CGI-Info
view release on metacpan or search on metacpan
my $info = CGI::Info->new();
my %params;
if($info->params()) {
%params = %{$info->params()};
}
# ...
foreach(keys %params) {
print "$_ => $params{$_}\n";
}
my $u = CGI::Untaint->new(%params);
use CGI::Info;
use CGI::IDS;
# ...
my $info = CGI::Info->new();
my $allowed = {
foo => qr/^\d*$/, # foo must be a number, or empty
bar => undef, # bar can be given and be any value
xyzzy => qr/^[\w\s-]+$/, # must be alphanumeric
# to prevent XSS, and non-empty
# as a sanity check
};
# or
$allowed = {
email => { type => 'string', matches => qr/^[^@]+@[^@]+\.[^@]+$/ }, # String, basic email format check
age => { type => 'integer', min => 0, max => 150 }, # Integer between 0 and 150
bio => { type => 'string', optional => 1 }, # String, optional
ip_address => { type => 'string', matches => qr/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/ }, #Basic IPv4 validation
};
my $paramsref = $info->params(allow => $allowed);
if(defined($paramsref)) {
my $ids = CGI::IDS->new();
$ids->set_scan_keys(scan_keys => 1);
if($ids->detect_attacks(request => $paramsref) > 0) {
die 'horribly';
}
}
If the request is an XML request (i.e. the content type of the POST is text/xml),
CGI::Info will put the request into the params element 'XML', thus:
use CGI::Info;
# ...
my $info = CGI::Info->new();
my $paramsref = $info->params(); # See BUGS below
my $xml = $$paramsref{'XML'};
# ... parse and process the XML request in $xml
Carp if logger is not set and we detect something serious.
Blocks some attacks,
such as SQL and XSS injections,
mustleak and directory traversals,
thus creating a primitive web application firewall (WAF).
Warning - this is an extra layer, not a replacement for your other security layers.
### Validation Subroutine Support
The `allow` parameter accepts subroutine references for dynamic validation,
enabling complex parameter checks beyond static regex patterns.
These callbacks:
- Receive three arguments: the parameter key, value and the `CGI::Info` instance
- Must return a true value to allow the parameter, false to reject
- Can access other parameters through the instance for contextual validation
Basic usage:
CGI::Info->new(
allow => {
# Simple value check
even_number => sub { ($_[1] % 2) == 0 },
# Context-aware validation
child_age => sub {
my ($key, $value, $info) = @_;
$info->param('is_parent') ? $value <= 18 : 0
}
}
);
Advanced features:
# Combine with regex validation
mixed_validation => {
email => qr/@/, # Regex check
promo_code => \&validate_promo_code # Subroutine check
}
# Throw custom exceptions
dangerous_param => sub {
die 'Hacking attempt!' if $_[1] =~ /DROP TABLE/;
return 1;
}
## param($field)
Get a single parameter from the query string.
Takes an optional single string parameter which is the argument to return. If
that parameter is not given param() is a wrapper to params() with no arguments.
use CGI::Info;
# ...
my $info = CGI::Info->new();
my $bar = $info->param('foo');
If the requested parameter isn't in the allowed list, an error message will
be thrown:
use CGI::Info;
my $allowed = {
foo => qr/\d+/
};
my $xyzzy = $info->params(allow => $allowed);
my $bar = $info->param('bar'); # Gives an error message
Returns undef if the requested parameter was not given
- $field
Optional field to be retrieved.
( run in 0.744 second using v1.01-cache-2.11-cpan-75ffa21a3d4 )