#1, 12-15-2005, Just Joined! (Canada, Halifax)
apache cgi script /dev/stdin
I'm writing a number of CGI scripts and applications that use /dev/stdin to pipe their input from an html form using the post method. I'm under the impression that since post uses stdin instead of an environment variable it can handle data streams more efficiently than the get method.
Are there any known buffer over-runs, exploits, or other liabilities that I should be aware of when using this method (not including whatever my scripts and apps are up to of course)? Any advice will be much appreciated.
#2, 01-24-2006, Linux Newbie
Get and Post
The main difference between the two is that GET can only supply a small amount of information, sometimes only 256 bytes, whereas POST is unlimited unless you set a limit.

The main thing to keep in mind is that you can't trust any information supplied by a user. If you ask for an email address, your script must check that it is only an email address and not an email address followed by a command to email the server's password file. If you ask for some text then you need to consider what to do if that text contains HTML or JavaScript. Most script language manuals have a chapter on security - read it carefully. Don't keep any essential information in hidden fields in your html forms. Hidden fields aren't displayed, but they can be altered.
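The two points raised in this thread, reading a POST body from stdin without over-running a buffer and refusing anything that is not a plain email address, as an added C example (not code from either poster). It assumes the standard CGI CONTENT_LENGTH variable, picks a 64 KiB cap for the body, and uses POSIX fmemopen only so the same code path can be exercised on an in-memory body instead of the real stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_POST_BYTES 65536L   /* cap chosen for this example; tune per application */

/* Parse CONTENT_LENGTH strictly: digits only, not above cap; -1 on anything else. */
long parse_content_length(const char *s, long cap) {
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0])) return -1;  /* also rejects "", "-1" */
    errno = 0;
    long n = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || n > cap) return -1;
    return n;
}

/* Read exactly `want` bytes into buf (bufsize includes the NUL); never over-read either side. */
long read_post_body(FILE *in, long want, char *buf, size_t bufsize) {
    if (want < 0 || (size_t)want >= bufsize) return -1;
    size_t got = fread(buf, 1, (size_t)want, in);
    if (got != (size_t)want) return -1;   /* client sent less than it claimed: reject */
    buf[got] = '\0';
    return (long)got;
}

/* Whitelist check: one '@', non-empty local part, dotted domain, only [A-Za-z0-9.+_-]; anything else fails. */
int is_plain_email(const char *s) {
    long at = -1, i;
    if (s == NULL) return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { if (at >= 0) return 0; at = i; continue; }
        if (!isalnum(c) && c != '.' && c != '+' && c != '_' && c != '-') return 0;
    }
    return at > 0 && s[at + 1] != '\0' && strchr(s + at + 1, '.') != NULL;
}

/* Same flow a CGI runs on stdin with getenv("CONTENT_LENGTH"), fed an in-memory body via fmemopen. */
long read_body_from_string(const char *body, const char *content_length) {
    static char buf[MAX_POST_BYTES + 1];
    long want = parse_content_length(content_length, MAX_POST_BYTES);
    if (want < 0) return -1;
    FILE *in = fmemopen((void *)body, strlen(body), "r");
    if (in == NULL) return -1;
    long n = read_post_body(in, want, buf, sizeof buf);
    fclose(in);
    return n;
}
```

In a real script, replace the fmemopen stream with stdin and the constructed body with the bytes the web server pipes in; a body shorter than CONTENT_LENGTH is rejected rather than waited on, so a slow or lying client cannot hang the script.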