
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Web Applications
|
337
use CGI qw(:standard);
my $string = param("string");
echo header;
echo "<b>string</b> = <I>$string</I>\n";
A Perl CGI script normally contains a mixture of HTML print statements and Perl
processing statements.
Web Applications
The Web Application Security Consortium has classified web threats and tried to
standardize their descriptions (http://www.webappsec.org/threat.html). The Open Web
Application Secuity Project (OWASP) describes the top 10 vulnerabilities (http://www.
owasp.org/documentation/topten.html) and how to secure web applications (http://
www.owasp.org/documentation/guide/guide_about.html). All are well worth reading.
Processing Forms
The top risk in the OWASP list is currently unvalidated input. This is most evident in
the workhorse of web applications, form processing.
In the previous section, I showed how to get and echo the value of the form element
named string. I’ll now show how to circumvent this simple code, and how to protect
against the circumvention.
Client-side form checking with JavaScript is a convenience for the user, and it avoids
a round-trip to the server to load a new page with error messages. However, it does
not protect you from a handcrafted form submission with bad data. Here’s a simple
form that lets the web user enter a text string: ...