CGI Security Issues

Written by Richard Lowe

When you are creating or using CGI routines, you must be careful to keep good coding techniques, security and just plain common sense in mind. Sometimes you can do things that cause serious unexpected side effects. In fact, sometimes you may think you are making your CGI routine secure only to find out it just doesn't work the way you expected.

A good example of this phenomenon is a simple CGI routine called FormMail. It was written a number of years ago by a fellow named Matt Wright to allow data to be entered in a form and then emailed to a recipient.

I first looked at FormMail because I wanted to cut down on spam. You see, my web site had my email address embedded on every single page. I thought this was a good idea to allow people to send me an email message when they wanted to contact me. In fact, all of the web design books indicate that all good web sites include an email link of this kind.

I soon discovered, much to my horror, that spammers use special programs called spam harvesters to scan websites for email addresses. They add these addresses to their mailing lists and resell them over and over. The result was a large increase in the amount of spam that I received.

After much research, I came to the conclusion that the best defense against spam robots was to simply stop including my email address on my web sites. This left the question of how to allow users to contact me when they had questions or comments.

The answer is simple - use a form. The advantage is that the email address is hidden within the CGI routine or a text file, and it is simply not possible for a spam harvester to pick it up. As long as the email address is coded into the CGI routine or stored in a database, you are relatively secure.

However, many people use FormMail in a different way. Let's say you want to allow your visitors to "tell a friend" about your site. So you include a form which allows visitors to enter their message and a target email address. If you are not very careful, you could find that you have set yourself up as a spam relay.

You see, spammers are always looking for ways to hide their identity. One common method is to search the internet for occurrences of FormMail. Sometimes I wonder if spammers rub their hands together in glee when they find sites which use FormMail with user-entered email addresses.
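The difference between the safe use of a mail form (address coded into the routine) and the relay-prone use (address typed in by the visitor) comes down to one design decision in the handler. The following Python mail-form handler is an added example written for this article; it is not FormMail and not Matt Wright's code. The form sends only a destination key (`dest`), which the script maps to an address configured inside it, so a `recipient` field supplied by the visitor is simply ignored. The addresses, field names and regular expressions are assumptions made for the example.

```python
import re
from email.message import EmailMessage

# Constructed configuration. The real addresses live only here, inside the
# routine, never in the HTML that visitors (and spam harvesters) can read.
RECIPIENTS = {
    "webmaster": "webmaster@example.org",   # placeholder address
    "support": "support@example.org",       # placeholder address
}

SENDER = "forms@example.org"                # fixed From address, placeholder

# What a header field may contain: one line of bounded length, no CR or LF.
_HEADER_FIELD = re.compile(r"[^\r\n]{1,200}")
# Deliberately simple address shape; enough to reject junk without a full parser.
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate(form):
    """Return None if the submission may be delivered, else the reason it is refused.

    'dest' selects one of the configured recipients by key. Any address-like value
    the visitor supplies for the destination is ignored, which is what removes the
    relay behaviour of a script that delivers to a 'recipient' field taken
    straight from the form.
    """
    if form.get("dest") not in RECIPIENTS:
        return "unknown destination"
    if not _ADDRESS.fullmatch(form.get("email", "")):
        return "invalid sender address"
    if not _HEADER_FIELD.fullmatch(form.get("subject", "")):
        return "invalid subject"
    if not form.get("message", "").strip():
        return "empty message"
    return None


def build_message(form):
    """Turn a validated submission into the email the routine would send."""
    problem = validate(form)
    if problem is not None:
        raise ValueError(problem)
    msg = EmailMessage()
    msg["From"] = SENDER                      # never the visitor's address
    msg["Reply-To"] = form["email"]           # so the webmaster can still answer
    msg["To"] = RECIPIENTS[form["dest"]]      # looked up, never copied from the form
    msg["Subject"] = form["subject"]
    msg.set_content(form["message"])
    return msg


if __name__ == "__main__":
    # Constructed submission. The 'recipient' field is present to show that the
    # handler does not honour it; only 'dest' decides where the mail goes.
    submission = {
        "dest": "support",
        "recipient": "somebody-else@example.net",
        "email": "visitor@example.net",
        "subject": "Question about your site",
        "message": "Hello, how do I subscribe to the newsletter?",
    }
    print(build_message(submission).as_string())
```

The "tell a friend" feature from the article cannot be built on this handler without reintroducing the relay, which is exactly the point: if the visitor must be able to name the destination, the script is an open relay by design, and the only real fix is not to offer that feature through an unauthenticated form.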

CGI: What the Heck Is That?

Written by Richard Lowe

Let's unlock a little bit of the mystery about something called CGI. If it helps any, CGI means Common Gateway Interface. This is a method which is used to exchange data between the server (the hardware and software that actually allows you to get to your web site) and a web client (your browser). CGI is actually a set of standards by which a program or script (a series of commands) can receive data from, and send data back to, the web server, where it can be processed.

Typically, you use standard HTML tags to get data from a person, then pass that data to a CGI routine. The CGI routine then performs some action with the data.

Some of the more common uses of CGI include:

- Guestbooks - The CGI routine is responsible for accepting the data, ensuring it is valid, sending an email acknowledgement back to the writer, perhaps sending an email to the webmaster, and creating the guestbook entry itself.

- Email Forms - A simple CGI forms routine just formats the data into an email and sends it to the webmaster. More complicated routines can maintain a database, send an acknowledgement and validate data.

- Mailing List Maintenance - These routines allow visitors to subscribe to and unsubscribe from a mailing list. In this case, the CGI routine maintains a database of email addresses, and the better ones send acknowledgements back to the visitor and webmaster.

A CGI routine can be anything which understands the CGI standard. A popular CGI language is called Perl, which is simple to understand and use (well, compared to other languages). Perl is a scripting language, which means each time a Perl routine is executed the server must interpret the Perl commands to determine what to do. In contrast, a compiled language such as C++ or Visual Basic can be directly executed, which is faster and more efficient.

Okay, in a nutshell (and greatly simplified), here's how it works:

1) You (the webmaster) specify a form tag which includes the name of the CGI routine.

2) You create HTML tags which retrieve data from your visitors.
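To make the two steps above concrete, here is the other side of the exchange: the routine that the form tag names, and what it does with the data the HTML tags collected. This is an added example in Python (the article's own language of choice is Perl), not code from the article; the script path `/cgi-bin/guestbook.py`, the field names and the size limits are assumptions. It follows the CGI convention that a GET request's data arrives in the `QUERY_STRING` environment variable and a POST request's data arrives on standard input, `CONTENT_LENGTH` bytes long, and it returns the reply as header lines, a blank line, then the body.

```python
import html
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024        # assumed upper bound on a form submission, in bytes
MAX_FIELDS = 50             # assumed upper bound on distinct form fields


def content_length(environ):
    """CONTENT_LENGTH as an int, refusing malformed, negative or oversized values."""
    try:
        length = int(environ.get("CONTENT_LENGTH", "0") or "0")
    except ValueError:
        raise ValueError("malformed CONTENT_LENGTH")
    if length < 0 or length > MAX_BODY:
        raise ValueError("request body too large")
    return length


def read_form(environ, body=b""):
    """Return the submitted fields as {name: first value}.

    GET data is taken from QUERY_STRING; POST data is the first CONTENT_LENGTH
    bytes of standard input, which the caller passes in as 'body'.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        ctype = environ.get("CONTENT_TYPE", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError("unsupported content type")
        raw = body[:content_length(environ)].decode("utf-8", errors="replace")
    elif method == "GET":
        raw = environ.get("QUERY_STRING", "")
    else:
        raise ValueError("unsupported request method")
    # parse_qs decodes %XX escapes and '+', and refuses more than MAX_FIELDS fields.
    fields = parse_qs(raw, keep_blank_values=True, max_num_fields=MAX_FIELDS)
    return {name: values[0] for name, values in fields.items()}


def render_response(fields):
    """The complete CGI reply: header lines, a blank line, then the HTML body.

    Everything the visitor typed is HTML-escaped before it is echoed back.
    """
    items = "".join(
        f"<li>{html.escape(name)}: {html.escape(value)}</li>"
        for name, value in fields.items()
    )
    body = f"<html><body><h1>Thank you</h1><ul>{items}</ul></body></html>\n"
    return "Content-Type: text/html; charset=utf-8\r\n\r\n" + body


# The HTML side: the form tag names the CGI routine (step 1) and the input tags
# collect the visitor's data (step 2). Constructed for this example.
SAMPLE_FORM = """<form method="post" action="/cgi-bin/guestbook.py">
  Name: <input name="name">
  Comment: <textarea name="comment"></textarea>
  <input type="submit" value="Sign">
</form>"""


if __name__ == "__main__":
    # Run by a web server, the request arrives in the environment and on stdin.
    try:
        posted = b""
        if os.environ.get("REQUEST_METHOD", "").upper() == "POST":
            posted = sys.stdin.buffer.read(content_length(os.environ))
        sys.stdout.write(render_response(read_form(os.environ, posted)))
    except ValueError as err:
        sys.stdout.write("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
                         + str(err) + "\n")
```

The size and field-count limits and the fixed content type are the checks a practitioner adds before trusting anything a browser sends; they are not part of the CGI standard itself, which only defines how the data and the reply are passed between server and script.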

© 2005