Build a Perl/CGI Voting System
By Allan Peda
2005-07-05
Other possible improvements
Other security considerations could and should be taken into account when using this script. Any program that accepts input from an external entity is exposed to malicious activity, such as buffer overflows and embedded control characters. On the other hand, using a dedicated routine to read and write local DBM files has at least one benefit: there is no possibility of SQL injection when there is no SQL back end to access. In a nod to the need to filter incoming data, I set the variables $CGI::DISABLE_UPLOADS and $CGI::POST_MAX to very strict values. Additionally, I recommend the following:
- Strip all incoming variables of any unexpected characters and truncate their length to a reasonable limit.
- A lot of runtime data is kept inside the script. The advantage of this practice is that there are fewer files to distribute and to set permissions for. The disadvantage is that users may not want to edit code, and the code becomes less clear. A possible compromise is to take advantage of kludges such as the DATA pseudo-file handle to tuck data at the end of a script.
- File locking is a very tricky issue, and race conditions abound. It seemed that for every guideline I found spelling out the correct way to lock files, a subsequent correction was posted. I tried to minimize the time files were open and to leverage the locking mechanism provided for the MLDBM module.
- The Perl modules are not put in their own path away from the CGI, so they could theoretically be executed from the cgi-bin directory. I recommend that these modules not be set as executable.
- PHP is practically ubiquitous on Linux platforms, so I would consider porting this script to PHP if the need to reimplement it arose. However, I am not sure there is a PHP equivalent to the MLDBM module.
- The layout of the voting form is considered unfair by some, since it presents the first candidate as the default.
- I did not use perldoc. I should.
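The following is an added example, not code from the article, showing how the first and third recommendations above (tightening CGI.pm and filtering input; locking around the DBM) can be combined in one minimal ballot handler. The file paths, the 1 KiB POST limit, the 64-character field cap and the whitelist of allowed characters are all assumptions for this example. The locking uses a plain flock on a separate sentinel file held for the whole tie/untie window, rather than any MLDBM-specific locking mechanism the article may have used.

```perl
#!/usr/bin/perl
# Added example, not the article's code: a minimal ballot handler that applies
# the recommendations above (input filtering and locked DBM access).
use strict;
use warnings;
use CGI;
use Fcntl qw(:DEFAULT :flock);
use MLDBM qw(DB_File Storable);

# --- CGI.pm limits: must be set before the first CGI object parses the request ---
$CGI::DISABLE_UPLOADS = 1;      # refuse multipart file uploads outright
$CGI::POST_MAX        = 1024;   # reject POST bodies over 1 KiB (assumed limit)

my $MAX_LEN   = 64;                      # assumed cap for any single field
my $DB_FILE   = '/tmp/votes.db';         # assumed paths
my $LOCK_FILE = "$DB_FILE.lock";

# Whitelist-filter one value: drop control characters, keep only an expected
# character set (an assumption for this example), trim, then truncate.
sub sanitize {
    my ($value, $max_len) = @_;
    return '' unless defined $value;
    $value =~ tr/\x00-\x1f\x7f//d;           # control chars incl. NUL, CR, LF
    $value =~ s/[^A-Za-z0-9 .,@_-]//g;        # anything outside the whitelist
    $value =~ s/^\s+|\s+$//g;                 # trim surrounding whitespace
    return substr($value, 0, $max_len);       # hard length cap
}

# Run $code with the ballot DBM tied, under a flock on a separate sentinel file.
# The lock is taken before tie() because tying opens (and may read) the DBM,
# so locking the DBM file handle afterwards leaves a window for a racing writer.
sub with_locked_db {
    my ($mode, $code) = @_;                   # LOCK_SH to read, LOCK_EX to write
    open my $lock, '>>', $LOCK_FILE or die "open $LOCK_FILE: $!";
    flock($lock, $mode) or die "flock $LOCK_FILE: $!";
    my %db;
    my $flags = ($mode == LOCK_EX) ? O_CREAT | O_RDWR : O_RDONLY;
    tie %db, 'MLDBM', $DB_FILE, $flags, 0640 or die "tie $DB_FILE: $!";
    my @result = $code->(\%db);
    untie %db;                                # flush and close before releasing the lock
    close $lock;                              # closing the handle releases the flock
    return @result;
}

# Record one ballot: read-modify-write of a nested record under an exclusive lock.
sub cast_vote {
    my ($voter, $candidate) = @_;
    with_locked_db(LOCK_EX, sub {
        my $db  = shift;
        # MLDBM hands back a copy of the stored structure: modify it and store it back.
        my $rec = $db->{$voter} || {};
        $rec->{candidate} = $candidate;
        $rec->{time}      = time;
        $db->{$voter}     = $rec;
    });
}

# Count ballots under a shared lock: readers do not block each other but wait for writers.
sub tally {
    my %count;
    with_locked_db(LOCK_SH, sub {
        my $db = shift;
        $count{ $db->{$_}{candidate} }++ for keys %$db;
    });
    return \%count;
}

# --- request handling ---
my $q = CGI->new;
# CGI.pm reports oversize posts and refused uploads through cgi_error() instead of dying.
if (my $err = $q->cgi_error) {
    print $q->header(-status => $err), "Request rejected: $err\n";
    exit;
}
my $voter     = sanitize(scalar $q->param('voter'),     $MAX_LEN);
my $candidate = sanitize(scalar $q->param('candidate'), $MAX_LEN);
if ($voter eq '' || $candidate eq '') {
    print $q->header(-status => '400 Bad Request'), "Missing or invalid field\n";
    exit;
}
cast_vote($voter, $candidate);
my $counts = tally();
print $q->header('text/plain');
print "$_: $counts->{$_}\n" for sort keys %$counts;
```

The two CGI.pm globals have to be assigned before `CGI->new` runs, because the request body is parsed during construction; after that point, checking `cgi_error` is the only way to learn that the limit was hit. The sentinel lock file is used instead of locking the DBM file itself so that no process ever has the DBM open, even for reading, without already holding the lock.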
First published by IBM DeveloperWorks