Reference for unit 'pwumain' (#powtils_main)
Source position: pwumain.pas line 65
function GetCgiVar(
  const name: String
):String;
var tmp: string;
begin
  tmp:= GetCgiVar('var'); // retrieves url variable
  webwrite(tmp);          // web browser says hi
end.
In early versions of Powtils, GetCgiVar deletes malicious characters by default, so that web programmers do not make horrible security mistakes in a live system. In later versions of Powtils (1.6.1), it replaces bad characters with zeros so that these malicious attempts are easier to spot (say you create a file0000withbad000chars.). The zeros make it more obvious in web log files that someone was trying to hack your server, and inserting these placeholder zeros also preserves the length of the string.
However, if you wish to allow special (and often malicious) characters in, you can bypass security by using the GetCgiVar_S function. The _S stands for 'specify security'. The _S suffix and the zero parameter remind you that you are using a function with zero security (this especially jumps out at multiple developers checking each other's code). You should then filter the data manually yourself, since it is raw and insecure.
var tmp: string;
begin
  tmp:= GetCgiVar_S('var', 0); // specify no security, the _S stands out
  webwrite(tmp);               // prints BOLD input and is prone to insecure HTML injection
end.
var tmp: string;
begin
  tmp:= GetCgiVar_S('var', 0); // specify no security
  tmp:= FilterHtml(tmp);       // do filtering
  webwrite(tmp);               // prints <b>input</b> with html entities, not actual bold text
end.
function JohnsCustomFilter(s: string): string;
begin
  // do your custom security filtering here
  result:= ...;
end;

var tmp: string;
begin
  tmp:= GetCgiVar_S('var', 0);  // specify no security
  tmp:= JohnsCustomFilter(tmp); // your own filtering
  webwrite(tmp);                // print input based on how you filtered it
end.
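As an added example that is not part of Powtils, the following stand-alone Free Pascal program shows two custom filters of the kind you would plug in behind GetCgiVar_S: a length-preserving zeroing filter in the spirit of the default GetCgiVar behaviour described above, and an HTML entity encoder in the spirit of FilterHtml. The allow-list of "good" characters and the constructed sample input are assumptions made for this example, not Powtils' own rules.

```pascal
program CustomFilterDemo;
{$mode objfpc}{$H+}

// Length-preserving sanitizer: every character outside an allow-list becomes
// '0', so the mangled value stays the same length and stands out in logs.
// The allow-list is an assumption for this example, not Powtils' own list.
function ZeroBadChars(const s: string): string;
var i: Integer;
begin
  Result := s;
  for i := 1 to Length(s) do
    if not (s[i] in ['A'..'Z', 'a'..'z', '0'..'9', ' ', '.', '_', '-']) then
      Result[i] := '0';
end;

// HTML entity encoder: markup in raw input is shown literally by the browser
// instead of being interpreted, the same idea as FilterHtml above.
function EncodeHtml(const s: string): string;
var i: Integer;
begin
  Result := '';
  for i := 1 to Length(s) do
    case s[i] of
      '<':  Result := Result + '&lt;';
      '>':  Result := Result + '&gt;';
      '&':  Result := Result + '&amp;';
      '"':  Result := Result + '&quot;';
      '''': Result := Result + '&#39;';
    else
      Result := Result + s[i];
    end;
end;

var raw: string;
begin
  // Constructed sample standing in for the raw output of GetCgiVar_S('var', 0).
  raw := 'file<script>with/bad\chars';
  writeln(ZeroBadChars(raw));
  writeln(EncodeHtml(raw));
  // The zeroing filter must never change the length of its input.
  if Length(ZeroBadChars(raw)) <> Length(raw) then Halt(1);
end.
```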