What you must remember when writing CGI: the client can give you anything. Never put the query string in some sort of "eval" call, because it can be easily exploited to execute evil code. Treat the query as if it is a live bomb. Don't just drop it into your environment. You must carefully take it apart, & by & (and remember to always cut the red wire, and never the green one).
Once you have taken the query apart, and have put all the names and values in their individual strings, you must then go to each string and decode the percent signs (%2A is hex 2A, which is ASCII 42, the '*' character).
Also, in a "comments" system, the comment can contain nasty little surprises (e.g. <img src="http://olsentwins.com/photogallery/images/120_small.jpg">). These profane comments are the reason that you must disallow many types of tags.
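The two steps above, taking the query apart & by & and then percent-decoding each piece, plus the tag handling for comments, as an added example (not code from the original page). The query string and comment it parses are constructed; the tiny allowlist of `<b>` and `<i>` is an assumption about which tags a comments system might keep.

```python
import html
import re

HEX2 = re.compile(r'[0-9A-Fa-f]{2}')

def percent_decode(s: str) -> str:
    """Decode %XX escapes by hand; '+' is a space in form data.
    Bytes are collected first so multi-byte UTF-8 (e.g. %C3%A9) decodes correctly.
    A malformed escape such as '%zz' or a trailing '%' is kept literally, never guessed."""
    buf = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == '+':
            buf += b' '
            i += 1
        elif c == '%' and HEX2.fullmatch(s[i + 1:i + 3]):
            buf.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            buf += c.encode('utf-8')
            i += 1
    return buf.decode('utf-8', errors='replace')

def parse_query(qs: str) -> dict[str, list[str]]:
    """Split on '&', then each pair on its first '=', then percent-decode
    name and value separately. Repeated names are kept as a list.
    The results are plain data: they get compared, looked up and escaped,
    and are never handed to eval(), exec() or a shell."""
    params: dict[str, list[str]] = {}
    for pair in qs.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.setdefault(percent_decode(name), []).append(percent_decode(value))
    return params

# Constructed allowlist: only these bare tags (no attributes) survive in a comment.
ALLOWED_TAG = re.compile(r'&lt;(/?)(b|i)&gt;', re.IGNORECASE)

def sanitize_comment(text: str) -> str:
    """Escape everything so that <img ...>, <script> and friends render as inert text,
    then restore only the exact allowlisted forms from the escaped string."""
    escaped = html.escape(text, quote=True)
    return ALLOWED_TAG.sub(r'<\1\2>', escaped)
```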
Always beware the evil query.