CGI Security Concerns
There are many ways to program for the Web such as PHP:
PHP is an HTML embedded scripting language used to create dynamic web pages.
In an HTML document, PHP script is enclosed within special PHP tags.
Because PHP is embedded within tags, the author can jump between HTML and PHP.
To use PHP or any other approaches, developers have to learn how to write the scripts in PHP or another language.
The simplicity and flexibility are the beauty of CGI.
Therefore, we can focus on the database applications instead of learning a new language.
However, the major drawback of CGI is its security flaw.
To avoid potential security attacks, some Unix/Linux metacharacters such as
; : command separator,
> : output redirection,
< : input redirection,
| : pipe,
|
* : matching any string of characters,
? : matching any single character,
>> : output redirection, and
& : running as a background process.
|
are removed from the web input before sending them to the JDBC programs.
For example, the CGI Perl script ListTitles.pl
includes the following commands to remove metacharacters from $name
:
$name = $query->param( 'name' );
$name =~ s/;|>|>>|<|\*|\?|\&|\|//g;
$cmd = "/usr/bin/java ";
system( $cmd . "ListTitles '$name'" );
where the Perl system function is used to run a separate program.
A leopard can’t change his spots.
|