dcsimg
www.webdeveloper.com
Results 1 to 3 of 3

Thread: Basic FORM Q (cgi/pl)

  1. #1
    Join Date
    Jan 2003
    Location
    CT
    Posts
    9

    Basic FORM Q (cgi/pl)

    (this is more general Q than html or perl, so I posted it here)

    I recently added a feedback form on my site. I put the perl script for it in the cgi/bin, and it's linked-to via a dozen different pages. It works fine, at least seems to, but since I'm not very hip about this aspect of online things (servers etc... I'm fine with HTML, CSS, etc) I had some basic concerns.

    1/ I've read there are exploits to corrupt such files in cgi bins... so I used a script from Perlmongers (it's pretty big... 73K) which is supposed to be secure from such things. Are there simpler scripts that are OK to use... or not? Or is php a better way to go (something I know even LESS about... LOL).Primary question is, what is the worst case thing that could happen here. I'm well aware of the worst case scenarios in the e-mail protocol world. Since I need a password to access my web folders via my ftp program (including the cgi bin), is that enough "protection" or am I being paranoid? I'm most concerned about someone (surreptitiously) re-directing form requests to another e-address, or just dead-ending them or something.

    2/ I'm also wondering about the ability of robots to harvest my e-mail addy from the html of the page my form is on. The perl script I used requires this (standard) hidden value in the html:

    <input type=hidden name="recipient" value="me@mysite.com">

    It's NOT been a BIG problem, but I have gotten spam e-mails to that e-addy (which is ONLY used for that form), and some are even "send-bounce-backs" from spoofs of that e-addy, although I NEVER "send" from it myself. The only way to have gotten a hold of this e-mail addy is from robots scanning servers, etc. Is having the e-mail addy located in that form element a necessity, or are there better ways to format the HTML... encode (hide) it within a few lines of Javascript or something? The perl-script also has that e-mail addy as a value inside the perl script too, but it doesn't work unless it's also in the html as a hidden value (as above).

    Thanks, Jack

  2. #2
    Join Date
    Jul 2003
    Location
    New York City
    Posts
    2,771
    Well, I'm not all that knowledgable about CGI, but you can simply put your email address directly into the CGI script if it's the same one used all the time, and edit the script so it doesn't require that tag. No robot can read it that way. JAVASCRIPT CANNOT HIDE SOURCE CODE!!! In terms of security, it really all comes down to what the script does. If it's simply sending form data to an email address, the worst the script can do is send data to an email address. However, some might hijack your script, such as linking to it from a form on their own website, inserting their email as a hidden input, as you do, and use it that way. But putting your email directly into the script will stop that. If your folder is password protected, then I'd say you are good. Unless you are dealing with sensitive data (like credit cards). If that's the case, then you should be ussing SSL (ie: https://www.yoursite.com) There's only so many security measures that can be put forth within reason.

  3. #3
    Join Date
    Jan 2003
    Location
    CT
    Posts
    9

    RE

    Thanks Bob... I'll look into getting a script that doesn't require that HTML-form tag on the form's page.

    I didn't think I could hide an e-mail addy with JS, but I thought I'd ask. I'm always finding strange obscure ways to do things that surprise me. I didn't know if a JavaScript function might be able to query a remote (hidden) host/file somewhere where a (sorta) "hidden value" (e-mail addy) could be accessed... or if there existed some JS function that used an e-mail addy as variable with a different format structure that robots wouldn't recognize. I understand a little JS... but not all that much.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles