Linking a CGI Script to a Database with Robust Error-Checking

• Reads the name of a database from an HTML form
• Connects to the database specified by the form
• Displays the contents of the title table in the browser

Tasks to Do for this Lab

• Modify the form so that its ACTION attribute calls your edited CGI script.
• Modify the CGI script:
  • If the user entered no database name into the form, set it to the default value test_nile.
  • Check the return value of the eval for a valid database name and a properly-installed DBD driver.
  • Defend your script from database connection failures: Verify that the $dbh variable is defined after the eval returns.

Solution

• Source code
• A form to call the script

Extra for Experts

• CGI programs are entry points into your system.
• Crackers may try to exploit them.
• A cracker will feed your CGI program unexpected input to cause it to perform an unexpected function.

• Details are in the perlsec man page.
• Data from outside the perl script is considered "tainted."
• Tainted data can be tracked and prevented from influencing things like files and commands.
• Perl terminates itself if such an attempt is made.

• In Perl, data is stored in variables.
• Variables containing data from outside the script are considered tainted.
• To untaint a variable, match it with a regular expression pattern.
• Be certain it contains only characters that are "legal".
• Example: untaint a variable containing a phone number:

  # Allow 0-9, white space, (), +, and -
  $phone =~ /( [\d\s()+-]+ )/x;
  $untainted = $1;
  

Advanced Lab

• Continue to edit the script.
• Add the -T flag to the #! line.
• Match the $dbname variable with a regular expression.
• Here's the form from which to call your script.
• If you're stuck, here's the source code.