I'm also new here and also concerned about CGI script security.
I have one question:
Is there any way to prevent people from changing the source code and submitting the form (detect the URL that the POST request is coming from)?
[edited by: phranque at 1:46 pm (utc) on May 10, 2008]
$mydomain = "example.com";
# Anchor the pattern at the start and quote the domain so its dot is matched literally.
die unless $ENV{HTTP_REFERER} =~ m{^http://(www\.)?\Q$mydomain\E/};
However, there are other methods to secure a script and prevent hacking; you should do those as well.
Other security methods include:
1) Use a regex on values from GET, POST, etc. to remove anything besides the characters you expect, i.e. so an ID field only contains the digits 0-9.
2) Sanitize values that become part of MySQL commands; there are functions for this sort of thing.
3) Have the form generated by Perl also, and put a timestamp or other unique value in there. The script then checks that it's a valid value, for example that the timestamp is less than, say, 20 minutes old.
Basically, assume people are going to feed bad data into your Perl script, either on purpose or to try and hack in, so make it as secure as you can.
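The timestamp-in-the-form idea from step 3 and the digits-only check from step 1, as an added Perl example that is not the poster's code: it assumes Digest::SHA (a core module) and a server-side secret $SECRET that would in practice be loaded from a file outside the web root. For step 2, DBI placeholders (`?` in the SQL, values passed to execute) do the sanitizing for you.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed placeholder secret; keep the real one out of the script and web root.
my $SECRET  = 'replace-with-a-long-random-secret';
my $MAX_AGE = 20 * 60;   # tokens older than 20 minutes are rejected

# Called when the Perl script generates the form: value for a hidden field.
# The HMAC ties the timestamp to the server, so a visitor cannot mint their own.
sub make_form_token {
    my ($now) = @_;
    $now //= time;
    return "$now:" . hmac_sha256_hex($now, $SECRET);
}

# Called when the form is posted back: checks the MAC first, then the age.
sub check_form_token {
    my ($token, $now) = @_;
    $now //= time;
    return 0 unless defined $token && $token =~ /^(\d+):([0-9a-f]{64})$/;
    my ($ts, $mac) = ($1, $2);
    return 0 unless $mac eq hmac_sha256_hex($ts, $SECRET);   # altered or forged
    return 0 if $ts > $now || $now - $ts > $MAX_AGE;          # future or expired
    return 1;
}

# Whitelist check for an ID field: only 1-10 digits are accepted (step 1).
sub clean_id {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /^([0-9]{1,10})$/;
    return $1;
}

# Demo with constructed input.
my $token = make_form_token();
print "fresh token valid:  ", (check_form_token($token) ? "yes" : "no"), "\n";
print "stale token valid:  ", (check_form_token($token, time + 21 * 60) ? "yes" : "no"), "\n";
(my $altered = $token) =~ s/^\d+/0/;          # change the timestamp, keep the MAC
print "altered token valid: ", (check_form_token($altered) ? "yes" : "no"), "\n";
print "id '42'    -> ", (clean_id('42')    // 'rejected'), "\n";
print "id '42abc' -> ", (clean_id('42abc') // 'rejected'), "\n";
```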