Is there any specific reason why you are writing a simple CGI in c++? If it is for learning, then I can see the point, but this can easily be done securely and efficiently in PERL or perhaps PHP (never had a chance to do this). With very few lines of actual code, PERL can sanitize your input.

IMHO - I would use PERL because it's very easy to parse and strip out strings quickly. Also, maintaining the code will be somewhat of a pain using a compiled language.

I don't know a safe alternative using c/c++ other than enforcing your input against an allowed character set. My safe and quick alternative is to use PERL, but that might not be an option for you. Of course, whatever you use, you need to validate your input - just a matter of how much time you want to take up.

-Rich

On Tue, 19 Jun 2001, Aaron Bentley wrote:

> I'm writing a CGI program in C++ that sends email. I'm using Sendmail
> for the transmission, so I need a command that lets me specify stdin for
> Sendmail.
> I understand popen() is not very secure, because it uses the shell to
> execute the command, but I don't know of a safe alternative. I can
> sanitize my input, but is escaping all non-alphanumeric characters the
> right answer?
>
> The program is not privileged, but I don't want people to be able to
> gain privileges as 'nobody' on the web server.
>
> Any suggestions for this ?
>
> Aaron
>
> --
> Aaron Bentley
> Manager of Information Technology
> PanoMetrics, Inc.
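An added example, not part of the original thread: one way to feed a message to Sendmail's stdin without popen() is pipe() + fork() + execv(), combined with the allowed-character-set check suggested above, so the address is never interpreted by a shell. The names `addr_ok`, `run_with_stdin` and `send_mail`, the character set, and the `/usr/sbin/sendmail` path are assumptions made for this sketch.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define ADDR_CHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@._+-"
/* Allowlist for a form-supplied address: ADDR_CHARS only, exactly one '@' with
 * text on both sides, and no leading '-' (it would be parsed as an option). */
int addr_ok(const char *s) {
    size_t n = strlen(s);
    const char *at = strchr(s, '@');
    if (n == 0 || n > 254 || s[0] == '-' || strspn(s, ADDR_CHARS) != n) return 0;
    return at && at != s && at[1] != '\0' && !strchr(at + 1, '@');
}

/* Run argv[0] via execv() (no shell, no PATH lookup), write `in` to its stdin,
 * and return its exit status; -1 on a local failure. */
int run_with_stdin(char *const argv[], const char *in) {
    int fd[2], st;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                                  /* child */
        close(fd[1]);
        if (fd[0] != STDIN_FILENO && dup2(fd[0], STDIN_FILENO) < 0) _exit(127);
        if (fd[0] != STDIN_FILENO) close(fd[0]);
        execv(argv[0], argv);
        _exit(127);                                  /* exec failed */
    }
    close(fd[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);     /* get EPIPE, not a fatal signal */
    size_t left = strlen(in);
    while (left > 0) {
        ssize_t w = write(fd[1], in, left);
        if (w <= 0) break;
        in += w; left -= (size_t)w;
    }
    close(fd[1]);                                    /* EOF for the child */
    signal(SIGPIPE, old);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return (WEXITSTATUS(st) == 0 && left > 0) ? -1 : WEXITSTATUS(st);
}

/* Hypothetical wrapper: the address is one argv element after "--", never shell text. */
int send_mail(const char *to, const char *msg) {
    if (!addr_ok(to)) return -1;
    char *const argv[] = { "/usr/sbin/sendmail", "-i", "--", (char *)to, NULL };
    return run_with_stdin(argv, msg);
}
```

Any form field copied into the message headers passed as `msg` still needs its own check for CR and LF, since this sketch validates only the recipient argument.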
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:32:21 PDT