


Reference for unit 'pwumain' (#powtils_main)

GetCgiVar_S

Declaration

Source position: pwumain.pas line 66

function GetCgiVar_S(
  const name: String;
  const SecureLevel: Integer
): String;

Notes

Similar to the GetCgiVar function, but this one lets you escape security and get a URL/POST/GET variable as raw, unfiltered text. To escape security, pass zero (0) as the second parameter, SecureLevel.

The _S suffix stands for "specify security". The underscore, the S and the zero were purposely chosen to jump out and alarm anyone reading the code.

You should filter or check the data yourself after calling this function, for example with the FilterHtml function or a custom filter of your own.

Example

Pretend you visit a page:
 http://site.com/cgi-bin/test.cgi?var=<b>hi</b>
Note that somebody has inserted bold <b> tags into your URL! This could be dangerous, since: However, sometimes this raw data is needed, for example to allow punctuation through, and that is why you can escape security when required.
program test;

uses
  pwumain; // Powtils main unit, provides GetCgiVar_S and WebWrite

var
  tmp: string;
begin
  tmp := GetCgiVar_S('var', 0);   // SecureLevel 0: no filtering applied
  WebWrite(tmp);                  // prints "hi" in bold: unfiltered, insecure, raw data
end.
Using your own filtering:
program test;

uses
  pwumain; // Powtils main unit, provides GetCgiVar_S and WebWrite

// YourFilter is a placeholder for your own filtering routine; it must take
// a var parameter so that the cleaned value is written back into tmp.
procedure YourFilter(var s: string);
begin
  // your filtering logic goes here
end;

var
  tmp: string;
begin
  tmp := GetCgiVar_S('var', 0);   // raw, unfiltered value
  YourFilter(tmp);                // this is your security
  WebWrite(tmp);                  // output only what your filter allowed through
end.
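As an added illustration of what "your custom one" might look like (this is not Powtils code and does not use Powtils' FilterHtml), the program below defines a minimal HtmlEscape routine that turns HTML-significant characters into entities, and runs it on a constructed string standing in for the raw value GetCgiVar_S('var', 0) would return for the URL above. It needs no CGI environment, only Free Pascal, and prints to standard output instead of calling WebWrite:

```pascal
program HtmlEscapeDemo;
{$mode objfpc}{$H+}

// Escape the five characters that let text break out of an HTML context.
// Everything else, including punctuation, passes through unchanged, which
// is the case the page gives for wanting raw data in the first place.
function HtmlEscape(const s: string): string;
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(s) do
    case s[i] of
      '&':  Result := Result + '&amp;';
      '<':  Result := Result + '&lt;';
      '>':  Result := Result + '&gt;';
      '"':  Result := Result + '&quot;';
      '''': Result := Result + '&#39;';
    else
      Result := Result + s[i];
    end;
end;

var
  raw, safe: string;
begin
  // Constructed stand-in for GetCgiVar_S('var', 0) with ?var=<b>hi</b>
  raw := '<b>hi</b>';
  safe := HtmlEscape(raw);

  WriteLn('raw : ', raw);    // <b>hi</b>        would render as bold "hi"
  WriteLn('safe: ', safe);   // &lt;b&gt;hi&lt;/b&gt;  renders as the literal text
end.
```

The same function can be dropped into the "Using your own filtering" example in place of YourFilter (as `tmp := HtmlEscape(tmp);`), so that whatever was passed in the URL is shown as text rather than interpreted by the browser.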