ch08_01.htm

用perl编写CGI的好书。本书从解释CGI和底层HTTP协议如何工作开始

<?label 8. Security?><html><head><title>Security (CGI Programming with Perl)</title><link href="../style/style1.css" type="text/css" rel="stylesheet" />

<meta name="DC.Creator" content="Scott Guelich, Gunther Birznieks and Shishir Gundavaram" /><meta scheme="MIME" content="text/xml" name="DC.Format" /><meta content="en-US" name="DC.Language" /><meta content="O'Reilly & Associates, Inc." name="DC.Publisher" /><meta scheme="ISBN" name="DC.Source" content="1565924193L" /><meta name="DC.Subject.Keyword" content="stuff" /><meta name="DC.Title" content="CGI Programming with Perl" /><meta content="Text.Monograph" name="DC.Type" />

</head><body bgcolor="#ffffff">

<img src="gifs/smbanner.gif" alt="Book Home" usemap="#banner-map" border="0" /><map name="banner-map"><area alt="CGI Programming with Perl" href="index.htm" coords="0,0,466,65" shape="rect" /><area alt="Search this book" href="jobjects/fsearch.htm" coords="467,0,514,18" shape="rect" /></map>

<div class="navbar"><table border="0" width="515"><tr><td width="172" valign="top" align="left"><a href="ch07_04.htm"><img src="../gifs/txtpreva.gif" alt="Previous" border="0" /></a></td><td width="171" valign="top" align="center"><a href="index.htm">CGI Programming with Perl</a></td><td width="172" valign="top" align="right"><a href="ch08_02.htm"><img src="../gifs/txtnexta.gif" alt="Next" border="0" /></a></td></tr></table></div>
<hr align="left" width="515" />



<h1 class="chapter">Chapter 8. Security</h1>
<div class="htmltoc"><h4 class="tochead">Contents:</h4><p>
<a href="ch08_01.htm">The Importance of Web Security</a><br>
<a href="ch08_02.htm">Handling User Input</a><br>
<a href="ch08_03.htm">Encryption</a><br>
<a href="ch08_04.htm">Perl's Taint Mode</a><br>
<a href="ch08_05.htm">Data Storage</a><br>
<a href="ch08_06.htm">Summary</a><br></p></div>



<p>CGI programming <a name="INDEX-1666" />
<a name="INDEX-1667" />offers you
something amazing: as soon as your script is online, it is
immediately available to the entire world. Anyone from almost
anywhere can run the application you created on your web server. This
may make you excited, but it should also make you scared. Not
everyone using the Internet has honest intentions. Crackers<a href="#FOOTNOTE-12">[12]</a> may attempt to vandalize your web pages in
order to show off to friends. Competitors or investors may try to
access internal information about your organization and its products.</p><blockquote>

<a name="FOOTNOTE-12" /><p>[12]A <em class="emphasis">cracker</em> is someone who attempts to break
into computers, snoop network transmissions, and get into other forms
of online mischief. This is quite different from a
<em class="emphasis">hacker</em>, a clever programmer who can find
creative, simple solutions to problems. Many programmers (most of
whom consider themselves hackers) draw a sharp distinction between
the two terms, even though the mainstream media often does
not.</p>

</blockquote>


<p>Not all security issues involve malevolent users. The worldwide
availability of your CGI script means that someone may run your
script under circumstances you never imagined and certainly never
tested. Your web script should not wipe out files because someone
happened to enter an apostrophe in a form field, but this is
possible, and issues like these also represent security concerns.</p>










<div class="sect1"><a name="ch08-47634" />
<h2 class="sect1">8.1. The Importance of Web Security</h2>


<p>Many CGI developers do not take
<a name="INDEX-1668" /> <a name="INDEX-1,669" />security as seriously as
they should. So before we look at how to make CGI scripts more
secure, let's look at why we should worry about security in the
first place:</p>


