Read W3's CGI Security FAQ:
[w3.org...]
#1 rule in CGI programming -- check your inputs, and remember you have no control over what you get sent (i.e. hidden inputs aren't hidden).
Sean
So, I use CGI.pm - can someone point me to a page or give me some advice on security features of this module that I can use? Or, how do I prevent unwanted characters/symbols and file extensions (e.g. .exe) from being entered into my input fields?
M.
1. Regular expression to exclude the following symbols ; > < & * ` | ! $
2. -T (taint) switch appended to the shebang line
3. $CGI::POST_MAX = **** to limit incoming data
4. $CGI::DISABLE_UPLOADS = 1 to disable uploads
Is this enough?
Thanks,
Maynard.
1. Regular expression to exclude the following symbols ; > < & * ` | ! $
It's best to take the opposite approach, and only allow what you want, rather than excluding what you don't:
$email =~ s/[^\w@\.\+]//g; # only alphanums, @, ., and +
$onelinetextstring =~ s/[^\w \.,]//g; # similar
Works well with taint mode, too, since you have to apply a regexp anyway.
Sean
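Putting the two posts together, here is a complete CGI.pm handler that applies Maynard's four measures (taint mode, $CGI::POST_MAX, $CGI::DISABLE_UPLOADS, input filtering) using Sean's allow-list style. This is an added example, not code from the thread or from CGI.pm's documentation; the field names (email, comment, attachment), the 10 KiB POST_MAX value and the allowed file extensions are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): CGI.pm handler combining taint mode,
# a request size cap, disabled uploads and allow-list input validation.
use strict;
use warnings;
use CGI;

# Under -T, Perl refuses to run external commands until PATH is untainted
# and the dangerous environment variables are gone.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Cap the request body and refuse multipart uploads entirely.
$CGI::POST_MAX        = 10 * 1024;   # 10 KiB (assumed value; the thread leaves it open)
$CGI::DISABLE_UPLOADS = 1;

my $q = CGI->new;

# If the body exceeded POST_MAX (or an upload was attempted), CGI.pm records
# the error in cgi_error() and supplies no parameters at all.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err), "Request rejected: $err\n";
    exit;
}

# Allow-list validators.  Each returns the accepted value or undef.
# Under -T only data captured by a regex match becomes untainted; a s///
# that strips characters leaves the string tainted, so each validator
# anchors the pattern to the whole value and captures it.
my %validate = (
    # e-mail: Sean's character class, anchored and length-bounded
    email => sub { $_[0] =~ /\A([\w@.+]{1,254})\z/ ? $1 : undef },
    # one-line text: word characters, spaces, dots, commas
    comment => sub { $_[0] =~ /\A([\w .,]{1,200})\z/ ? $1 : undef },
    # filename: safe stem plus an extension from a fixed list; .exe and
    # every other extension simply fail to match (assumed list)
    attachment => sub { $_[0] =~ /\A([\w-]{1,64}\.(?:txt|pdf|png))\z/i ? $1 : undef },
);

my (%clean, @bad);
for my $field (sort keys %validate) {
    my $raw = scalar $q->param($field);   # scalar context: one value per field
    next unless defined $raw;
    my $ok = $validate{$field}->($raw);
    if (defined $ok) {
        $clean{$field} = $ok;             # untainted, safe to pass on
    } else {
        push @bad, $field;                # reject, do not "repair" the input
    }
}

print $q->header('text/plain');
if (@bad) {
    print "Rejected fields: @bad\n";
} else {
    print "Accepted $_ => $clean{$_}\n" for sort keys %clean;
}
```

The design point worth noticing is that rejecting a field that fails its allow-list is safer than silently stripping characters: stripping can turn one bad value into a different, still-unexpected one, and under -T it does not untaint anything, whereas the anchored capture both validates and untaints in a single step.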