CGI Security Concerns


There are many ways to program for the Web, PHP being one example:
PHP (Hypertext Preprocessor) is an open source, server-side, HTML-embedded scripting language used to create dynamic web pages. In an HTML document, PHP script is enclosed within special PHP tags. Because PHP is embedded within tags, the author can jump between HTML and PHP (similar to ASP.NET and Cold Fusion).
To use PHP, or any of the other approaches, programmers first have to learn a new language in which to write their scripts.
The beauty of CGI is its simplicity and flexibility: we can focus on the database applications instead of learning a new language.
However, the major drawback of CGI is its security weaknesses. To avoid potential attacks, Unix shell metacharacters such as

  • ;: command separator,
  • >: output redirection,
  • <: input redirection,
  • |: pipe,
  • *: matching any string of characters,
  • ?: matching any single character,
  • >>: output redirection (append), and
  • &: running as a background process.

are removed from the web input before it is sent to the JDBC programs. For example, the CGI Perl script CGIDemo.pl includes the following commands to remove metacharacters from $name:
  use CGI;                                      # CGI.pm supplies param() for reading form fields
  my $query = CGI->new;
  my $name = $query->param( 'name' );
  $name =~ s/;|>|>>|<|\*|\?|\&|\|//g;           # strip the shell metacharacters listed above
  system ( "./CGIDemo '$name'" );               # run the separate JDBC front-end program via the shell
where the Perl system function is used to run a separate program. Note that this substitution is a denylist: any character it does not name, including the single quote that delimits $name on the command line and other shell-significant characters such as backquotes, $ and newlines, reaches the shell unchanged. A more robust approach is to validate $name against an allowlist of the characters a name may legitimately contain and to call system with a list of arguments, system('./CGIDemo', $name), which executes the program directly without invoking a shell at all.
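As an added example (not part of the original page or of CGIDemo.pl), the following Perl script puts the page's denylist substitution in a function, adds an allowlist check, and invokes the helper program through the list form of system, which runs it without a shell; the ./CGIDemo path, the name policy, and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist filter as in CGIDemo.pl: strip the Unix metacharacters listed above.
sub strip_metachars {
    my ($value) = @_;
    $value =~ s/;|>|>>|<|\*|\?|\&|\|//g;
    return $value;
}

# Allowlist check: accept only what a name field legitimately needs
# (assumed policy: letters, digits, spaces, apostrophes, hyphens; 1 to 64 chars).
sub is_valid_name {
    my ($value) = @_;
    return defined $value && $value =~ /\A[A-Za-z0-9 '\-]{1,64}\z/ ? 1 : 0;
}

# Run the helper program without a shell. The list form of system() hands
# each element to the program as its own argument, so nothing is parsed
# for metacharacters and no quoting of $name is needed. The path
# ./CGIDemo is assumed; substitute the real JDBC front-end program.
sub run_cgidemo {
    my ($name) = @_;
    die "rejected input\n" unless is_valid_name($name);
    my $status = system('./CGIDemo', $name);
    return $status == 0;
}

# Constructed sample inputs (not taken from the original page).
my @samples = ('Alice', 'Bob;Carol', 'O\'Brien', 'Eve|Frank>out');
for my $input (@samples) {
    printf "%-15s denylist -> %-12s allowlist -> %s\n",
        "[$input]", '[' . strip_metachars($input) . ']',
        is_valid_name($input) ? 'accept' : 'reject';
}
run_cgidemo('Alice') if -x './CGIDemo';
```

The table it prints shows that the denylist leaves the apostrophe in O'Brien untouched while the allowlist still accepts it, which is exactly the case the list form of system handles without any quoting.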