Your CGI script receives form fields as name-value pairs without any information as to what type of visual form element generated the values. Your CGI script must know the names of the input variables whose values it is going to validate. Having the names supplied to the script based on untrusted user input is risky IMHO—that includes using another field whose value is the name of the radio group.
Say you have a variable called contact_me which can take on the values "yes" and "no". There is absolutely no reason for your CGI script to care whether the value was provided using <select name="contact_me"> with the options "Please do!" and "Oh no!", using a radio group, or whether the user typed her answer into a text field. The only thing your CGI script needs to concern itself with is whether the value of contact_me is "yes" or "no". It looks like you do not have a firm grasp of CGI. Please see The World Wide Web Security FAQ: CGI (Server) Scripts as a starting point.
Please stop all of your CGI development until you understand the ramifications. I retract this remark in light of your comments clarifying the use of a config file to define parameter names (which, in principle, is orders of magnitude safer).
Okay thank you! So it is not possible to see types. Would an alternative be to have a default radio with the same name to something that would trigger a failure, when I use the config file as a basis and make it default to a generic? Or do the hidden field way? – Tyug Mar 9 '10 at 19:51

@Tyug: First, there are no types. You are confusing a user interface element with a type. Second, I have no idea what you mean with the sentence "Would an alternative be to have a default radio with the same name to something that would trigger a failure, when I use the config file as a basis and make it default to a generic?" Finally, don't trust information submitted to your CGI script to determine how the CGI script should validate inputs. Maybe you should explain why you cannot use a known name for the radio group. – Sinan Ünür Mar 9 '10 at 20:08

Oh.. my bad for not being clear. I understand that there are no types. The second part is my thought of an alternative, which is to append another radio if there is none that is defaulted to, thus guaranteeing that there will be a value in the radio group. The reason why I cannot know the name of the radio group is because they change depending on the config file chosen. Sometimes they might not even be there, and sometimes there may be more due to the dynamic form. I also do not know which config they will use. – Tyug Mar 9 '10 at 22:58

@Tyug I think it is time for you to formulate a coherent question collecting all these tidbits into something that fits together. What config file? Who are they? Think about these and write up a new question. You seem to have an X-Y problem: catb.org/~esr/faqs/smart-questions.html#explicit – Sinan Ünür Mar 9 '10 at 23:25

Nope, I understood where I went wrong, and a better, safer way of avoiding the problem. Thanks to your security link. It was a helpful read. – Tyug Mar 10 '10 at 14:09
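The point of the answer above in working code, as an added example that is not part of the original post or its comments: the script holds its own definition of which field names exist and which values each may take (the thread's config file, represented here by an inline dict), validates every submission against that, and treats a missing or extra field as an error rather than relying on the browser to have selected a default radio button. The field names, the allowed values and the query strings are all constructed for this example. For contrast, unsafe_lookup mirrors the proposed $cgi->param($cgi->param("radiogroup_name")) pattern, where the request itself names the field the script will read.

```python
"""Added example: validate CGI form fields against a fixed server-side spec.

Everything here is constructed for illustration: the field names, the
allowed values and the sample query strings are assumptions, not taken
from the original post.
"""
from urllib.parse import parse_qs

# Server-side definition of the form. The script knows every field name
# and the closed set of values each may take; this stands in for the
# config file mentioned in the thread (assumption).
FORM_SPEC = {
    "contact_me": {"yes", "no"},
    "newsletter": {"weekly", "monthly", "never"},
}


def validate_form(query_string, spec=FORM_SPEC):
    """Return {field: value} for a submission that matches the spec exactly.

    Raises ValueError for a field the spec does not list, a missing field,
    a repeated field, or a value outside the allowed set. A radio group with
    nothing selected is simply absent from the submission, so "missing" is
    a client-side problem the server must reject, not default away.
    """
    params = parse_qs(query_string, keep_blank_values=True)

    unknown = set(params) - set(spec)
    if unknown:
        raise ValueError(f"unexpected field(s): {sorted(unknown)}")

    clean = {}
    for name, allowed in spec.items():
        values = params.get(name, [])
        if len(values) != 1:
            raise ValueError(f"{name}: expected exactly one value, got {len(values)}")
        if values[0] not in allowed:
            raise ValueError(f"{name}: value {values[0]!r} not in {sorted(allowed)}")
        clean[name] = values[0]
    return clean


def unsafe_lookup(query_string):
    """The pattern proposed in the comments, shown only as a contrast.

    The request supplies the name of the field to read, so whoever builds
    the request (a browser, or curl/wget) decides which field the script
    inspects. Equivalent to $cgi->param($cgi->param("radiogroup_name")).
    """
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("radiogroup_name", [""])[0]
    return params.get(target, [])


if __name__ == "__main__":
    print(validate_form("contact_me=yes&newsletter=never"))
    for bad in ("newsletter=never",                      # radio group absent
                "contact_me=maybe&newsletter=never",     # value outside the set
                "contact_me=yes&newsletter=never&radiogroup_name=contact_me"):
        try:
            validate_form(bad)
        except ValueError as err:
            print("rejected:", err)
    # The client, not the script, picks the field here (constructed request).
    print(unsafe_lookup("radiogroup_name=is_admin&is_admin=1"))
```

validate_form never consults the request to decide what to validate; the only thing that varies between config files is the contents of FORM_SPEC, which is loaded on the server and never sent by the client. Whether the request arrived via GET or POST makes no difference to any of this.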
Pass another hidden input field containing the name of the radio group, then just read @values = $cgi->param($cgi->param("radiogroup_name")); # IIRC. – Tyug Mar 9 '10 at 19:45

@Tyug Whether a field is hidden is a user interface choice. I am afraid you do not know enough to know what you don't know when it comes to CGI programming. What happens in your script when someone types example.com/shoot-myself-in-the-foot.pl?...? – Sinan Ünür Mar 9 '10 at 20:09

@Tyug I guess you have not heard of wget or curl or even the Web Developer plugin for Firefox? You know what: Feel free to do whatever you want. But I have to point out that there is no good reason the server side script should not know the names of the inputs. – Sinan Ünür Mar 9 '10 at 22:48

@Tyug => POST doesn't protect you, it's just marginally harder to spoof – Eric Strom Mar 9 '10 at 22:48