Chapter 3 Lab
Linking a CGI Script to a Database with Robust Error-Checking
This CGI script:
- Reads the name of a database from an
- Connects to the database specified by the form
- Displays the contents of the title table in the browser
Tasks to Do for this Lab
- Modify the form so that its ACTION attribute calls your edited CGI script.
- Modify the CGI script:
- If the user entered no database name into the form,
set it to the default value test_nile.
- Check the return value of the eval for a valid database name
and a properly-installed DBD driver.
- Defend your script from database connection failures:
Verify that the $dbh variable is defined after the eval returns.
Extra for Experts
CGI programs on Web servers raise some security concerns:
A Perl feature addresses these concerns -- tainting:
- CGI programs are entry points into your system.
- Crackers may try to exploit them.
- A cracker will feed your CGI program unexpected input
to cause it to perform an unexpected function.
To be secure, data must be untainted:
- Details are in the
- Data from outside the perl script is considered "tainted."
- Tainted data can be tracked and prevented from influencing
things like files and commands.
- Perl terminates itself if such an attempt is made.
- In Perl, data is stored in variables.
- Variables containing data from outside the script are
- To untaint a variable, match it with a regular expression pattern.
- Be certain it contains only characters that are "legal".
- Example: untaint a variable containing a phone number:
# Allow 0-9, white space, (), +, and -
$phone =~ /( [\d\s()+-]+ )/x;
$untainted = $1;
Untaint the db_name form variable:
- Continue to edit the script.
- Add the -T flag to the #! line.
- Match the $dbname variable with a regular expression.
- Here's the form from which to call your script.
- If you're stuck, here's the
Dan Keller Technical Services © 2000