SPUG: SDBM & CGI request for information and pointers

Yitzchak Scott-Thoennes sthoenna at efn.org
Wed Oct 6 11:44:12 CDT 2004


On Wed, Oct 06, 2004 at 01:05:07AM -0700, "Michael R. Wolf" <MichaelRWolf at att.net> wrote:
> I got this question from a friend of mine, wondering where he could post 
> such a question.  I don't know the answers.  Do you?

How about http://perlmonks.org/?node=Seekers%20of%20Perl%20Wisdom

> 1 - Where can I learn more about the Perl "sdbm" database - the one
> that ties hashes to a file? I've discovered that it's easily
> corruptable by assigning a large (e.g., 1000-byte) value to a
> key. But I have no idea why, or what conditions create that
> limit. I've tried trying to find out what the limit is empirically,
> but it seems to depend on parameters I don't know about, because
> what works one time may not work the next. Is there real
> documentation for this?  What I find on my system is very
> scant. (FYI: I'm required to "use POSIX" and "use SDBM_File" to use
> this feature.) Is there a Perl forum or discussion group that covers
> this (for people at my modest level of expertise)?

perldoc SDBM_File says:
       There are a number of limits on the size of the data that you can store
       in the SDBM file.  The most important is that the length of a key, plus
       the length of its associated value, may not exceed 1008 bytes.

I believe it can be tweaked to have a different limit when you build it
(at the expense of incompatibility with old data files).

perldoc AnyDBM_File has a comparison of the different *DB*_File packages:

                                odbm    ndbm    sdbm    gdbm    bsd-db
                                ----    ----    ----    ----    ------
        Linkage comes w/ perl   yes     yes     yes     yes     yes
        Src comes w/ perl       no      no      yes     no      no
        Comes w/ many unix os   yes     yes[0]  no      no      no
        Builds ok on !unix      ?       ?       yes     yes     ?
        Code Size               ?       ?       small   big     big
        Database Size           ?       ?       small   big?    ok[1]
        Speed                   ?       ?       slow    ok      fast
        FTPable                 no      no      yes     yes     yes
        Easy to build          N/A     N/A      yes     yes     ok[2]
        Size limits             1k      4k      1k[3]   none    none

> 2. In order to get any kind of error return at all for the above problem I 
> have
> to have this active:
> 
>    use CGI::Carp 'fatalsToBrowser'; #During testing only

> But I'm told this is a security problem (I don't know why). Is there
> any way to issue this "use", then rescind it when I'm past where the
> problem might be?

Without that, the errors will go to the webserver's error logs.  You
should be able to see them there.  Using fatalsToBrowser is just a
convenience to use while developing.  The security issue is that if
something goes wrong and fatalsToBrowser shows an error to your users,
the error message may give black hats enough info for an exploit of
some kind.

If you are only assigning to your hash in a few places, wrap the
assignments in eval { } and detect errors afterward by testing
$@ && $@=~/sdbm store/;

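An added example (written for this page, not code from the original post or from the SDBM_File distribution) that puts the two answers above together: it checks the documented 1008-byte key-plus-value limit before storing, wraps the store in eval { } and tests $@ for "sdbm store" as suggested, and reports failures with warn, which under a web server lands in the error log rather than in the browser. The helper name safe_store, the temp-directory file path and the sample keys and values are assumptions made up for the example; the regex relies on SDBM_File's STORE croaking with a message that contains "sdbm store", as the reply above assumes.

```perl
#!/usr/bin/perl
# Added example, not from the original post: guarded stores into an
# SDBM_File tied hash, with errors logged to STDERR instead of the browser.
use strict;
use warnings;
use Fcntl;                      # O_RDWR, O_CREAT
use SDBM_File;
use File::Temp qw(tempdir);

# Documented limit from perldoc SDBM_File:
# length(key) + length(value) must not exceed 1008 bytes.
use constant PAIRMAX => 1008;

# Store $value under $key in the tied hash referenced by $db.
# Returns 1 on success, 0 on failure.  The reason goes to STDERR
# (the web server's error log), never into the HTTP response.
sub safe_store {
    my ($db, $key, $value) = @_;

    # Cheap pre-check so the usual oversize case never reaches the croak.
    my $pair_len = length($key) + length($value);
    if ($pair_len > PAIRMAX) {
        warn sprintf("refusing to store key '%s': pair is %d bytes, limit is %d\n",
                     $key, $pair_len, PAIRMAX);
        return 0;
    }

    # eval { } turns the die() raised inside SDBM_File's STORE into $@.
    my $ok = eval { $db->{$key} = $value; 1 };
    if (!$ok) {
        my $err = $@ || 'unknown error';
        if ($err =~ /sdbm store/) {
            warn "sdbm store failed for key '$key': $err";
        } else {
            warn "unexpected error storing key '$key': $err";
        }
        return 0;
    }
    return 1;
}

# Constructed sample data in a throw-away directory (assumption for the demo).
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/demo";         # SDBM creates demo.pag and demo.dir
my %db;
tie(%db, 'SDBM_File', $file, O_RDWR | O_CREAT, 0644)
    or die "cannot tie $file: $!\n";

# A small record fits comfortably.
print "small: ", (safe_store(\%db, 'user:1', 'alice') ? 'stored' : 'rejected'), "\n";

# A 1000-byte value plus a 10-byte key is 1010 bytes, over the 1008 limit,
# so it is rejected by the pre-check.  Comment the pre-check out to see the
# eval path catch the "sdbm store" croak instead.
my $big = 'x' x 1000;
print "big:   ", (safe_store(\%db, 'blob:00001', $big) ? 'stored' : 'rejected'), "\n";

# The earlier record is untouched by the failed store.
print "readback: $db{'user:1'}\n";

untie %db;
```

Run it from the command line to see both messages; under a CGI setup the warn lines appear in the error log, which is the same place the errors would have gone without fatalsToBrowser.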
