (10 computers). I am trying to create a form that people can access through the f: (global drive). They will fill in this form, and the results will be processed by my script, and emailed to me. I have installed activeperl in the f drive but I cannot seem to get any scripts to run in the intranet...any suggestions? We are running Netware 4.11 as the server. -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Cant run CGI Scripts?
Sorry for the 'newbie' question, but I am going bald from pulling my hair out, so I had to ask some people with brains... I am trying to run a CGI script on an Intranet. Basically the user opens a form in the intranet and when they submit it a modified copy (ie slightly different layout) is sent to someone (offsite) and the info in the form is saved to a text file. I have written all the code, but I cannot get the script to run on the intranet. I am running Perl 5.6 from activestate, and the Intranet is being handled with Novell Netware. I have been asked if it is a file server or a web server...not really sure, but the address of the Intranet home page is 192.168.68.1 (seems web-ish to me?). If anyone has experience running CGI on an Intranet I would really appreciate some help. Thanks in advance for your help, and in retreat for all the help that I have found from previous posts on this list :) Chris
Re: Cant run CGI Scripts?
Hey Chris, I am not very familiar with Novell, but I don't think it is a webserver. Apache is an excellent server though and it is free at apache.org. Not to mention the docs are very good, they have a version for almost every platform, and there is a ton of help on the web for it. But no matter what, you will need a web server of some sort before you can view your scripts in a browser. As far as 192.168.xxx.xxx, it is my understanding that this address range is really used customarily for LAN/intranet use, and not 'net' use (but I could be wrong...) Shawn - Original Message - From: Chris Zampese [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 18, 2001 7:44 PM Subject: Cant run CGI Scripts? Sorry for the 'newbie' question, but I am going bald from pulling my hair out, so I had to ask some people with brains... I am trying to run a CGI script on an Intranet. Basically the user opens a form in the intranet and when they submit it a modified copy (ie slightly different layout) is sent to someone (offsite) and the info in the form is saved to a text file. I have written all the code, but I cannot get the script to run on the intranet. I am running Perl 5.6 form activestate, and the Intranet is being handled with Novell Netware. I have been asked if it is a file server or a web server...not really sure, but the address of the Intranet home page is 192.168.68.1 (seems web-ish to me?). If anyone has experience running CGI on an Intranet I would really appreciate some help. Thanks in advance for your help, and in retreat for all the help that I have found from previous posts on this list :) Chris -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Cant run CGI Scripts?
I do know that Novell is a fileserver network, and that's about all. You need Windows or UNIX/Linux/BSD to run Apache Server. - Original Message - From: Shawn [EMAIL PROTECTED] To: Chris Zampese [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, December 18, 2001 6:25 PM Subject: Re: Cant run CGI Scripts? Hey Chris, I am not very familiar with Novell, but I don't think it is a webserver. Apache is an excellent server though and it is free at apache.org. Not to mention the docs are very good, they have a version for almost every platform, and there is a ton of help on the web for it. But no matter what, you will need a web server of some sort before you can view your scripts in a browser. As far as 192.168.xxx.xxx, it is my understanding that this address range is really used customarily for LAN/intranet use, and not 'net' use (but I could be wrong...) Shawn - Original Message - From: Chris Zampese [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 18, 2001 7:44 PM Subject: Cant run CGI Scripts? Sorry for the 'newbie' question, but I am going bald from pulling my hair out, so I had to ask some people with brains... I am trying to run a CGI script on an Intranet. Basically the user opens a form in the intranet and when they submit it a modified copy (ie slightly different layout) is sent to someone (offsite) and the info in the form is saved to a text file. I have written all the code, but I cannot get the script to run on the intranet. I am running Perl 5.6 form activestate, and the Intranet is being handled with Novell Netware. I have been asked if it is a file server or a web server...not really sure, but the address of the Intranet home page is 192.168.68.1 (seems web-ish to me?). If anyone has experience running CGI on an Intranet I would really appreciate some help. 
Thanks in advance for your help, and in retreat for all the help that I have found from previous posts on this list :) Chris -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Cant run CGI Scripts?
First problem you have is trying to run script on something like Novell Netware. It is a network server, not a web server. I made another reply regarding this. CGI requires an OS such as Windows, Linux/UNIX/BSD/Solaris?(I'm not familiar with Solaris), and so on. - Original Message - From: Chris Zampese [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, December 18, 2001 5:44 PM Subject: Cant run CGI Scripts? Sorry for the 'newbie' question, but I am going bald from pulling my hair out, so I had to ask some people with brains... I am trying to run a CGI script on an Intranet. Basically the user opens a form in the intranet and when they submit it a modified copy (ie slightly different layout) is sent to someone (offsite) and the info in the form is saved to a text file. I have written all the code, but I cannot get the script to run on the intranet. I am running Perl 5.6 from activestate, and the Intranet is being handled with Novell Netware. I have been asked if it is a file server or a web server...not really sure, but the address of the Intranet home page is 192.168.68.1 (seems web-ish to me?). If anyone has experience running CGI on an Intranet I would really appreciate some help. Thanks in advance for your help, and in retreat for all the help that I have found from previous posts on this list :) Chris -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts security
Jonathan wrote: I don't think the shell is called to resolve the /home/users/me/web/$in{'NAME'}.ext bit, and therefore you cannot run commands with it. Randal wrote: It would be if $in{NAME} contained |\0. NULL characters terminate the string, and if | appears just before that, bingo, it's a shell command, not a file open. Trivial to get: /cgi-bin/yourscript?NAME=%7C%00 All that's needed now is to make that \n/evil/command|\0 instead. I'll leave that up to the guy that's about to visit your site. :) Ah, now there's one I forgot about. AFAIK Perl handles null characters perfectly (8 bit clean :), but many programs based on C aren't (not properly checked). It's fine UNTIL perl uses it externally... might be good to try, just in case Perl's magic does something about it. Did anyone mention Taint mode? It's really not that hard. Going back to the original problem, I suggest you don't use the filesystem at all. A database might be safer in this instance, and would be my preferred solution. Creating files based on unchecked (anonymous) user input just seems stupid to me. Alternatively setup the script in a chroot environment, which is a little safer. However, if it makes coding easier, and you can afford a few hacks once in a while why not try tripwire - at least you'll know when things have been changed. (Bad advice... fix the real problem before looking at security tools). Jonathan Paton __ Do You Yahoo!? Everything you'll ever need on one web page from News and Sport to Email and Music Charts http://uk.my.yahoo.com -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts security
Jonathan == Jonathan e paton [EMAIL PROTECTED] writes: Jonathan I don't think the shell is called to resolve the Jonathan /home/users/me/web/$in{'NAME'}.ext bit, and therefore Jonathan you cannot run commands with it. It would be if $in{NAME} contained |\0. NUL characters terminate the string, and if | appears just before that, bingo, it's a shell command, not a file open. Trivial to get: /cgi-bin/yourscript?NAME=%7C%00 All that's needed now is to make that \n/evil/command|\0 instead. I'll leave that up to the guy that's about to visit your site. :) Never trust CGI params. Never trust CGI params. Never trust CGI params. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training! -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts security
Kevin == Kevin Meltzer [EMAIL PROTECTED] writes: Kevin Never trust anyone over 30 Presuming that's in Hex, sure. :) -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 [EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/ Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training! -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts security
Jonathan E. Paton [EMAIL PROTECTED] wrote: something like opening a file, but can somebody show me how example below can compromise my website? open(F, "/home/users/me/web/$in{'NAME'}.ext"); What if $in{'NAME'} started with ../../../../tmp/? Now, if in the tmp directory a link was created with that file extension, then they could open anything according to your script's permissions. Scary, but not far fetched - it's a frequently exploited idea. That's true but this is not of my primary concern(there are no crackers with telnet access to the site :)). I'm thinking more of other scary possibility, that web visitors can execute commands abusing ';' or '|'. Does something like '; rm * ;' can actually execute? (note suffix '.ext') Not in this instance, $in{'NAME'} must result in a string, Yes %in is filled with parsed user variables, so I'm safe then, huh? :) it can't magically turn into a subroutine call... unless it's a tied hash - which you'd definitely know about. No, actually I don't, could you point me somewhere to perldoc? At the top of your script use: #!/usr/bin/perl -wT This code won't even work, since it'll be reported as insecure. When you've worked that bit out, you'll be back for a way of untainting your data ;-) We'll be waiting! Tnx, I've read somewhere about -T switch but right now don't have time to toy with, variable filtering works nicely. -- Matija -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CGI scripts security
> Jonathan E. Paton [EMAIL PROTECTED] wrote:
> > > something like opening a file, but can somebody show me how the example below can compromise my website?
> > > open(F, "/home/users/me/web/$in{'NAME'}.ext");
> > What if $in{'NAME'} started with ../../../../tmp/? Now, if in the tmp directory a link was created with that file extension, then they could open anything according to your script's permissions. Scary, but not far fetched - it's a frequently exploited idea.
> That's true but this is not of my primary concern (there are no crackers with telnet access to the site :))
That'd make your script a possible target for further defeating your security. Since it probably runs as nobody then it's unlikely it can benefit a hacker. Getting that telnet account is probably quite hard, on an appropriately secured box anyway. However, the fact that this *could* be exploited means that you shouldn't overlook it... unless the overall security and importance of that server isn't that high anyway - on an intranet for example.
> I'm thinking more of other scary possibility, that web visitors can execute commands abusing ';' or '|'.
> > > Can something like '; rm * ;' actually execute? (note suffix '.ext')
> > Not in this instance, $in{'NAME'} must result in a string,
> Yes %in is filled with parsed user variables, so I'm safe then, huh? :)
I don't think the shell is called to resolve the /home/users/me/web/$in{'NAME'}.ext bit, and therefore you cannot run commands with it. Then again, I might be completely wrong. Read:
perldoc perlopentut
perldoc -f open
> > It can't magically turn into a subroutine call... unless it's a tied hash - which you'd definitely know about.
> No, actually I don't, could you point me somewhere to perldoc?
A tied hash is magic, it makes an object look like a mere hash. When you access the hash in any way it calls methods (subroutines) of the object. It's not a security risk as such, and only a side interest. Documentation is at:
perldoc perltie
> > At the top of your script use:
> > #!/usr/bin/perl -wT
> > This code won't even work, since it'll be reported as insecure. When you've worked that bit out, you'll be back for a way of untainting your data ;-) We'll be waiting!
> Tnx, I've read somewhere about -T switch but right now don't have time to toy with, variable filtering works nicely.
-T is for taint mode, the draconian approach to secure programming. It 'taints' data which comes from outside the script, and forces you to 'untaint' it using regular expressions. Worth learning, if security matters.
perldoc perlsec
Jonathan Paton
CGI scripts security
I've read docs on security and I'm aware that all user variables should be checked before doing something like opening a file, but can somebody show me how the example below can compromise my website?
open(F, "/home/users/me/web/$in{'NAME'}.ext");
Can something like '; rm * ;' actually execute? (note suffix '.ext')
tnx! -- Matija
Re: CGI scripts security
Hi,
> I've read docs on security and I'm aware that all user variables should be checked before doing something like opening a file, but can somebody show me how the example below can compromise my website?
> open(F, "/home/users/me/web/$in{'NAME'}.ext");
What if $in{'NAME'} started with ../../../../tmp/? Now, if in the tmp directory a link was created with that file extension, then they could open anything according to your script's permissions. Scary, but not far fetched - it's a frequently exploited idea.
> Can something like '; rm * ;' actually execute? (note suffix '.ext')
Not in this instance, $in{'NAME'} must result in a string, it can't magically turn into a subroutine call... unless it's a tied hash - which you'd definitely know about.
At the top of your script use:
#!/usr/bin/perl -wT
This code won't even work, since it'll be reported as insecure. When you've worked that bit out, you'll be back for a way of untainting your data ;-) We'll be waiting!
Jonathan Paton
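The file-name handling this thread discusses (the ../ prefix, the ';' and '|' worry, and untainting under -T), as an added example that is not code from any poster. The temporary directory standing in for /home/users/me/web, the sample names, and the helpers untaint_name and open_user_file are assumptions of this example.

```perl
#!/usr/bin/perl -T
# Run as: perl -T untaint_name.pl  (-T must also be given on the command line)
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# Assumption: a temporary directory stands in for /home/users/me/web.
my $BASE = tempdir();

# Allow-list untainting: under -T only a regex capture yields untainted data.
# Letters, digits, '_' and '-' are accepted, so '/', '.', ';' and '|' never pass.
sub untaint_name {
    my ($raw) = @_;
    if (defined $raw && $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/) {
        return $1;
    }
    return;
}

# Open BASE/NAME.ext read-only. Returns a filehandle, or undef when the name
# is rejected or the file cannot be opened.
sub open_user_file {
    my ($raw) = @_;
    my $name = untaint_name($raw);
    return unless defined $name;
    # Three-argument open: the mode is a separate argument, so nothing in the
    # path can be read as a mode character or a pipe.
    # Taint mode refuses tainted data in writes, pipes and commands; it does
    # not stop a read-only open, so the allow-list is what blocks '../' here.
    open(my $fh, '<', "$BASE/$name.ext") or return;
    return $fh;
}

# Constructed sample file.
open(my $out, '>', "$BASE/report.ext") or die "cannot create sample: $!";
print {$out} "sample contents\n";
close $out;

# Literals are never tainted. Appending a zero-length string cut from $0 and
# $^X (both tainted under -T) makes the constructed samples behave like real
# CGI parameters.
my $TAINT   = substr("$0$^X", 0, 0);
my @samples = map { $_ . $TAINT }
    'report', '../../../../tmp/x', '; rm * ;', 'report|', '';

for my $in (@samples) {
    my $clean = untaint_name($in);
    my $fh    = open_user_file($in);
    printf "%-22s tainted=%d accepted=%d clean_tainted=%d opened=%d\n",
        "'$in'",
        tainted($in) ? 1 : 0,
        defined $clean ? 1 : 0,
        (defined $clean && tainted($clean)) ? 1 : 0,
        $fh ? 1 : 0;
    close $fh if $fh;
}

# Remove the constructed sample again.
unlink "$BASE/report.ext";
rmdir $BASE;
```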
Re: securing sensitive information in CGI scripts
Hi all, I actually combine both of these suggestions. I have my passwords stored separately. In fact, I tend to put ALL database functions in one perl module or PHP include file outside the docroot. It adds an extra level of abstraction when I'm writing my CGI/PHP code. It also means that if I change anything in the database - move machines, change the schema, move to mysql (god forbid) - I only have two files to edit. I then use the firewall approach too. Most firewalls have three zones; green trusted, amber DMZ, and red public. I have my firewall configured so that I only allow port 80 from red to amber, and 5432 from amber to green. Gary
On Wednesday 05 September 2001 3:13 am, Gunther Birznieks wrote: At 10:34 AM 9/4/2001 +, Mel Matsuoka wrote: At 07:20 PM 09/04/2001 +0100, yahoo wrote: Hi all, I'd like to find out people's opinion on the following. If you have a perl cgi script which accesses a database, are there any security issues with having the DBI connection details in the perl script (rather than, say, an external file not in the document root - is this better?)? My general policy regarding things like this is, the more paranoid you are, the better :) Having password information embedded in a publicly accessible document such as a CGI script is playing with fire, as far as I'm concerned. There may be a time when you least expect it when someone (or you) screws up the webserver config, and accidentally allows cgi-scripts to be sent out as plaintext documents. Ouch. That's why for all of my Perl and PHP scripts, I include the database server connection details using an include file which is saved outside of the webserver root. 
Of course, this isn't 100% secure, since anyone who has local filesystem access to the server can still get at the information, but then again, if someone has achieved that level of access, you have bigger problems than worrying about your DBI include files and CGI scripts ;) You can even go one step further, in banking practices, you typically never access the database directly anyway from a CGI. Instead you have a multi-DMZ (well DMZ isn't the exact right term) but multi-partitioned architecture so that if someone does break into the web server they still do not have direct access to the database. Something like Internet - Firewall - WebServer - Firewall - App Server - FW - DB Server Each major server essentially being controlled by dual homed hosts on separate subnets with the network interface on the firewall only controlling a single direction of traffic to the server in question. Of course, most normal people can't afford this and make do with chrooting and running on a dedicated host with a linux IP Tables firewall on one single machine even if they go dedicated. As an aside, eXtropia has an open source toolkit which allows this higher level of indirection without any application logic programming. The abstraction is called Extropia::DataSource (written in Perl) and for this abstraction we have DataSource::File (For flat file) and DataSource::DBI (for DBI). But if you require stronger security (like the above approach), you can use our DataSource::SOAP which talks to a Java Servlet container (as the app server eg Jakarta-Tomcat) running code from the Apache SOAP Project as the infrastructure and then on top of it, our com.eXtropia.datasource.soap.SoapDataSource package wrapped around our com.eXtropia.datasource.SecureDataSource API. 
The SecureDataSource API allows you to restrict permissions in a way very similar to how permissions are restricted using grant statements on SQL and in addition the password to the database is stored in the middleware server (breaking into the webserver does not grant access). The other cool thing about this is that most servlet containers also handle JDBC connection pooling for you (an additional performance boost which makes the performance lag introducing a middleware server more reasonable). Of course, you can go even farther than this. Obviously the best middleware server will contain the equivalent of stored procedures which tightly restrict in a typed concept, what sort of data may pass into it and out of it (as opposed to essentially arbitrary queries). Later, Gunther -- Gary Stainburn This email does not contain private or confidential material as it may be snooped on by interested government parties for unknown and undisclosed purposes - Regulation of Investigatory Powers Act, 2000 -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Extened - Re: securing sensitive information in CGI scripts
This is a very different security question. Basically I think there are two major classes of solution. One is based on randomness and the other is based on a harder core ACL check in the CGI itself and requires the CGI control access to the file more tightly.
In Detail:
One way which isn't the most secure is to generate random directories to place these files in and then put the file in these random directory names for download. Unless a hacker guesses correctly (eg use an MD5 hash is pretty strong) which is unlikely, they won't be able to get a file of someone else's without knowing the session key. This is subject to brute force checking and is potentially breakable through other means.
The more secure way is to store the file outside the document tree and check a database to see if the authorized user can access that particular uploaded file. If so, then the CGI program itself should open the file and present it back to the user. Otherwise, no dice.
At 10:32 AM 9/5/2001 +0800, Rajeev Rumale wrote:
> Greetings to all, This is really a good thread we have. However as the title is not restricting to database security. I would like to add my concern to it. I need to store some uploaded files from the visitors into some directories which are inside website root. Since the files submitted are confidential info We need to protect it from people directly accessing the files depending upon the ownership rights (the actual owner, site admin, site operator, other authorised user). Any suggestions for same. Thanking in advance. Rajeev Rumale
__ Gunther Birznieks ([EMAIL PROTECTED]) eXtropia - The Open Web Technology Company http://www.eXtropia.com/
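The second approach in the reply above (file kept outside the document tree, access checked before the CGI itself opens it), as an added example that is not Gunther's or eXtropia's code. The %UPLOADS and %ROLE hashes stand in for the database, and the ids, account names and the helpers may_read and fetch_upload are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: uploads are stored outside the document root, so the web server
# can never serve them directly. A temporary directory stands in for it here.
my $STORE = tempdir(CLEANUP => 1);

# Assumption: these hashes stand in for the database the post refers to.
# The stored file name is chosen by the server at upload time; a request only
# ever carries the opaque id.
my %UPLOADS = (
    f1001 => { stored => 'f1001.bin', owner => 'alice', shared_with => [] },
    f1002 => { stored => 'f1002.bin', owner => 'bob',   shared_with => ['alice'] },
);
my %ROLE = (carol => 'admin', dave => 'operator');   # constructed accounts

# Owner, site admin, site operator, or a user the owner authorised.
sub may_read {
    my ($user, $rec) = @_;
    return 1 if $rec->{owner} eq $user;
    return 1 if exists $ROLE{$user};
    return (grep { $_ eq $user } @{ $rec->{shared_with} }) ? 1 : 0;
}

# Returns (HTTP status, body). The CGI opens the file itself, and only after
# the access check has passed.
sub fetch_upload {
    my ($user, $file_id) = @_;
    return (400, '') unless defined $user && defined $file_id
                         && $file_id =~ /\A[a-z0-9]{1,32}\z/;
    my $rec = $UPLOADS{$file_id};
    # Design choice of this example: an unknown id and a forbidden id get the
    # same answer, so a response does not reveal which ids exist.
    return (404, '') unless $rec && may_read($user, $rec);
    open(my $fh, '<:raw', "$STORE/$rec->{stored}") or return (500, '');
    my $body = do { local $/; <$fh> };
    close $fh;
    return (200, $body);
}

# Constructed sample files and requests.
for my $rec (values %UPLOADS) {
    open(my $out, '>:raw', "$STORE/$rec->{stored}")
        or die "cannot write sample: $!";
    print {$out} "confidential upload of $rec->{owner}\n";
    close $out;
}

for my $req (['alice', 'f1001'], ['bob',     'f1001'], ['alice', 'f1002'],
             ['carol', 'f1002'], ['mallory', 'f1002'], ['alice', '../f1002']) {
    my ($status, $body) = fetch_upload(@$req);
    printf "%-8s %-10s -> %d (%d bytes)\n", @$req, $status, length $body;
}
```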
Re: Extened - Re: securing sensitive information in CGI scripts
--- Rajeev Rumale [EMAIL PROTECTED] wrote:
> I need to store some uploaded files from the visitors into some directories which are inside website root.
Rajeev, Why do you need to store them there? If you can answer that for us, we can give you much better advice on how to secure it.
Cheers, Curtis Ovid Poe
Senior Programmer Onsite! Technology (http://www.onsitetech.com/) Ovid on http://www.perlmonks.org/
Re: Extened - Re: securing sensitive information in CGI scripts
> Why do you need to store them there? If you can answer that for us, we can give you much better advice on how to secure it.
Good point, I should have included it in the question itself. Well, many times we don't get access to directories outside the website root. Especially in case of shared servers.
Regards Rajeev
- Original Message - From: Curtis Poe [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 05, 2001 11:53 PM Subject: Re: Extened - Re: securing sensitive information in CGI scripts
--- Rajeev Rumale [EMAIL PROTECTED] wrote: I need to store some uploaded files from the visitors into some directories which are inside website root. Rajeev, Why do you need to store them there? If you can answer that for us, we can give you much better advice on how to secure it. Cheers, Curtis Ovid Poe Senior Programmer Onsite! Technology (http://www.onsitetech.com/) Ovid on http://www.perlmonks.org/
Re: securing sensitive information in CGI scripts
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Brett W. McCoy) wrote:
> You've killed any security also if you don't remove backup files from your web space. emacs, for instance, creates files appended with ~, and people forget to delete them (or create a cron job that does it). Big hole there.
hopefully the webserver is configured not to serve up those files. :)
> At the very least, files included in a script that contain sensitive information should be kept away from the document root of your webserver.
absolutely.
-- brian d foy [EMAIL PROTECTED] - Perl services for hire CGI Meta FAQ - http://www.perl.org/CGI_MetaFAQ.html Troubleshooting CGI scripts - http://www.perl.org/troubleshooting_CGI.html
securing sensitive information in CGI scripts
Hi all, I'd like to find out people's opinion on the following. If you have a perl cgi script which accesses a database, are there any security issues with having the DBI connection details in the perl script (rather than, say, an external file not in the document root - is this better?)? What do you think? regards Joel
Re: securing sensitive information in CGI scripts
At 07:20 PM 09/04/2001 +0100, yahoo wrote:
> Hi all, I'd like to find out people's opinion on the following. If you have a perl cgi script which accesses a database, are there any security issues with having the DBI connection details in the perl script (rather than, say, an external file not in the document root - is this better?)?
My general policy regarding things like this is, the more paranoid you are, the better :) Having password information embedded in a publicly accessible document such as a CGI script is playing with fire, as far as I'm concerned. There may be a time when you least expect it when someone (or you) screws up the webserver config, and accidentally allows cgi-scripts to be sent out as plaintext documents. Ouch. That's why for all of my Perl and PHP scripts, I include the database server connection details using an include file which is saved outside of the webserver root. Of course, this isn't 100% secure, since anyone who has local filesystem access to the server can still get at the information, but then again, if someone has achieved that level of access, you have bigger problems than worrying about your DBI include files and CGI scripts ;)
Aloha, mel
-- mel matsuoka Hawaiian Image Productions Chief Executive Alphageek (vox)1.808.531.5474 [EMAIL PROTECTED] (fax)1.808.526.4040
Re: securing sensitive information in CGI scripts
At 10:34 AM 9/4/2001 +, Mel Matsuoka wrote: At 07:20 PM 09/04/2001 +0100, yahoo wrote: Hi all, I'd like to find out peoples opinion on the following. If you have a perl cgi script which accesses a database, are there any security issues with having the DBI connection details in the perl script (rather than, say, an external file not in the document root - is this better?)? My general policy regarding things like this is, the more paranoid you are , the better :) Having password information embedded in a publicly accessible document such as a CGI script is playing with fire, as far as I'm concerned. There may be a time when you least expect it when someone (or you) screws up the webserver config, and accidentally allows cgi-scripts to be sent out as plaintext documents. Ouch. That's why for all of my Perl and PHP scripts, I include the database server connection details using an include file which is saved outside of the webserver root. Of course, this isn't 100% secure, since anyone who has local filesystem access to the server can still get at the information, but then again, if someone has achieved that level of access, you have bigger problems than worrying about your DBI include files and CGI scripts ;) You can even go one step further, in banking practices, you typically never access the database directly anyway from a CGI. Instead you have a multi-DMZ (well DMZ isn't the exact right term) but multi-partitioned architecture so that if someone does break into the web server they still do not have direct access to the database. Something like Internet - Firewall - WebServer - Firewall - App Server - FW - DB Server Each major server essentially being controlled by dual homed hosts on separate subnets with the network interface on the firewall only controlling a single direction of traffic to the server in question. 
Of course, most normal people can't afford this and make do with chrooting and running on a dedicated host with a linux IP Tables firewall on one single machine even if they go dedicated. As an aside, eXtropia has an open source toolkit which allows this higher level of indirection without any application logic programming. The abstraction is called Extropia::DataSource (written in Perl) and for this abstraction we have DataSource::File (For flat file) and DataSource::DBI (for DBI). But if you require stronger security (like the above approach), you can use our DataSource::SOAP which talks to a Java Servlet container (as the app server eg Jakarta-Tomcat) running code from the Apache SOAP Project as the infrastructure and then on top of it, our com.eXtropia.datasource.soap.SoapDataSource package wrapped around our com.eXtropia.datasource.SecureDataSource API. The SecureDataSource API allows you to restrict permissions in a way very similar to how permissions are restricted using grant statements on SQL and in addition the password to the database is stored in the middleware server (breaking into the webserver does not grant access). The other cool thing about this is that most servlet containers also handle JDBC connection pooling for you (an additional performance boost which makes the performance lag introducing a middleware server more reasonable). Of course, you can go even farther than this. Obviously the best middleware server will contain the equivalent of stored procedures which tightly restrict in a typed concept, what sort of data may pass into it and out of it (as opposed to essentially arbitrary queries). Later, Gunther -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Extened - Re: securing sensitive information in CGI scripts
Greetings to all, This is really a good thread we have. However as the title is not restricting to database security. I would like to add my concern to it. I need to store some uploaded files from the visitors into some directories which are inside website root. Since the files submitted are confidential info We need to protect it from people directly accessing the files depending upon the ownership rights (the actual owner, site admin, site operator, other authorised user). Any suggestions for same. Thanking in advance. Rajeev Rumale
Re: securing sensitive information in CGI scripts
On Tue, 4 Sep 2001, Mel Matsuoka wrote:
> Having password information embedded in a publicly accessible document such as a CGI script is playing with fire, as far as I'm concerned. There may be a time when you least expect it when someone (or you) screws up the webserver config, and accidentally allows cgi-scripts to be sent out as plaintext documents. Ouch.
You've killed any security also if you don't remove backup files from your web space. emacs, for instance, creates files appended with ~, and people forget to delete them (or create a cron job that does it). Big hole there. At the very least, files included in a script that contain sensitive information should be kept away from the document root of your webserver.
-- Brett http://www.chapelperilous.net/ Those who don't know, talk. Those who don't talk, know.
question regarding CGI scripts
Hi, I have installed Apache webserver on my windows 2000 platform and tried to execute some CGI scripts written in PERL. But even if I try to execute a simple CGI program I am getting 500, internal server error. I have changed the httpd.conf file and made the following changes to enable it for running CGI scripts.
ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"
AddHandler cgi-script .cgi
AddType text/html .shtml
AddHandler server-parsed .shtml
I have checked the server log messages. Each time I tried to execute the script I am getting the following error message in the server log
[Mon Aug 27 14:33:37 2001] [error] [client 127.0.0.1] (2)No such file or directory: couldn't spawn child process: c:/program files/apache group/apache/cgi-bin/script.cgi.
Can anyone help me to configure the apache to run cgi scripts.
Thanks Maruti Kapa
RE: question regarding CGI scripts
What is the 1st line of your Perl scripts? Should be
#!c:\Program Files\Perl\bin\perl.exe -Tw
or whatever your path to the executable is...
-Original Message- From: mp kapa [mailto:[EMAIL PROTECTED]] Sent: Monday, August 27, 2001 2:29 PM To: [EMAIL PROTECTED] Subject: question regarding CGI scripts
Hi, I have installed Apache webserver on my windows 2000 platform and tried to execute some CGI scripts written in PERL. But even if I try to execute a simple CGI program I am getting 500, internal server error. I have changed the httpd.conf file and made the following changes to enable it for running CGI scripts.
ScriptAlias /cgi-bin/ "C:/Program Files/Apache Group/Apache/cgi-bin/"
AddHandler cgi-script .cgi
AddType text/html .shtml
AddHandler server-parsed .shtml
I have checked the server log messages. Each time I tried to execute the script I am getting the following error message in the server log
[Mon Aug 27 14:33:37 2001] [error] [client 127.0.0.1] (2)No such file or directory: couldn't spawn child process: c:/program files/apache group/apache/cgi-bin/script.cgi.
Can anyone help me to configure the apache to run cgi scripts.
Thanks Maruti Kapa
Re: automatic cgi scripts?
If you have no access to cron on your server and if your site is getting a reasonable number of hits, place a link to the script on your home page. Every time it runs it checks the time and if past 0800 hours runs your commands and sets a flag in a file to avoid running the command multiple times on the same day.
On Sat, 12 May 2001 15:24:03 +0200, [EMAIL PROTECTED] (Jan Gehring) wrote:
> You must do that with cronjobs. Regards, jan
> - Original Message - From: Sanchit Bhatnagar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, January 01, 1999 2:35 AM Subject: automatic cgi scripts?
> Hi, Is there any way to automatically execute a cgi script in un*x on a preset delay, say for ex. once every day at 0800hrs.? thanks, san.
How to profile CGI scripts?
Disclaimer: I've read the docs, talked to several folks, and played around with the scripts, but I must be missing something. I'd like to get the tmon.out file output from the -d:DProf flag when my CGI scripts execute remotely on the web server that I'm developing on, but whenever I add the '-d:DProf' flag in the shebang line, I get a 500 Internal Server Error. I've also tried setting the 'PERL_DPROF_OUT_FILE_NAME' environment variable in a BEGIN block. Any thoughts? Thanks in advance, Jason
Re: How to profile CGI scripts?
--- Jason Purdy [EMAIL PROTECTED] wrote:
> Disclaimer: I've read the docs, talked to several folks, and played around with the scripts, but I must be missing something. I'd like to get the tmon.out file output from the -d:DProf flag when my CGI scripts execute remotely on the web server that I'm developing on, but whenever I add the '-d:DProf' flag in the shebang line, I get a 500 Internal Server Error. I've also tried setting the 'PERL_DPROF_OUT_FILE_NAME' environment variable in a BEGIN block. Any thoughts? Thanks in advance, Jason
I just tested a command line script by putting -d:Dprof in the shebang line and didn't have any problem. Of course, I'm using ActiveState here and that might make a difference. Perhaps you could tell us what's in your error log?
You could create a new file extension and associate that with the -d:Dprof flag. Then, run the script (with the new extension) and manually grab the tmon.out file. You could even write another perl script that runs continually in the background and detects the creation of the tmon.out file, grabs it, and writes it to a new directory with some sort of identifier embedded in the filename.
Cheers, Curtis Poe
Senior Programmer Onsite! Technology (http://www.onsitetech.com/) Ovid on http://www.perlmonks.org/
Re: How to profile CGI scripts?
> I just tested a command line script by putting -d:Dprof in the shebang line and didn't have any problem. Of course, I'm using ActiveState here and that might make a difference. Perhaps you could tell us what's in your error log?
Yea ... that's another problem - I don't have access to the error log - talk about your pure black box development. ;) The server I use is hosted by ValueWeb and it's a Linux box (I also believe it's an Apache server). The server I'm developing on is also Apache, but Win2K and ActiveState. The -d:DProf flag works fine on my box, though it's not using my $ENV{PERL_DPROF_OUT_FILE_NAME} definition.
> You could create a new file extension and associate that with the -d:Dprof flag. Then, run the script (with the new extension) and manually grab the tmon.out file. You could even write another perl script that runs continually in the background and detects the creation of the tmon.out file, grabs it, and writes it to a new directory with some sort of identifier embedded in the filename.
Not following you here. The presence of -d:DProf seems to result in a 500 error for any script on the host I'm using, even a simple Hello World script.
Jason
Re: Configuring cgi scripts on Windows2000
On Thursday 05 July 2001 08:58, Curtis Poe wrote:
> --- Greg Jetter [EMAIL PROTECTED] wrote:
> > Well you found one here, I've worked with it since the first version, in fact I work with it daily, it's how I earn my daily bread. You can not separate its shortcomings from the question posed about UID. I see you offered no advice to the poster other than to rake me over the coals for daring to suggest that the problem lies with the selected OS not the Perl scripts. I was not trying to force my opinion on anyone, and I was trying to help out the guy, Though I only been posting here for a few times I got the impression that this forum was not owned and operated for the benefit of the Windows community or the Linux/Unix community. I would just as easily pointed out a fault in Unix/linux if there existed one relevant to the question at hand. My stance on O/S's is use whichever one does the job you're trying to accomplish. Same with Scripting languages or hardware. Just what is your problem bud? Instead of attacking me why don't you suggest how this problem might be resolved? do you really know anything other than how to start a flame war? Greg 20 year computer programmer Perl novice and advancing.
> Please reread Steve's response carefully. He did not flame. He was merely saying that, in his opinion, discussions of the merits of a particular OS were off-topic. As for discussions of this tone, I've been on the 'Net for quite a few years and have *never* seen anything productive come out of this. I've seen bad tempers, hurt feelings, and general unpleasantness, but never anything productive. Please, everyone stay cool and let's drop this.
> Cheers, Curtis Poe Senior Programmer Onsite! Technology (http://www.onsitetech.com/) Ovid on http://www.perlmonks.org/
Thanks for your cool head, I get carried away sometimes. I will stop replying to this thread and hope it dies.. Greg
Re: Configuring cgi scripts on Windows2000
On Wednesday 04 July 2001 20:36, Steve Howard wrote:
> I would think this is hardly a place for this type of editorial comment on OS. Without even trying to answer this question, I will say that Windows does provide a good environment for development. I have found few people who have tried more than superficially to understand the cause of problems with Windows, but I have worked with it long enough that I find that Windows crap is seldom the real answer. However, a discussion of OS's would be about like a political discussion, and I think is certainly out of place here. I'd much rather stay to the programming issues. Steve H.
Well you found one here, I've worked with it since the first version, in fact I work with it daily, it's how I earn my daily bread. You can not separate its shortcomings from the question posed about UID. I see you offered no advice to the poster other than to rake me over the coals for daring to suggest that the problem lies with the selected OS not the Perl scripts. I was not trying to force my opinion on anyone, and I was trying to help out the guy, Though I only been posting here for a few times I got the impression that this forum was not owned and operated for the benefit of the Windows community or the Linux/Unix community. I would just as easily pointed out a fault in Unix/linux if there existed one relevant to the question at hand. My stance on O/S's is use whichever one does the job you're trying to accomplish. Same with Scripting languages or hardware. Just what is your problem bud? Instead of attacking me why don't you suggest how this problem might be resolved? do you really know anything other than how to start a flame war? Greg 20 year computer programmer Perl novice and advancing.
> -Original Message- From: RL Autry [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 04, 2001 8:36 PM To: Greg Jetter; [EMAIL PROTECTED] Subject: Re: Configuring cgi scripts on Windows2000
> At 08:26 PM 7/4/2001, Greg Jetter wrote:
> > Your best bet is to stay with a Unix based provider. There is a reason why developers choose to develop on Linux/Unix and not Windows crap. This is one of them.. Greg
> Will do on the copyright suggestion. I wanted to make them all available to the public anyway. I *really* like the OpenSource idea. Yeah I am beginning to understand about the operating systems *believe me* Thanks, RL
Re: Configuring cgi scripts on Windows2000
On Thu, 5 Jul 2001, Greg Jetter wrote:

My stance on O/S's is use whichever one does the job you're trying to accomplish. Same with scripting languages or hardware. Just what is your problem, bud? Instead of attacking me, why don't you suggest how this problem might be resolved? Do you really know anything other than how to start a flame war?

Regardless, some people may not have a choice as to what OS they have to develop on. Answering a question about a programming question with "Switch to such-and-such-OS because the one you are using is crap" is almost as bad as saying RTFM.

--
Brett
http://www.chapelperilous.net/btfwk/
Q: What is the sound of one cat napping?
A: Mu.
Re: Configuring cgi scripts on Windows2000
--- Greg Jetter [EMAIL PROTECTED] wrote:

Well, you found one here. I've worked with it since the first version; in fact I work with it daily, it's how I earn my daily bread. You cannot separate its shortcomings from the question posed about UID. I see you offered no advice to the poster other than to rake me over the coals for daring to suggest that the problem lies with the selected OS, not the Perl scripts. I was not trying to force my opinion on anyone, and I was trying to help out the guy. Though I've only been posting here a few times, I got the impression that this forum was not owned and operated for the benefit of the Windows community or the Linux/Unix community. I would just as easily have pointed out a fault in Unix/Linux if there existed one relevant to the question at hand. My stance on O/S's is use whichever one does the job you're trying to accomplish. Same with scripting languages or hardware. Just what is your problem, bud? Instead of attacking me, why don't you suggest how this problem might be resolved? Do you really know anything other than how to start a flame war?

Greg
20 year computer programmer
Perl novice and advancing.

Please reread Steve's response carefully. He did not flame. He was merely saying that, in his opinion, discussions of the merits of a particular OS were off-topic.

As for discussions of this tone, I've been on the 'Net for quite a few years and have *never* seen anything productive come out of this. I've seen bad tempers, hurt feelings, and general unpleasantness, but never anything productive. Please, everyone stay cool and let's drop this.

Cheers,
Curtis Poe

Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
Ovid on http://www.perlmonks.org/