>Bruce,
>
>During my lunch break I created a temporary fix. By converting the
>command if for until, I was able to modify the way that perl checked
>the username and password (I learned for the first time last night
>that perl always assumes a statement is true under the if statement).
>But, I wanted to install an additional bit of security that I
>discovered I could not implement. When I tried to print all of the
>$ENV variables I got:

Well, I am not a pro at CGI, but I'm also not a newbie. Here are a couple of suggestions and reasons.

1: Un*x servers have many more variables that are used in the %ENV hash. For example, below is the list of %ENV variables when used under MacPerl & MacHTTP.

2: http://www.teleport.com/cgi-bin/cgiwrap/tjudd/ShowEnv.cgi
That's a Un*x server that will show all %ENV variables, even the ones that are passed like ShowEnv.cgi?key1=value1;key2=value2

3: To my knowledge, HTTP_REFERRER is one of those unix %ENV things. I'd like to see the code you used for the generation of the script. The script you have doesn't have "HTTP_HOST" - which is the IP or the hostname of the server it's running on.

>GATEWAY_INTERFACE = CGI/1.1
>HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
>image/png, */*
>HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8
>HTTP_ACCEPT_ENCODING = gzip
>HTTP_ACCEPT_LANGUAGE = en
>HTTP_CONNECTION = Keep-Alive
>HTTP_HOST =
>HTTP_PRAGMA = no-cache
>HTTP_USER_AGENT = Mozilla/4.6 (Macintosh; I; PPC)
>MACPERL = MacPerl ƒ:
>PERL5LIB =
>REMOTE_ADDR =
>REQUEST_METHOD = GET
>SCRIPT_NAME = /cgi-bin/first.cgi
>SERVER_NAME =
>SERVER_PORT = 80
>SERVER_PROTOCOL = HTTP/1.0
>SERVER_SOFTWARE = MacHTTP/2.0
>TMPDIR =
>USER = Admin
>
>If you look carefully, you'll notice that I am missing the HTTP_REFERER
>variable. Why am I missing this variable? Is there a module that I need
>to be running in order to get it?
>
>Thanks,
>Tomer

Just my 2 cents worth. Thanks.
--Tim

>>I _always_ include in my CGIs some way to handle a web request directly
>>addressing the CGI. Visitors can always read your HTML source to find the
>>name and path of a <FORM ...> action CGI script, so I assume that someone
>>will do so. My scripts parse the action right at the start between how it
>>executes when addressed the way it's intended and how it executes otherwise.
>>
>>Finally, you could just set it up so that directly addressing the CGI is
>>the way you choose to have it execute normally, including the security
>>steps. If a visitor can't pass the security steps, then the script rejects
>>them and exits. I don't always like to present links directly to CGIs, but
>>sometimes this is the best way to work it.
>
>
>==== Want to unsubscribe from this list?
>==== Send mail with body "unsubscribe" to macperl-webcgi-request@macperl.org
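
An added example, not code from this thread or from any of its posters: a Perl CGI entry point that separates a form submission from a direct request, as the last quoted message describes, and treats HTTP_REFERER as optional, since the client sends that header only when it chooses to. The function names and the sample environments are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a request from the CGI/1.1 variables alone. HTTP_REFERER is
# client-supplied and often absent (typed URL, bookmark, stripped header),
# so it is kept as a logging hint and never used to grant access.
sub classify_request {
    my (%env) = @_;
    my $method  = uc(defined $env{REQUEST_METHOD} ? $env{REQUEST_METHOD} : '');
    my $referer = $env{HTTP_REFERER};    # undef when the header was not sent
    my $hint = (defined $referer && length $referer) ? $referer : '(none sent)';

    return ('form_submit', $hint) if $method eq 'POST';   # intended path
    return ('direct', $hint) if $method eq 'GET' || $method eq 'HEAD';
    return ('reject', $hint);            # anything else fails closed
}

# Build the CGI response for each case. The credential check belongs in the
# form_submit branch: arriving through the form proves nothing by itself.
sub respond {
    my (%env) = @_;
    my ($kind) = classify_request(%env);
    my $type = "Content-Type: text/plain\r\n\r\n";
    return "Status: 200 OK\r\n${type}Checking username and password.\n"
        if $kind eq 'form_submit';
    return "Status: 200 OK\r\n${type}Please log in through the form.\n"
        if $kind eq 'direct';
    return "Status: 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
         . "${type}Request rejected.\n";
}

# Constructed sample environments (not captured from a real server).
my @samples = (
    { REQUEST_METHOD => 'GET',    SCRIPT_NAME => '/cgi-bin/first.cgi' },
    { REQUEST_METHOD => 'POST',   SCRIPT_NAME => '/cgi-bin/first.cgi',
      HTTP_REFERER   => 'http://example.invalid/login.html' },
    { REQUEST_METHOD => 'DELETE', SCRIPT_NAME => '/cgi-bin/first.cgi' },
);

for my $env (@samples) {
    my ($kind, $hint) = classify_request(%$env);
    print STDERR "$env->{REQUEST_METHOD} -> $kind (referer: $hint)\n";
    print respond(%$env), "\n";
}
```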