perl-asp mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Skylos the Doggie <sky...@doglover.com>
Subject The Freakiest thing...
Date Fri, 09 Jan 2004 20:52:17 GMT
Okay, I've gotta bounce this off some other programmers who work with
Apache::ASP.

This has been reported twice.

Procedure:

User loads signup form

Result:

User sees somebody else's credit card data - VERY VERY VERY BAD

Attempts by programmer to recreate:

Fruitless.

Thoughts:

I store the form data in a variable.  This is a my scoped variable in the
root file scope.

I then utilize this $frm variable in a subroutine that I call, without
passing the value.  Utilizing it as a global variable, for the file, at
least.

The simplest case for example:

---index.asp---
<%@Language=PerlScript%>
<%
my $frm = $Request->Form();

Main(%Results);

sub Main {
  %>various html stuff
  <input type=text name="cc_number" value="<%=$frm->{'cc_number'}%>">
  more html stuff%>
}
%>
---index.asp---

Now what has happened, reportedly twice (probably many more times),
is that the Main() subroutine displays the cc_number that was entered
BY A DIFFERENT SESSION!

The question is.  Is it at all possible that some other session (perhaps
within the same apache process) acquired some other value of $frm through
the persistant-across-page-loads value of $frm within Main?  I think you
programmers can understand what I'm asking, though it seems muddled even
as I try to type it.

As I understood it, a file 'my' scoped variable would NOT be persisted
anywhere, but is considered global within subroutines in the same file.

Maybe I'm wrong.  I know that its ugly what I did there, and I have
revised my code to pass the $frm variable from the file scope to the
subroutine.  Much prettier.

Your thoughts?

Skylos

- skylos@doglover.com
- The best part about the internet is nobody knows you're a dog.
  (Peter Stiener, The New Yorker, July 5, 1993)
- Dogs like... TRUCKS!  (Nissan commercial, 1996)
- PGP key: http://dogpawz.com/skylos/mykey.asc

---------------------------------------------------------------------
To unsubscribe, e-mail: asp-unsubscribe@perl.apache.org
For additional commands, e-mail: asp-help@perl.apache.org


Mime
View raw message