Dev Shed Forums: Perl Programming
data validation
July 1st, 2000, 10:01 PM
Junior Member
Hi,
I'm new to Perl and I learned enough to write a small CGI program that takes the data passed from my internet payment service and stores it in my MySQL database. Now I want to work on making it as "unhackable" as possible, so I assume I will need to validate the data. Could someone help me on how to validate data? My passed variables contain decimal numbers (i.e. 5.75), integers, and text passed from the payment service when payment is complete.
(Also, is there a way to determine if the data was passed from THAT website and not from the user or another website?)
If the question makes no sense.... lemme know.
Thanks in advance,
Mike
nameismud@aol.com

July 2nd, 2000, 04:29 AM
Guest
>>a way to determine if the data was passed from THAT website
my @referers = ('foo.bar.com', 'yourhost.com');
my $check_referer = 0;
# HTTP_REFERER is whatever the client chose to send; it may be absent or forged.
if (!$ENV{'HTTP_REFERER'}) {
    error("No Referer!");   # like coming from a bookmark
}
foreach my $referer (@referers) {
    # anchored at the start, dots kept literal with \Q...\E, and the host must
    # end right after $referer (optionally preceded by a subdomain), so
    # yourhost.com.evil.net and evilyourhost.com do not match
    if ($ENV{'HTTP_REFERER'} =~ m|^https?://(?:[^/]*\.)?\Q$referer\E(?:[:/]\|$)|i) {
        $check_referer = 1;
        last;
    }
}
if ($check_referer != 1) {
    error("Bad Referer!");  # coming from somewhere not listed in @referers
}
sub error {
    my $error = $_[0];
    print "Content-type: text/html\n\n";
    print "$error\n";
    exit;                   # stop here, otherwise the script keeps running
}
#############################################
As for your other request, you need to be more specific.
>>My passed variables contain decimal numbers (ie 5.75), integers,
>>and text passed from the payment service when payment is complete
This is just to validate your own form field input, and it's a totally different case.
To validate that your particular form input is numbers only, accepting a decimal:
if ($payment =~ /^[0-9]+(?:\.[0-9]+)?$/) {   # anchored: the whole value must be numeric
    some_subroutine();
}
else {
    error("Invalid characters!");
}
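Added example, not code from the thread: the Referer check above done by extracting the host from the URL and comparing it exactly against an allow list, instead of searching for the host name somewhere inside the header. An unanchored substring match such as m|https?://([^/]*)yourhost.com| accepts http://yourhost.com.evil.net/ and http://evil.net/redirect?to=http://yourhost.com; the exact comparison rejects both. The host names and the test URLs are constructed for the example. Note that the Referer header is optional and entirely client-controlled (a browser setting, a privacy proxy or a hand-made request can omit or forge it), so this is a convenience filter, not proof that the request came from the payment service.

```perl
#!/usr/bin/perl
# Added example (not from the thread): matching the Referer host exactly
# instead of with an unanchored substring regex.
use strict;
use warnings;

# Hosts we accept (hypothetical names, as in the post above).
my @allowed_hosts = ('foo.bar.com', 'yourhost.com');

# Return the lowercase host part of an http(s) URL, or undef if the value
# does not look like one. Userinfo and port are stripped.
sub referer_host {
    my ($url) = @_;
    return undef unless defined $url && $url =~ m{^https?://([^/?#]+)}i;
    my $authority = $1;
    $authority =~ s/^.*@//;      # drop user:pass@
    $authority =~ s/:\d+$//;     # drop :port
    return lc $authority;
}

# Exact match against the allow list, or a subdomain of an allowed host:
# www.yourhost.com passes, yourhost.com.evil.net does not.
sub referer_ok {
    my ($url, @hosts) = @_;
    my $host = referer_host($url);
    return 0 unless defined $host;
    for my $allowed (map { lc } @hosts) {
        return 1 if $host eq $allowed || $host =~ /\.\Q$allowed\E$/;
    }
    return 0;
}

# Constructed cases: URL, expected verdict. The third and fourth would pass
# an unanchored m|https?://([^/]*)yourhost.com| search.
my @cases = (
    ['http://www.yourhost.com/order.cgi',                 1],
    ['https://yourhost.com:443/pay',                      1],
    ['http://yourhost.com.evil.net/',                     0],
    ['http://evil.net/redirect?to=http://yourhost.com',   0],
    ['http://evilyourhost.com/',                          0],
    [undef,                                               0],   # header absent
);

my $failures = 0;
for my $case (@cases) {
    my ($url, $want) = @$case;
    my $got   = referer_ok($url, @allowed_hosts);
    my $label = defined $url ? $url : '(no Referer header)';
    printf "%-4s %s\n", ($got == $want ? 'ok' : 'FAIL'), $label;
    $failures++ if $got != $want;
}
exit($failures ? 1 : 0);
```

In a CGI script the value to check is $ENV{'HTTP_REFERER'}; the script exits non-zero if any constructed case gives the wrong verdict.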

July 2nd, 2000, 12:30 PM
Junior Member
Thank you for the quick response...
>> As for your other request, you need to be more specific.
Well... here's a watered-down example of what might be passed from my payment service:
  variable name    | example
  -----------------+---------
  $amount_spent    | 5.25
  $payment_type    | Check
  $payment_result  | 123
I don't know what all I need to protect against, but I assume I will have to make sure $result_of_payment is an integer and is between a ceiling and floor value, and that $amount_spent is a positive value less than, let's say, $9999. And $payment_type needs to be checked for text that could pose security issues with the Perl program, as well as MySQL (during the update or insert command??). (I'm ASKING all of this - I'm guessing this is what I need to guard against. Am I right?? Am I missing something?)
[This message has been edited by qweqwe (edited July 02, 2000).]

July 2nd, 2000, 09:05 PM
Guest
use Number::Format qw(:subs);   # provides format_price(); 'use' must be at file scope

my $amount_spent_limit     = 9999;
my $default_payment_amount = 20;

# anchored: the whole value must be digits, optionally with a decimal part
if ($amount_spent =~ /^[0-9]+(?:\.[0-9]+)?$/) {
    check_limit();
}
else {
    error("Invalid characters!");
}

sub check_limit {
    if ($amount_spent >= $amount_spent_limit) {
        error("Your amount spent \"$amount_spent\" exceeds the limit \"$amount_spent_limit\"<br>"
            . "Please go back and adjust it");
    }
    # $payment_result must be a whole number (digits only)
    if ($payment_result !~ /^[0-9]+$/) {
        error("Payment result \"$payment_result\" is not an integer");
    }
    if ($payment_result > $amount_spent) {
        error("Your payment amount exceeds your total spending");
    }
    if ($amount_spent < $default_payment_amount) {
        error("No payment due at this time");
    }
    if ($payment_result < $default_payment_amount) {
        error("Your minimum payment is $default_payment_amount");
    }
    # format only after the numeric comparisons: format_price() returns a
    # string such as "1,234.00", which no longer compares as a number
    $amount_spent = format_price($amount_spent);
}
############################################
To use Format.pm, you need to download -> http://www.perl.com/CPAN-local/modules/by-module/Number/Number-Format-1.42.tar.gz
integer.pm should come with your Perl as standard.
>>$payment_type needs to be checked for text that could pose
>>security issues with the Perl program,
Why is that?
>>I'm guessing this is what I need to guard against
If you are concerned about the security of MySQL, you should check with the MySQL website. If your script has a good validation procedure to check for acceptable data format, there isn't much to be concerned about. The example above is just a quick example; you need to adjust it accordingly.
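Added example, not code from the thread: the three fields from Mike's table validated with anchored allow-list patterns and explicit floor/ceiling checks, followed by the MySQL insert written with DBI placeholders so the text field can never be parsed as SQL. The sample inputs and the list of rejected values are constructed; the table and column names, and the $dbh handle that store_payment() expects, are hypothetical. Only the validation runs stand-alone; store_payment() needs a live DBI connection and is shown but not called. An unanchored test such as /[0-9.]/ is satisfied by any string that contains one digit or dot, which is why every value in the @bad list below would get through it.

```perl
#!/usr/bin/perl
# Added example (not from the thread): anchored numeric validation with
# floor/ceiling checks, plus the MySQL insert done with DBI placeholders.
use strict;
use warnings;

# Validate a money amount: digits with an optional one- or two-digit
# decimal part, within [$min, $max]. Returns "whole.cents" or undef.
sub valid_amount {
    my ($raw, $min, $max) = @_;
    return undef unless defined $raw;
    $raw =~ s/^\s+|\s+$//g;
    return undef unless $raw =~ /^([0-9]{1,7})(?:\.([0-9]{1,2}))?$/;
    my $whole = $1 + 0;                                   # "007" -> 7
    my $cents = defined $2 ? substr($2 . '00', 0, 2) : '00';   # "5" -> "50"
    my $value = "$whole.$cents";
    return undef if $value < $min || $value > $max;
    return $value;
}

# Validate a whole number within [$min, $max]. Returns the integer or undef.
sub valid_int {
    my ($raw, $min, $max) = @_;
    return undef unless defined $raw && $raw =~ /^\s*([0-9]{1,9})\s*$/;
    my $n = $1 + 0;
    return undef if $n < $min || $n > $max;
    return $n;
}

# Validate a short text field against an explicit allow list of characters
# (letters, digits, space, dot, underscore, hyphen). Returns it or undef.
sub valid_text {
    my ($raw, $maxlen) = @_;
    return undef unless defined $raw && length($raw) <= $maxlen;
    return undef unless $raw =~ /^([A-Za-z0-9 ._-]+)$/;
    return $1;
}

# Insert with placeholders. DBI sends the values separately from the SQL,
# so a payment_type such as  x'); DROP TABLE payments; --  is stored as a
# literal string. $dbh is assumed to be a DBI->connect(...) handle; the
# table and column names are hypothetical. Not called in this stand-alone run.
sub store_payment {
    my ($dbh, $amount, $type, $result) = @_;
    my $sth = $dbh->prepare(
        'INSERT INTO payments (amount_spent, payment_type, payment_result)'
        . ' VALUES (?, ?, ?)');
    return $sth->execute($amount, $type, $result);
}

# Constructed inputs, as they might arrive from the payment service.
my %FORM = (
    amount_spent   => '5.25',
    payment_type   => 'Check',
    payment_result => '123',
);
my $amount = valid_amount($FORM{amount_spent}, 0.01, 9999);
my $type   = valid_text($FORM{payment_type}, 32);
my $result = valid_int($FORM{payment_result}, 0, 999);
die "rejected input\n" unless defined $amount && defined $type && defined $result;
die "unexpected normalisation\n" unless $amount eq '5.25' && $result == 123;
print "accepted: amount=$amount type=$type result=$result\n";

# Values that must not get through; each contains a digit or a dot, so an
# unanchored /[0-9.]/ test would accept all of them.
my @bad = ('5.25; drop table x', '1e9', '-5', '99999', '.', '5.2.5', '');
for my $bad (@bad) {
    die "accepted '$bad'\n" if defined valid_amount($bad, 0.01, 9999);
}
print "rejected all ", scalar(@bad), " bad amounts\n";
```

The amount is returned as a normalised string rather than a float so that it can be compared numerically in Perl and still inserted into a DECIMAL column without rounding surprises.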

July 2nd, 2000, 10:48 PM
Junior Member
Thanks again freebsd,
you answered all of my questions except the part about a variable containing text:
>> $payment_type needs to be checked for text that could pose
>> security issues with the Perl program,
>> Why is that?
I thought that someone might find a way to enter text that could do damage. I always see "simplistic examples", something like the following (not exactly, but you get the idea):
######## Start Code ##########
print "$variable_passed_from_form";
######### END CODE ###########
if $variable_passed_from_form = 'hello world!' .... all is fine.
but,
if $variable_passed_from_form = 'hello world"; $amount_due = 0;' .... it will zero out the $amount_due variable.
-------
I have tried to get it to do this on my own but I can't make it happen, but I was just wondering if this kind of stuff is really a problem I have to deal with.
Thanks,
Mike
[This message has been edited by qweqwe (edited July 02, 2000).]
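Added example, not code from the thread, showing why the scenario in the post above cannot be reproduced with print: a value interpolated into a double-quoted string is only characters, so the quotes and semicolons never reach the Perl parser. The same text does clobber $amount_due the moment the string is assembled into Perl source and handed to string eval. The hostile input is constructed. Running the script under taint mode (perl -T) makes the second step die with "Insecure dependency in eval" when the data came from the request, which is the check to keep on for CGI scripts.

```perl
#!/usr/bin/perl
# Added example (not from the thread): text interpolated into a string
# stays text; it only becomes code when the string is fed to an
# interpreter such as string eval.
use strict;
use warnings;

my $amount_due = 42;
# Constructed hostile input, shaped like the one in the post above.
my $from_form = q{hello world"; $amount_due = 0; my $unused = "};

# 1. Interpolation. The quotes and semicolons are just characters in
#    $greeting; $amount_due is untouched.
my $greeting = "You said: $from_form";
die "interpolation must not run code\n" unless $amount_due == 42;

# 2. Building Perl source out of the input and eval'ing it. Now the input
#    is parsed as Perl and the assignment really executes.
my $source = qq{my \$msg = "$from_form";};
eval $source;
die "eval failed: $@" if $@;
die "expected string eval to clobber \$amount_due\n" unless $amount_due == 0;

print "after interpolation: amount_due was still 42\n";
print "after string eval:   amount_due is $amount_due\n";
print "what matters is whether the text reaches an interpreter (eval, a shell, SQL)\n";
```

The same distinction applies to the shell (system("cmd $value") versus the list form system('cmd', $value)) and to SQL (string-built statements versus placeholders): the text is inert until something parses it.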

July 2nd, 2000, 11:11 PM
Guest
>>my questions except the part about a variable containing text
You would need a parse_form subroutine like this..
############################################
sub parse_form {
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    @pairs = split(/&/, $buffer);
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair, 2);   # a value may itself contain '='
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--.*?-->//gs;   # strip HTML comments
        $value =~ s/<[^>]*>//gs;      # strip HTML tags
        $FORM{$name} = $value;
    }
}
#############################################
Then a form_validation example:
sub get_variable {
    # Username
    my $username_length = length $FORM{'username'};
    if (($username_length < 4) || ($username_length > 12)) {
        error("Username \"$FORM{'username'}\" needs to have 4 to 12 characters");
    }
    if ($FORM{'username'} =~ /[A-Z]/) {
        error("Lowercase only");
    }
    elsif ($FORM{'username'} =~ /[\.\"\-\+<>\&~!\@\$%^\*()\=\|\?]/) {
        error("Username field takes numbers, lowercase letters and _");
    }
    elsif ($FORM{'username'} =~ / /) {
        error("Username has space");
    }
    elsif ($FORM{'username'} =~ /^[a-z0-9_]+$/) {   # anchored: the whole value must match
        $username = $FORM{'username'};
    }
    else {
        error("Username contains an unexpected character");
    }
}
Note this line -> elsif ($FORM{'username'} =~ /[\.\"\-\+<>\&~!\@\$%^\*()\=\|\?]/) {
You can add whatever illegal characters to it. If you want to add ', simply add it within the [] brackets. As you can see from the line above, the ".", "+", "&", "@", "$", "=", "|", "?" characters need to be escaped with "\".
I hope you get the idea.
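Added example, not code from the thread: the form parser above rewritten so that it decodes both the name and the value, keeps a value that contains "=", keeps every value of a repeated field, and leaves the stored text intact. Instead of deleting anything that looks like a tag at input time (which silently changes the data and still leaves "&", quotes and bare "<" in it), the text is HTML-escaped at the point where it is printed back into a page. The form body is constructed; in a CGI script it is what read(STDIN, ...) returns for a POST.

```perl
#!/usr/bin/perl
# Added example (not from the thread): decode a form body into a hash
# without altering the data, and escape on output instead.
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded token.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Parse a form body. Both halves of a pair are encoded, a value may itself
# contain '=' (hence the split limit of 2), and a repeated name keeps every
# value, so the result maps name -> array reference.
sub parse_form {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        next if $pair eq '';
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        push @{ $form{ url_decode($name) } }, url_decode($value);
    }
    return \%form;
}

# Escape for HTML output. Done at output time, the stored data stays
# exactly what was submitted and every special character is covered.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed POST body: an encoded '+', '=', '<', '>' and '/', plus a
# field that appears twice.
my $body = 'username=mike_01&note=1%2B1%3D2+%3Cb%3Ehi%3C%2Fb%3E&tag=a&tag=b';
my $form = parse_form($body);

die "username\n" unless $form->{username}[0] eq 'mike_01';
die "note\n"     unless $form->{note}[0] eq '1+1=2 <b>hi</b>';
die "tags\n"     unless "@{ $form->{tag} }" eq 'a b';
die "escape\n"   unless html_escape($form->{note}[0]) eq '1+1=2 &lt;b&gt;hi&lt;/b&gt;';

print "stored note: $form->{note}[0]\n";
print "as HTML:     ", html_escape($form->{note}[0]), "\n";
print "tags:        @{ $form->{tag} }\n";
```

The username allow-list check from the post ( /^[a-z0-9_]+$/ on the decoded value, plus the length test) is applied to $form->{username}[0] after parsing; what changes here is only that nothing is deleted from the data before it is validated or stored.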

July 3rd, 2000, 11:30 AM
Junior Member
Thank you very much for your time freebsd. You have helped me a lot.
Mike