Phoenix.pm: New meeting place

David Sinck sinck at ip100.starwarz.org
Thu Sep 2 18:29:43 CDT 1999



\_ I'm very interested in this thread.  However, I don't have
\_ the time to become 'one' with the manual, David. ;-)
\_ 
\_ What exactly is the 'major security risk'?  Can someone
\_ explain it in basic terms?

Depends, among other things, if you like having your variables
clobbered.  

Suppose you have a variable 

$a = 1;

and it actually does something important.  Now, further suppose you go
put the CGI params in your namespace.  $a could be clobbered.  But,
you say, "I don't use 'a' as a CGI variable."  And that may in fact be
true.  But that doesn't support someone else from hacking your HTML
and *adding* the variable to the list.  So, kiss $a goodbye.  Now, if
you have something that actually gets eval'd or something like
that...presto! arbitrary code running on your server.  Everyone who's
now nervous, please stand up.

There are probably other issues, but that's a good one to get your
attention.  :-)

\_ Also, does the same risk hold true for the way my company is
\_ currently doing it (with the foreach routine below)?
Quick analysis: I think it does.

David
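The clobbering and the eval danger described above, as an added example that is not code from the original post or from the poster's company. It assumes a script that relies on package variables named `$is_admin` and `$discount`, a "foreach routine" that writes every parameter into the namespace through a symbolic reference (the same thing CGI.pm's `import_names` does without a prefix), and a constructed query string in which the client has added `is_admin` and put Perl code into `discount`. `parse_query()` is a stand-in for `$q->param` so the script runs without CGI.pm installed.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: importing CGI
# parameters into the package namespace lets a client clobber any
# variable the script relies on, and an eval of such a variable runs
# the client's code.  The query string is constructed for the example;
# parse_query() is a stand-in for CGI.pm's param() so the script runs
# without CGI.pm installed.
use strict;
use warnings;

# Constructed request.  The script expects "name" and "discount"; the
# client has simply added "is_admin" and put Perl code into "discount".
my $query_string = 'name=alice&is_admin=1'
                 . '&discount=%28print+%22client+code+ran%5Cn%22%29*0';

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Minimal x-www-form-urlencoded parser (stand-in for $q->param).
sub parse_query {
    my ($qs) = @_;
    my %params;
    for my $pair (split /&/, $qs) {
        my ($k, $v) = split /=/, $pair, 2;
        $params{ url_decode($k) } = url_decode(defined $v ? $v : '');
    }
    return %params;
}

# Variables the script relies on.  They are package variables, which is
# exactly what a symbolic-reference import writes to.
our $is_admin = 0;
our $discount = 0;

# The risky "foreach routine": every parameter becomes a global of the
# same name, whether or not the script ever asked for it.
sub import_params_into_namespace {
    my %params = @_;
    no strict 'refs';
    for my $name (keys %params) {
        ${"main::$name"} = $params{$name};    # i.e. $$name = $value
    }
}

import_params_into_namespace(parse_query($query_string));
print "is_admin after import: $is_admin\n";    # 1, chosen by the client

# Worse: anything later eval'd with that variable runs client code.
# $discount is now '(print "client code ran\n")*0', so this prints the
# client's message before yielding 100.
my $price = eval "100 - $discount";
print "price: $price\n";

# Safer: leave the parameters in their own hash, copy out only the
# names you expect, validate each one, and never eval request data.
sub handle_request_safely {
    my %params = @_;
    my $name = defined $params{name} ? $params{name} : '';
    my $disc = (defined $params{discount} && $params{discount} =~ /^\d{1,2}$/)
             ? $params{discount} : 0;
    my $admin = 0;                             # never taken from the request
    return { name => $name, is_admin => $admin, price => 100 - $disc };
}

my $result = handle_request_safely(parse_query($query_string));
print "safe handler: is_admin=$result->{is_admin} price=$result->{price}\n";
```

The first half shows both halves of the post's argument: the extra `is_admin` parameter overwrites the script's own variable, and once `$discount` is under the client's control, the `eval` executes whatever they sent. The safe handler keeps the request in `%params`, pulls out only the two expected names, rejects a `discount` that is not one or two digits, and computes with the value rather than eval'ing it, so the same request yields `is_admin=0` and `price=100`.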


