Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Perl files getting accessed directly

Status
Not open for further replies.

Limbomusic

Technical User
Jun 6, 2023
1
0
0
NO
Hello. I just registered. I just wanna tell somebody about a nuisance/problem with my perl script on my webserver which I finally got fixed. For those who really know perl this is gonna be boring probably - but maybe this can help other newbees with same problem.

I have a "feedback page" - u can put in name/webadress/comment in the fields in an html-form page. Which sends the info to a perl script. (which sends that input to another html-page)

Now - if I look at the webserver log file, bots/programs probably sniff out .pl files (?) and accesses them directly - like "
This happened. Not very frequently - but often. So when I went a html-page (on my webserver) with the results of the feedback-page there would be some EMPTY posts.

Now - this was not the end of the world but it still nagged me. Is there a fix? Yes.

This line:

[tt]if(defined $cgi->param('navn')){[/tt]

As long as that line was before the argument - NO NEW ENTRY was created.
('navn' refers to the scalar name)

IF someone (like me - I tested it) DID write the exact location of the .pl file in a browser - one would just get an "Internal server error" - which I wanted - but before I added the line - the script would create an empty post in the html page.

NO EMPTY POSTS have been added since I inlcuded that line in the script !

This is my script:
------------------------
[tt]#!C:\Perl64\site\bin\perl.exe
use strict;
use warnings;
use HTML::Entities;
use CGI;
use Time::piece;

my $cgi = CGI->new();

my $dato = localtime->strftime('%d-%m-%Y');
my $navn = $cgi->param('navn');
my $kommentar = $cgi->param('kommentar');

my $navn = encode_entities($navn, '<>&"');
my $kommentar = encode_entities($kommentar, '<>&"');

open(my $fh, '>>', 'skryt.html');
if(defined $cgi->param('navn')){
print "Content-type:text/html\r\n\r\n";
print $fh "<HR color=#008000 SIZE=2>\n Navn: <b>$navn</b> Kommentar: <b>$kommentar</b> Dato: $dato";
print "<html><head><meta http-equiv = 'refresh' content = '0; url = skryt.html' /></head>";}
else {(die)}
close $fh;[/tt]
------------------------

Probably an "off beat" problem but should be known.

Any security issues?

My webserver:
Old Windows 10 PC
webserver program: hiawatha cgi enabled
website: (in norwegian - sorry) (to view english example script/html form )

Music: Or search for Limbomusic on utube.
Cheers.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top