SPUG: SDBM & CGI request for information and pointers
Yitzchak Scott-Thoennes
sthoenna at efn.org
Wed Oct 6 11:44:12 CDT 2004
On Wed, Oct 06, 2004 at 01:05:07AM -0700, "Michael R. Wolf" <MichaelRWolf at att.net> wrote:
> I got this question from a friend of mine, wondering where he could post
> such a question. I don't know the answers. Do you?
How about http://perlmonks.org/?node=Seekers%20of%20Perl%20Wisdom
> 1 - Where can I learn more about the Perl "sdbm" database - the one
> that ties hashes to a file? I've discovered that it's easily
> corruptable by assigning a large (e.g., 1000-byte) value to a
> key. But I have no idea why, or what conditions create that
> limit. I've tried trying to find out what the limit is empirically,
> but it seems to depend on parameters I don't know about, because
> what works one time may not work the next. Is there real
> documentation for this? What I find on my system is very
> scant. (FYI: I'm required to "use POSIX" and "use SDBM_File" to use
> this feature.) Is there a Perl forum or discussion group that covers
> this (for people at my modest level of expertise)?
perldoc SDBM_File says:
There are a number of limits on the size of the data that you can store
in the SDBM file. The most important is that the length of a key, plus
the length of its associated value, may not exceed 1008 bytes.
I believe it can be tweaked to have a different limit when you build it
(at the expense of incompatibility with old data files).
perldoc AnyDBM_File has a comparison of the different *DB*_File packages:
                         odbm    ndbm    sdbm    gdbm    bsd-db
                         ----    ----    ----    ----    ------
 Linkage comes w/ perl   yes     yes     yes     yes     yes
 Src comes w/ perl       no      no      yes     no      no
 Comes w/ many unix os   yes     yes[0]  no      no      no
 Builds ok on !unix      ?       ?       yes     yes     ?
 Code Size               ?       ?       small   big     big
 Database Size           ?       ?       small   big?    ok[1]
 Speed                   ?       ?       slow    ok      fast
 FTPable                 no      no      yes     yes     yes
 Easy to build           N/A     N/A     yes     yes     ok[2]
 Size limits             1k      4k      1k[3]   none    none
> 2. In order to get any kind of error return at all for the above problem
> I have to have this active:
>
> use CGI::Carp 'fatalsToBrowser'; #During testing only
> But I'm told this is a security problem (I don't know why). Is there
> any way to issue this "use", then rescind it when I'm past where the
> problem might be?
Without that, the errors will go to the webserver's error logs. You
should be able to see them there. Using fatalsToBrowser is just a
convenience to use while developing. The security issue is that if
something goes wrong and fatalsToBrowser shows an error to your users,
the error message may give black hats enough info for an exploit of
some kind.
If you are only assigning to your hash in a few places, wrap the
assignments in eval { } and detect errors afterward by testing
$@ && $@=~/sdbm store/;
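Added example, not part of the original message or of the SDBM_File
documentation: it ties a hash to a throwaway SDBM file, wraps each store in
eval as suggested above, and turns an "sdbm store" failure into a return
value instead of a fatal error, so nothing ever reaches CGI::Carp and
fatalsToBrowser is not needed to see it. It assumes the 1008-byte key+value
limit quoted from perldoc SDBM_File and the "sdbm store" error text from the
tie layer; the file name, key and values are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl;                      # O_RDWR, O_CREAT (use POSIX also exports these)
use SDBM_File;
use File::Temp qw(tempdir);

# Constructed example: a throwaway SDBM file in a temp dir (probe.pag/probe.dir).
my $dir = tempdir(CLEANUP => 1);
my %db;
tie %db, 'SDBM_File', "$dir/probe", O_RDWR | O_CREAT, 0600
    or die "cannot tie SDBM file: $!";

# Store one pair inside eval. The tied STORE croaks with a message that
# starts "sdbm store ..." when the underlying library refuses the pair, so
# match only that text and let any other error propagate as usual.
sub try_store {
    my ($key, $value) = @_;
    my $size = length($key) + length($value);
    my $ok = eval { $db{$key} = $value; 1 };
    return "stored:  key+value = $size bytes" if $ok;
    die $@ unless $@ =~ /sdbm store/;
    return "refused: key+value = $size bytes ($@)";
}

# Probe around the documented limit: key plus value may not exceed 1008 bytes.
my $key = 'k';                                  # 1-byte key
print try_store($key, 'x' x 1000), "\n";        # 1001 bytes
print try_store($key, 'x' x 1007), "\n";        # 1008 bytes, the documented limit
print try_store($key, 'x' x 1008), "\n";        # 1009 bytes, over the limit

# A refused store leaves the earlier value in place; read it back to check.
my $current = exists $db{$key} ? length $db{$key} : 0;
print "value length in file now: $current\n";
untie %db;
```

Because every die from the tied store is caught here, a CGI script using
this pattern sends its own short message (or nothing) to the browser and
writes the full $@ text to STDERR, which the webserver collects in its error
log; that is the place to read it during testing instead of fatalsToBrowser.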