perl-asp mailing list archives

From Skylos the Doggie <>
Subject The Freakiest thing...
Date Fri, 09 Jan 2004 20:52:17 GMT
Okay, I've gotta bounce this off some other programmers who work with

This has been reported twice.


User loads signup form


User sees somebody else's credit card data - VERY VERY VERY BAD

Attempts by programmer to recreate:



I store the form data in a variable.  This is a my scoped variable in the
root file scope.

I then utilize this $frm variable in a subroutine that I call, without
passing the value.  Utilizing it as a global variable, for the file, at

The simplest case for example:

my $frm = $Request->Form();


sub Main {
  %>various html stuff
  <input type=text name="cc_number" value="<%=$frm->{'cc_number'}%>">
  more html stuff<%
}

Now what has happened, reportedly twice (probably many more times),
is that the Main() subroutine displays the cc_number that was entered

The question is: is it at all possible that some other session (perhaps
within the same apache process) acquired some other value of $frm through
the persistent-across-page-loads value of $frm within Main?  I think you
programmers can understand what I'm asking, though it seems muddled even
as I try to type it.

As I understood it, a file 'my' scoped variable would NOT be persisted
anywhere, but is considered global within subroutines in the same file.

Maybe I'm wrong.  I know that it's ugly what I did there, and I have
revised my code to pass the $frm variable from the file scope to the
subroutine.  Much prettier.

Your thoughts?


- The best part about the internet is nobody knows you're a dog.
  (Peter Steiner, The New Yorker, July 5, 1993)
- Dogs like... TRUCKS!  (Nissan commercial, 1996)
- PGP key:
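
Added example, not part of the original message: the behaviour asked about above can be reproduced in plain Perl, next to the revised form that passes the value in. It assumes the page body is compiled into one handler subroutine that a persistent interpreter calls once per request, so the file-scope "my $frm" becomes a lexical of that handler; handler_shared, handler_passed, Main_passed and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;   # at compile time perl reports: Variable "$frm" will not stay shared

# Stand-in for a compiled page (assumption: the script body is wrapped in one
# sub that is called once per request by a long-lived interpreter process).
sub handler_shared {
    my ($form) = @_;
    my $frm = $form;    # a fresh lexical on every request

    # A named sub is compiled once. Main() binds to the $frm that existed
    # during the FIRST call of handler_shared() and keeps reading that one.
    sub Main { return "cc_number=" . ($frm->{cc_number} // '') }

    return Main();
}

# Revised form: the value is passed in as an argument, nothing is captured.
sub handler_passed {
    my ($form) = @_;
    return Main_passed($form);
}

sub Main_passed {
    my ($frm) = @_;
    return "cc_number=" . ($frm->{cc_number} // '');
}

# Constructed sample requests (a well-known test card number, not real data).
my @requests = (
    { user => 'alice', cc_number => '4111111111111111' },   # submits the form
    { user => 'bob',   cc_number => '' },                   # only loads the form
);

for my $req (@requests) {
    printf "%-5s shared: %-27s passed: %s\n",
        $req->{user}, handler_shared($req), handler_passed($req);
}
```

In the "shared" column the second request shows the first request's cc_number, while the "passed" column stays empty for it.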
