How do I make sure users can't enter values into a form that cause my CGI script...

	+ The CGI Meta FAQ is gone, so this needs a new
	answer

diff --git a/pod/perlfaq9.pod b/pod/perlfaq9.pod
index da39f3d..ab7157b 100644 (file)
--- a/pod/perlfaq9.pod
+++ b/pod/perlfaq9.pod
@@ -339,9 +339,20 @@ a DBI compatible driver.  C<HTTPD::UserAdmin> supports files used by the
 
 =head2 How do I make sure users can't enter values into a form that cause my CGI script to do bad things?
 
-See the security references listed in the CGI Meta FAQ
+(contributed by brian d foy)
 
-       http://www.perl.org/CGI_MetaFAQ.html
+You can't really prevent people from sending your script bad data, at
+least not with Perl, which works on the server side. If you want to
+prevent data that try to use SQL injection or other sorts of attacks
+(and you should want to), you have to not trust any data that enter
+your program.
+
+The L<perlsec> documentation has general advice about data security.
+If you are using the C<DBI> module, use placeholder to fill in data.
+If you are running external programs with C<system> or C<exec>, use
+the list forms. There are many other precautions that you should take,
+too many to list here, and most of them fall under the category of not
+using any data that you don't intend to use. Trust no one.
 
 =head2 How do I parse a mail header?