Perl Security Considerations
Keeping Your System Safe

Programmers are often so focused on solving the problem at hand that they don't stop to consider the security implications of the applications they create. This is a particularly common problem in the web development community, where web applications are produced for use by the general public.

The first rule of safe web programming is simple: never trust data that comes from an outside source. This includes information submitted via web forms, data read from files or databases that any other program can modify, and values stored in browser cookies. Always assume the data you're working with could have been modified in some unintended manner. There's nothing stopping a malicious person from changing the length, type, or contents of data submitted to your scripts via HTTP POST or GET methods.

Always verify your data; if you're expecting a number, use a regular expression to strip the input of any other characters. If your program is sending an email, verify that the "TO" address is the intended recipient. Never use raw input as part of a file name you're going to read from or write to. Be extremely careful using system and exec calls that you construct on the fly.

This tutorial isn't designed to cover every conceivable threat a public-facing web application could face. For more information on secure programming in Perl, reference these resources:
The last chapter offers some links to resources that will help you continue your Perl programming education.
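
The four checks named above (numbers, the "TO" address, file names, and system calls), shown as an added Perl example that is not part of the original tutorial. The directory, the allowed addresses, the helper names and the sample form values are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed settings for this example (not from the tutorial).
my $DATA_DIR   = '/var/www/data';
my %ALLOWED_TO = map { $_ => 1 } ('support@example.com', 'sales@example.com');

# Expecting a number: strip every non-digit, then reject an empty result.
sub clean_number {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $digits = $raw) =~ s/[^0-9]//g;
    return length($digits) ? $digits : undef;
}

# "TO" address: accept only recipients the application already knows about.
sub clean_recipient {
    my ($raw) = @_;
    return undef unless defined $raw;
    my $addr = lc $raw;
    return $ALLOWED_TO{$addr} ? $addr : undef;
}

# File name: letters, digits, '_', '.', '-' only; no slashes, no leading dot.
# The raw input never reaches open(); only the captured match ($1) does.
sub clean_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return "$DATA_DIR/$1";
}

# system: the list form hands each argument directly to the program, so no
# shell ever interprets the value; '--' ends option parsing for wc.
sub count_lines {
    my ($path) = @_;
    return system('/usr/bin/wc', '-l', '--', $path) == 0;
}

# Constructed sample input, as it might arrive from a web form.
my %form = (qty => ' 12abc', to => 'stranger@example.net', file => '../notes.txt');

my $qty  = clean_number($form{qty});
my $to   = clean_recipient($form{to});
my $path = clean_filename($form{file});
printf "qty=%s to=%s path=%s\n",
    map { defined($_) ? $_ : 'REJECTED' } ($qty, $to, $path);
count_lines($path) if defined $path && -f $path;
```

Each helper returns undef for input it cannot accept, so the caller has to handle rejection explicitly rather than pass a partly cleaned value onward.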
All contents Copyright © 2007-2011 ClassHelper.org®. Please see our Privacy Policy.