[Tutor] cgi FieldStorage __str__ problem - I think...
Roman Suzi
rnd at onego.ru
Wed Jun 20 09:17:02 EDT 2001
On Wed, 20 Jun 2001, Simon Brunning wrote:
>
> import cgi
>
> form = cgi.FieldStorage()
> formstrings = {}
> for formfield in form.keys():
>     formstrings[formfield] = form[formfield].value
> mailtext = mailtemplate % formstrings
>
> (I tried form.values() first, but the FieldStorage object doesn't seem to
> support it.)
>
> Not pretty, but it works. Much like myself, really.
>
> > Or maybe trying to do this with a single % call is a bit too cute.
>
> Yeah, but it would have been cool, no?
No. It's a security risk. Just ALWAYS check user inputs on
CGI or other places. Strip "../" and other things, depending
on what you do with your data. Etc.
Even if you are the only user of your CGI, make it a habit to
check input. It's a good habit.
And your mail template is exploitable, I guess, to spam the World,
because you direct user input into it, checking nothing.
Sincerely yours, Roman A.Suzi
--
- Petrozavodsk - Karelia - Russia - mailto:rnd at onego.ru -
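As an added illustration of the point Roman makes (not code from either poster), the snippet below shows the habit he recommends: every form field is checked against a whitelist before it goes anywhere near the `%` template, and fields that end up in mail headers are forbidden from containing line breaks, which is what would let a submission append its own recipient lines. The `cgi` module is left out so the example runs offline; the submissions, the template and the field names are constructed for this example.

```python
import re

# Whitelist of form fields the template may use, each with a validator.
# Header-bound fields (name, email) admit no CR/LF, so a submission cannot
# smuggle extra header lines into the generated message.  Any key not
# listed here (e.g. something carrying "../") is silently dropped.
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z0-9 .'\-]{1,60}"),
    "email": re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
    # Body may contain newlines and tabs, but no other control characters.
    "message": re.compile(r"[^\x00-\x08\x0b-\x1f\x7f]{1,2000}"),
}

# Hypothetical template; the recipient address is a placeholder.
MAIL_TEMPLATE = (
    "From: %(name)s <%(email)s>\n"
    "To: owner@example.invalid\n"
    "Subject: Web form submission\n"
    "\n"
    "%(message)s\n"
)


def validate_form(raw_fields):
    """Return a dict containing exactly the whitelisted fields.

    Unknown keys are dropped; a missing or malformed value raises ValueError
    so the caller never builds a message from unchecked data.
    """
    clean = {}
    for key, rule in FIELD_RULES.items():
        value = raw_fields.get(key)
        if value is None:
            raise ValueError("missing field: %s" % key)
        # Browsers submit textareas with CRLF; normalise before checking so a
        # legitimate multi-line body passes while a lone CR or LF in a header
        # field still fails its rule.
        value = value.replace("\r\n", "\n")
        # fullmatch (not match/search) so the whole value must satisfy the
        # rule; with '$' a trailing newline would slip through.
        if not rule.fullmatch(value):
            raise ValueError("malformed field: %s" % key)
        clean[key] = value
    return clean


def build_mail(raw_fields):
    """Validate the submission, then fill the template from the clean dict."""
    return MAIL_TEMPLATE % validate_form(raw_fields)


# Constructed sample submissions (what cgi.FieldStorage would have yielded).
GOOD_SUBMISSION = {
    "name": "Simon",
    "email": "simon@example.invalid",
    "message": "Hello,\r\nnice site.",
}
HEADER_INJECTION = dict(GOOD_SUBMISSION, name="Simon\nBcc: someone@example.invalid")


if __name__ == "__main__":
    print(build_mail(GOOD_SUBMISSION))
    try:
        build_mail(HEADER_INJECTION)
    except ValueError as exc:
        print("rejected:", exc)
```

The template is only ever filled from the dict that `validate_form` returns, so a field the template does not expect can never reach it, and a value that fails its rule stops the request before any mail is built.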