eXtropia: the open web technology company
introduction to web programming
cgi security  
Okay, so security looms over every webmaster's shoulder like...like...like a big scary looming thing.

As we saw in the prerequisite article "Introduction to Web Programming 101", there is no such thing as a foolproof CGI script or a safe web server.

The minute you give the world access to your inner world is the minute that you introduce security holes. There is no program, web-based or not, that does not introduce a security risk.

However, since most webmasters find it essential to expand their services to include CGI, most webmasters are ready to take an intelligent risk with their CGI scripts.

In other words, though you can never be totally safe, you can certainly make yourself as safe as it gets!

In most cases, that means that though a CGI script might get hacked, the hacker could not do much damage.

The first rule of CGI security is to use one of the standard safe libraries for reading and parsing form input. These include cgi-lib.pl for Perl 4 and 5 or CGI.pm for Perl 5.

These libraries have been around for years and have been tested millions of times by users in every imaginable environment. They have gone through many revisions based on learned experience and take precautions against all sorts of little buggers that you may not think about if you start writing a form handler yourself.

However, once you have read and parsed form data, you must also pay attention to how that data is used and make sure that you do not create a security hole in the data handling.

There are two primary considerations for writing safe CGI scripts as discussed by Lincoln Stein in his SafeCGI presentation available at http://www-genome.wi.mit.edu/~lstein/. These are checking user input and restricting system calls.
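The following is an added example, not code from this tutorial or from Lincoln Stein's presentation, showing both considerations in one small Perl form handler: input is parsed with CGI.pm, validated against a strict pattern, and only then passed to an external command without going through a shell. The parameter name "username" and the finger lookup are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the eXtropia tutorial). The -T switch turns on
# Perl taint mode, which refuses to pass unchecked user data to system
# calls, so a missed check fails loudly instead of silently.
use strict;
use warnings;
use CGI;    # the standard form-parsing library recommended above

# Taint mode insists on a trusted PATH and no shell-influencing variables.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;
print $q->header('text/plain');

# 1. Check user input. Accept only what a username can legitimately
#    contain, and require a letter first so the value can never be taken
#    as a command-line option. Capturing through a regex match is how Perl
#    "untaints" a value; quotes, ';', '|', newlines and so on are rejected
#    here, before the data goes anywhere.
my $raw = $q->param('username') // '';
my ($user) = $raw =~ /\A([A-Za-z][A-Za-z0-9_-]{0,31})\z/
    or do { print "Invalid username.\n"; exit 0 };

# 2. Restrict system calls. Never hand user data to a shell:
#        system("finger $user");      # string form: shell parses it
#    The list form below passes the arguments straight to the program,
#    so no shell ever sees them (assumed lookup command for illustration).
open(my $fh, '-|', 'finger', $user)
    or do { print "Lookup failed.\n"; exit 0 };
my @out = <$fh>;
close $fh;

if (@out) {
    print @out;
} else {
    print "No such user.\n";
}
```

With taint mode on, removing the regex check makes the `open` die with an "Insecure dependency" error rather than run, which is a useful safety net during development.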
