Hi All,

I'm a long-time C coder and really enjoy the power and control that you have over input data and strings in C. I've recently started into the CGI/perl stuff, and since it's a bit new I don't feel completely comfortable with the string parsing, storage, etc. that it offers. In particular, I am writing a script which takes POST data and puts it into a customer database of orders. Obviously this needs to be secure.

My question is:

Is there a way, on the TCH servers, for me to receive the POST data via a CGI script, pass that off to a C program (which I am more comfortable writing secure code for) where I can process, verify and prepare the data, and then either having the C code write the appropriate data to a mySQL database, or having the C program call a CGI program which can do the actual inserting?

Thanks for any suggestions!
<!--content-->
Hi! Welcome to the group!

I'm a member here, but I've done some C stuff in my past. However, I have to say that I find programs easier to crank out in perl than C by far.

Personally I'm wondering why you think C code is more secure than perl? Is it the uncompiled/text thing that bothers you?

See you around!
<!--content-->
>>Personally I'm wondering why you think C code is more secure than perl? Is it the uncompiled/text thing that bothers you?

Thanks for the reply.

Actually, I am referring to handling potentially invalid requests. For example, if a user is able to locate the "non-advertised" URL for this posting script, and then they start posting invalid data in hopes of exploiting the system and inserting their own orders... I feel that I am able to handle those situations and detect those attempts much better in C.

It comes down to the fact that I don't feel that I have enough experience in Perl to fully ensure that I am not allowing some vulnerability in the code for an attacker to exploit (i.e., overflows, and anything else that Perl may need checked). In C I can account for most every possibility.

And, of course, when a script deals with inserting order information to a database, it is extremely important that these vulnerabilities don't exist.
<!--content-->
I run a shopping cart, created in Perl.

Yes, there are vulnerabilities, but they are the same, I believe, with many languages. I can understand that you feel more comfortable with C, and catching those issues there would be more comfortable.

It might help to know more about what you are doing. This might narrow down the issues that you could encounter.

I know that Linux does support a GNU compiler, but I'm not sure if you need root access to get to it.
<!--content-->
TCH-Bruce to the rescue! Bruce left!
<!--content-->
>>It might help to know more about what you are doing. This might narrow down the issues that you could encounter.

My eCommerce provider posts XML data to my web server. For purposes of the example, let's say it provides fields as follows:

ORDER table contains fields SECRET, NAME, EMAIL, and ORDERID. Then, we have a DETAIL table which specifies each SKU that they ordered, with fields of SKU, DESCRIPTION and QTY.

The SECRET field is intended to be used to verify the poster (i.e., basically a password).

Then, upon receiving and verifying the information, I want to post it to a mySQL database. I am encoding both a username and password into the SECRET field, so that I don't have to locally store the mySQL database password in the script.
<!--content-->
Well, I'm just a Mod not staff so I don't have shell access either. But if you open a Help Desk ticket I'm sure they would be able to tell you if they could compile something for you.

I use Perl myself.
<!--content-->
May I suggest that you look into PHP as an alternative? I'm not a long-time C programmer by any means, but I have done enough to feel that PHP is very similar in syntax and rules. It runs on the servers here, and I'll bet you can do what you want with it.

Check it out at <a href="http://www.php.net/manual/en/" target="_blank">the PHP manual page</a>
<!--content-->
I'll second the PHP suggestion. I'm a long-time coder too and I felt at home with PHP right away.
<!--content-->
I've looked at PHP, and it does seem to be quite like C. Does anyone know how to do a regex which allows me to find tags like <ORDER>......</ORDER> but *not* if they include another <ORDER> tag within them?

For example, there may be one or more <ORDER>...</ORDER> tags in a string, and the way I have it searching now is:

$num_matches = preg_match_all("/<OrderLines>(.*)<\/OrderLines>/",$raw_post,$matches);

But, this appears to find the broadest match, and hence returns 1 all the time even if two of these tags exist.

I'm guessing I need something in the place of (.*) which will exclude the string "<OrderLines>" in any matching, but I'm not sure how to do that.

Any suggestions?

Thanks!
<!--content-->
Never mind, figured the above question out.
<!--content-->
Glad you could make it

Do keep in mind that PHP supports two types of regular expressions, POSIX Regular Expressions and the more powerful Perl Compatible Regular Expressions (PCRE), but their syntax is not compatible.

By the way, can you tell us how you solved the problem? It might be useful for others who find themselves in the same situation
<!--content-->
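The greedy-match question asked in the thread, as an added example that is not code from any poster here: it compares the posted greedy pattern with a lazy and a tempered one (the `/s` modifier is added so `.` also matches newlines) and shows a DOM-based parse as the stricter option for untrusted POST data. The sample bodies and the SKU/QTY child elements are constructed assumptions, not the provider's format.

```php
<?php
// Constructed sample bodies (assumed layout, not real provider data).
$two_blocks = '<Order><OrderLines><SKU>A1</SKU><QTY>2</QTY></OrderLines>'
            . '<OrderLines><SKU>B7</SKU><QTY>1</QTY></OrderLines></Order>';
$unclosed   = '<Order><OrderLines><SKU>A1</SKU><OrderLines><SKU>B7</SKU>'
            . '<QTY>1</QTY></OrderLines></Order>';
$greedy   = '/<OrderLines>(.*)<\/OrderLines>/s';   // longest match: first open tag to last close tag
$lazy     = '/<OrderLines>(.*?)<\/OrderLines>/s';  // shortest match, but can swallow a stray open tag
$tempered = '/<OrderLines>((?:(?!<OrderLines>).)*?)<\/OrderLines>/s'; // body may not contain an open tag

// Return the captured block bodies for a pattern.
function blocks(string $pattern, string $xml): array
{
    if (preg_match_all($pattern, $xml, $m) === false) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $m[1];
}

// Stricter alternative for untrusted POST data: a real XML parser.
function parse_order_lines(string $xml): array
{
    // Reject DTDs outright: they are what enables entity-expansion tricks.
    if ($xml === '' || stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('empty body or DOCTYPE present');
    }
    $prev = libxml_use_internal_errors(true);  // collect parse errors instead of emitting warnings
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($xml, LIBXML_NONET); // LIBXML_NONET: no network access while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new InvalidArgumentException('malformed XML');
    }
    $lines = [];
    foreach ($doc->getElementsByTagName('OrderLines') as $el) {
        $sku = $el->getElementsByTagName('SKU')->item(0);
        $qty = $el->getElementsByTagName('QTY')->item(0);
        if ($sku === null || $qty === null || !ctype_digit($qty->textContent)) {
            throw new InvalidArgumentException('OrderLines needs SKU and numeric QTY');
        }
        $lines[] = ['sku' => $sku->textContent, 'qty' => (int) $qty->textContent];
    }
    return $lines;
}
printf("greedy: %d, lazy: %d\n", count(blocks($greedy, $two_blocks)), count(blocks($lazy, $two_blocks)));
print_r(blocks($lazy, $unclosed));      // one body that still contains "<OrderLines>"
print_r(blocks($tempered, $unclosed));  // one body: only the innermost complete block
print_r(parse_order_lines($two_blocks));
try { parse_order_lines($unclosed); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

On the unclosed sample both regexes still return a match, while the parser rejects the whole body, which is the safer outcome when the result feeds an order database.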