<ol><li><p><em class="emphasis">On the Internet, your web site represents your public
image.</em> If your web pages are unavailable or have been
vandalized, that affects others' impressions of your
organization, even if the focus of your organization has nothing to
do with web technology.</p></li><li><p><em class="emphasis">You may have valuable information on your web
server.</em> You may have sensitive or valuable information
available in a restricted area that you may wish to keep unauthorized
people from accessing. For example, you may have content or services
available to paying members, which you would not want non-paying
customers or non-members to access. Even files that are not part of
your web server's document tree and are thus not available
online to anyone (e.g., credit card numbers) could be compromised.</p></li><li><p><em class="emphasis">Someone who has cracked your web server has easier access
to the rest of your network.</em> If you have no valuable
information on your web server, you probably cannot say that about
your entire network. If someone breaks into your web server, it
becomes much easier for them to break into another system on your
network, especially if your web server is inside your
organization's firewall (which, for this reason, is generally a
bad idea).</p></li><li><p><em class="emphasis">You sacrifice potential income when your system is
down.</em> If your organization generates revenue directly from
your web site, you certainly lose income when your system is
unavailable. However, even if you do not fall into this group, you
likely offer marketing literature or contact information online.
Potential customers who are unable to access this information may
look elsewhere when making their decision.</p></li><li><p><em class="emphasis">You waste time and resources fixing problems.</em>
You must perform many tasks when your systems are compromised. First,
you must determine the extent of the damage. Then you probably need
to restore from backups. You must also determine what went wrong. If
a cracker gained access to your web server, then you must determine
how the cracker managed this in order to prevent future break-ins. If
a CGI script damaged files, then you must locate and fix the bug to
prevent future problems.</p></li><li><p><em class="emphasis">You expose yourself to liability.</em> If you develop
CGI scripts for other companies, and one of those CGI scripts is
responsible for a large security problem, then you may understandably
be liable. However, even if it is your company for whom you're
developing CGI scripts, you may be liable to other parties. For
example, if someone cracks your web server, they could use it as a
base to stage attacks on other companies. Likewise, if your company
stores information that others consider sensitive (e.g., your
customers' credit card numbers), you may be liable to them if
that information is leaked.</p></li></ol>
<p>These are only some of the many reasons why web security is so
important. You may be able to come up with other reasons yourself. So
now that you recognize the importance of creating secure CGI scripts,
you may be wondering what makes a CGI script secure. It can be summed
up in one simple maxim: <em class="emphasis">never trust any data coming from
the user.</em> This sounds quite simple, but in practice
it's not. In the remainder of this chapter, we'll explore
how to do this.</p>
</div>




















































<hr align="left" width="515" />
<div class="navbar"><table border="0" width="515"><tr><td width="172" valign="top" align="left"><a href="ch07_04.htm"><img src="../gifs/txtpreva.gif" alt="Previous" border="0" /></a></td><td width="171" valign="top" align="center"><a href="index.htm"><img src="../gifs/txthome.gif" alt="Home" border="0" /></a></td><td width="172" valign="top" align="right"><a href="ch08_02.htm"><img src="../gifs/txtnexta.gif" alt="Next" border="0" /></a></td></tr><tr><td width="172" valign="top" align="left">7.4. Bookmarklets</td><td width="171" valign="top" align="center"><a href="index/index.htm"><img src="../gifs/index.gif" alt="Book Index" border="0" /></a></td><td width="172" valign="top" align="right">8.2. Handling User Input</td></tr></table></div>
<hr align="left" width="515" />

<img src="../gifs/navbar.gif" alt="Library Navigation Links" usemap="#library-map" border="0" />
<p><font size="-1"><a href="copyrght.htm">Copyright &copy; 2001</a> O'Reilly &amp; Associates. All rights reserved.</font></p>

<map name="library-map"><area href="../index.htm" coords="1,1,83,102" shape="rect" /><area href="../lnut/index.htm" coords="81,0,152,95" shape="rect" /><area href="../run/index.htm" coords="172,2,252,105" shape="rect" /><area href="../apache/index.htm" coords="238,2,334,95" shape="rect" /><area href="../sql/index.htm" coords="336,0,412,104" shape="rect" /><area href="../dbi/index.htm" coords="415,0,507,101" shape="rect" /><area href="../cgi/index.htm" coords="511,0,601,99" shape="rect" /></map>

</body></html>