jack22
06-05-2004, 10:17 PM
(this is more general Q than html or perl, so I posted it here)
I recently added a feedback form on my site. I put the perl script for it in the cgi/bin, and it's linked to via a dozen different pages. It works fine, at least seems to, but since I'm not very hip about this aspect of online things (servers etc... I'm fine with HTML, CSS, etc) I had some basic concerns.
1/ I've read there are exploits to corrupt such files in cgi bins... so I used a script from Perlmongers (it's pretty big... 73K) which is supposed to be secure from such things. Are there simpler scripts that are OK to use... or not? Or is php a better way to go (something I know even LESS about... LOL).
Primary question is, what is the worst case thing that could happen here. I'm well aware of the worst case scenarios in the e-mail protocol world. Since I need a password to access my web folders via my ftp program (including the cgi bin), is that enough "protection" or am I being paranoid? I'm most concerned about someone (surreptitiously) re-directing form requests to another e-address, or just dead-ending them or something.
2/ I'm also wondering about the ability of robots to harvest my e-mail addy from the html of the page my form is on. The perl script I used requires this (standard) hidden value in the html:
<input type=hidden name="recipient" value="me@mysite.com">
It's NOT been a BIG problem, but I have gotten spam e-mails to that e-addy (which is ONLY used for that form), and some are even "send-bounce-backs" from spoofs of that e-addy, although I NEVER "send" from it myself. The only way to have gotten a hold of this e-mail addy is from robots scanning servers, etc. Is having the e-mail addy located in that form element a necessity, or are there better ways to format the HTML... encode (hide) it within a few lines of Javascript or something? The perl-script also has that e-mail addy as a value inside the perl script too, but it doesn't work unless it's also in the html as a hidden value (as above).
Thanks, Jack
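Both of Jack's concerns come from the same design choice: the raw destination address lives in the HTML as the hidden "recipient" value, so harvesters can read it and anyone who edits the form can point the script at a different address. The usual fix is to keep the real addresses only on the server and let the HTML carry an opaque token that the script looks up in an allow-list, refusing anything it does not recognize. The following is an added example written for this thread, not Jack's script or the Perlmongers one; the addresses are placeholders, and actually handing the message to sendmail or SMTP is left to whatever the existing script already does.

```perl
#!/usr/bin/perl
# Added example (not the poster's script): recipient allow-list and header
# checks for a feedback-form CGI.  The HTML never contains a real address,
# and a tampered "recipient" field cannot redirect the form elsewhere.
use strict;
use warnings;

# Server-side map from an opaque form token to the real destination.
# Assumption: placeholder addresses; replace with your own.
my %RECIPIENTS = (
    feedback => 'feedback@example.com',
    sales    => 'sales@example.com',
);

# The page then carries only the token:
#   <input type="hidden" name="recipient" value="feedback">
sub resolve_recipient {
    my ($token) = @_;
    return undef unless defined $token && $token =~ /\A[a-z0-9_-]{1,32}\z/;
    return $RECIPIENTS{$token};      # undef for anything not in the allow-list
}

# Header values must stay on one line; a submitted value containing CR or LF
# would otherwise let extra header lines into the outgoing mail.
sub clean_header_value {
    my ($value) = @_;
    return '' unless defined $value;
    $value =~ s/[\r\n]+/ /g;         # flatten line breaks
    $value =~ s/[^\x20-\x7e]//g;     # drop control and non-ASCII bytes
    return substr($value, 0, 200);   # keep it bounded
}

# Conservative check on the visitor's reply address: one "@", no whitespace
# or angle brackets, a dotted domain part.
sub valid_reply_address {
    my ($addr) = @_;
    return defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Assemble the message from already-checked values.  Returns (message, undef)
# on success or (undef, reason) when the submission is refused.
sub build_message {
    my (%p) = @_;
    my $to = resolve_recipient($p{recipient});
    return (undef, 'unknown recipient token') unless defined $to;
    return (undef, 'invalid reply address')   unless valid_reply_address($p{email});

    my $subject = clean_header_value($p{subject}) || 'Feedback form';
    my $body    = defined $p{message} ? $p{message} : '';
    my $msg = join "\n",
        "To: $to",
        "From: feedback-form\@example.com",   # fixed sender; the site never sends "as" the visitor
        "Reply-To: $p{email}",
        "Subject: $subject",
        '',
        $body;
    return ($msg, undef);
}

# Constructed sample submissions showing the checks in action.
my ($ok, $err) = build_message(
    recipient => 'feedback',
    email     => 'visitor@example.org',
    subject   => "Hello\r\nsecond line",    # line break gets flattened into the subject
    message   => 'Nice site.',
);
print defined $ok ? "accepted:\n$ok\n" : "rejected: $err\n";

my ($ok2, $err2) = build_message(
    recipient => 'someone@elsewhere.example',   # raw address instead of a token
    email     => 'visitor@example.org',
    message   => 'should not be delivered',
);
print defined $ok2 ? "accepted:\n$ok2\n" : "rejected: $err2\n";
```

With this layout the address in the HTML problem goes away entirely, since there is nothing to harvest, and the FTP password question becomes less central: the thing that decides where mail goes is the allow-list in the script, not a value a visitor can edit in the page.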