Processing Web Forms Carefully

Randal Schwartz

Sunday, September 15th, 2002

Share This:

CGI applications are often used to search through some database. For example, a catalog might let you look for an item by color, or an on-line dating service might let you pick people by gender, location, age, and interests.

When the CGI application is in Perl, the database query is frequently performed using the DBI interface. This amazing product, the result of man-years of effort (coordinated by Tim Bunce), allows a Perl program to interact nearly identically with over a few dozen types of databases, including both commercial and open-source databases, and even “non-database” databases like a comma-separated-values (CSV) file. With DBI, the interaction between script and database is primarily in the form of a series of industry-standard SQL statements. And while common, I frequently see the transition from a CGI form element to a SQL query statement as a security risk.

For example, let’s say that the form field firstname accepts an SQL LIKE pattern (e.g., “Tom%”) for the first name of a person I’m searching for in my department. The Perl code to construct an SQL query using firstname as a parameter might look something like Figure One.

Figure One: Typical Perl code to construct an SQL query my $department = 123; # determined by some login process my $firstname = param(’firstname’); # from the field my $sql = “SELECT id FROM… Please log in to view this content. Not Yet a Member? Register with LinuxMagazine.com and get free access to the entire archive, including: Hands-on Content White Papers Community Features And more. Already a Member? Log in! Username Password Remember me Forgotten your password? Forgotten your username? Read More Helpful Tools for Software Developers The Github Hall of Fame Book'em, Github. This Week on Github: Stupid Ruby Tricks A Veritable Scatter Shot!

Follow Linux Magazine Facebook Twitter Daily Email RSS Stories Keywords Papers Video Recent Recommendations [?] Will The Linux Desktop Soon Be Irrelevant? IE8 vs. Firefox: Four Things Firefox Could Learn from IE Vimperator: Use Firefox the Vim Way GP-GPUs: OpenCL Is Ready For The Heavy Lifting Commercial Gaming, Coming Soon to Linux? 2.6.33 is Out! Say Good Bye to the Anticipatory Scheduler Titanium 1.0: The "App for Building Apps"? The Story of Samba Custom Controls for the iPhone POSIX IO Must Die! Search Terms kerberos bash integrating ldap and kerberos embedded linux security nagios heartbeat udev bandwidth aggregation chatbot bot Tags [?] virtualization linux Android hpc ubuntu wizard boot camp cluster iphone perl ldap View all tags Combining Flexibility with Control: Managing the "Complexity Hell" of Customized Linux Platforms from rPath More » Interview: Intel's Richard Dracott (Part One) Doug Eadline talks with Intel's Richard Dracott, General Manager of the High Performance Computing Organization. IBM Blue Gene is the World's Fastest Supercomputer Doug Eadline visits the IBM booth at SC'07 to get a look at IBM's Blue Gene. Linux Magazine on Facebook Rackspace LinuxMagazine.com is hosted by Rackspace.