What you must remember when writing CGI: the client can give you anything. Never put the query string in some sort of "eval" call, because it can easily be exploited to execute evil code. Treat the query as if it is a live bomb. Don't just drop it into your environment. You must carefully take it apart, & by & (and remember to always cut the red wire, and never the green one).

Once you have taken the query apart, and have put all the names and values in their individual strings, you must then go to each string and decode the percent signs (%2A -> hex 2A, decimal 42 -> '*').
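Here is the take-it-apart procedure written out as an added example (it is not code from the original page): split on `&`, split each field on its first `=`, and only then percent-decode each name and value. The sample query string, the `percent_decode`/`parse_query`/`demo` names and the `example.invalid`-free constants are all constructed for the demo; the standard library's `parse_qs` is used only to cross-check the hand-rolled parser. Nothing from the client ever reaches `eval()`.

```python
"""Added example (not from the original page): taking a CGI query apart
by hand, the way the text describes, without ever calling eval().

The sample query string below is constructed for the demo.
"""
import os
from urllib.parse import parse_qs  # only used to cross-check the hand-rolled parser

HEXDIGITS = "0123456789abcdefABCDEF"


def percent_decode(s: str) -> str:
    """Turn %XX escapes into bytes and '+' into a space, then decode as UTF-8.

    Malformed escapes ('%zz', or a '%' too close to the end) are kept verbatim
    instead of raising, so a hostile client cannot crash the script with them.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "+":
            out.append(0x20)
            i += 1
        elif c == "%" and i + 2 < len(s) and s[i + 1] in HEXDIGITS and s[i + 2] in HEXDIGITS:
            out.append(int(s[i + 1 : i + 3], 16))
            i += 3
        else:
            out.extend(c.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_query(query: str) -> dict[str, list[str]]:
    """Split on '&' first, then each field on its first '=', and only THEN
    percent-decode each piece.  Decoding after splitting is what stops an
    encoded %26 ('&') or %3D ('=') inside a value from being mistaken for a
    field separator.  Repeated names collect into a list.
    """
    fields: dict[str, list[str]] = {}
    for pair in query.split("&"):
        if not pair:              # tolerate 'a=1&&b=2'
            continue
        name, sep, value = pair.partition("=")
        fields.setdefault(percent_decode(name), []).append(
            percent_decode(value) if sep else ""
        )
    return fields


# Constructed sample: a space, a literal '*', an encoded '&' and '=' hiding in a
# value, a name with no '=', an empty value, and a UTF-8 character.
SAMPLE_QUERY = "name=Bob%20Smith&op=%2A&data=a%26b%3Dc&flag&empty=&city=Z%C3%BCrich"


def demo(query: str = SAMPLE_QUERY) -> dict[str, list[str]]:
    """Parse the query and check that the hand-rolled result agrees with the
    standard library's parse_qs (blank values kept so the comparison is fair)."""
    parsed = parse_query(query)
    assert parsed == parse_qs(query, keep_blank_values=True)
    return parsed


if __name__ == "__main__":
    # A real CGI script reads the raw query from the environment; the sample
    # is the fallback so the script also runs from a plain shell.
    raw = os.environ.get("QUERY_STRING", SAMPLE_QUERY)
    for name, values in parse_query(raw).items():
        print(f"{name!r} -> {values!r}")
```

The order matters: decoding before splitting would turn `data=a%26b%3Dc` into three fields instead of one value, which is exactly the kind of trick the "live bomb" warning is about.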
Also, in a "comments" system, the comment can contain nasty little surprises (e.g. <img src="http://olsentwins.com/photogallery/images/120_small.jpg">). These profane comments are the reason that you must disallow many types of tags.
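One way to disallow the dangerous tags, as an added example that is not part of the original page: escape the whole comment so every `<` is shown as text, then restore only a short allow-list of bare formatting tags. The `sanitize_comment`/`contains_live_tag` names, the allow-list and the sample comment (with a made-up `example.invalid` image URL) are constructed for the demo.

```python
"""Added example (not from the original page): rendering a user comment so
that every tag the client sends is displayed as text rather than interpreted.

Everything is escaped first; only a tiny set of bare formatting tags is then
re-enabled, so a tag carrying attributes (src=, onmouseover=) can never get
through.  The sample comment is constructed for the demo.
"""
import html

# Exact tokens that may survive as markup.  Anything else, including an
# uppercase <B> or a <b class="x"> with attributes, stays escaped.
ALLOWED_BARE_TAGS = ("b", "i", "em", "strong")


def sanitize_comment(comment: str) -> str:
    """Escape the whole comment, then restore only the allowed bare tags."""
    safe = html.escape(comment, quote=True)
    for tag in ALLOWED_BARE_TAGS:
        safe = safe.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        safe = safe.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return safe


def contains_live_tag(rendered: str) -> bool:
    """True if any '<' in the rendered HTML opens something other than an
    allowed bare tag.  A belt-and-braces check to run before output."""
    allowed = {f"<{t}>" for t in ALLOWED_BARE_TAGS} | {f"</{t}>" for t in ALLOWED_BARE_TAGS}
    pos = 0
    while True:
        pos = rendered.find("<", pos)
        if pos == -1:
            return False
        end = rendered.find(">", pos)
        if end == -1 or rendered[pos:end + 1] not in allowed:
            return True
        pos = end + 1


# Constructed sample: a legitimate <b>, an image tag, a <b> with an attribute,
# an uppercase <B>, and an entity the user typed literally.
SAMPLE_COMMENT = (
    'Nice post, <b>really</b>! '
    '<img src="http://example.invalid/pic.jpg"> '
    '<b onmouseover="x()">bold?</b> <B>shout</B> &amp; done'
)


def demo(comment: str = SAMPLE_COMMENT) -> str:
    """Sanitize the sample and confirm nothing but allowed bare tags survive."""
    rendered = sanitize_comment(comment)
    assert not contains_live_tag(rendered)
    return rendered


if __name__ == "__main__":
    print(demo())
```

Escape-then-restore is deliberately stricter than trying to pick out bad tags with a regex: the `<img ...>` and the `<b onmouseover=...>` both remain as visible `&lt;...&gt;` text, while the plain `<b>really</b>` still renders bold. The stray `</b>` left over from the attribute-bearing open tag is harmless.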
Always beware the evil query.