Simple security script baffling...


Hello all.  I'm trying to secure my script using $ENV
and it keeps coming up blank.  It's strange:
The customer actually comes from and I wanted to test this
url for ENV in order to let the person gain access to
create a new account. I decided to just try using my own server instead
but I get nothing in this ENV variable.

Here is the code:

    if ($origin =~ m#^ /#) {
        print "Content-type: text/html\n\n";
        print "<H1>Unauthorized Access</H1><br>";
        print $origin . "\n\n";
    }
    print $true;

The $origin variable yields NOTHING at all! Can someone please explain the
problem here?

How else can I prevent someone from accessing my script without paying?


Scot King

Re: Simple security script baffling... wrote:



There is no problem. The HTTP_REFERER variable is optional - user agents
are not required to provide one. Nor, if one happens to be provided, do
you have any way to verify its accuracy.

The problem would have been if you had developed a false sense of
security from using such an unreliable mechanism.


When an account is paid for, create a login and password. Configure your
server to use "HTTP basic authorization" (Google for it), and refuse
access to anyone not logged in.


Cocoa programming in Perl:
Hire me! My resume:

Re: Simple security script baffling...


Thanks for your input.  However, the problem is, what you're saying to
do (i.e. let them create a user name and password) is exactly what I do
after they come from the PayPal website.  They have to sign up for an
account, and that's part of the sign-up process. They choose a user
name and password.  I use a htta password protected subdirectory for
all of their info.

I need to only authorize a link from my server to operate the program,
and anyone who tries otherwise gets an error message.

How do I do this, before invoking the program that allows them to
create their account?  Do I have to let them create just a user name
password first?  This is not the procedure I use on my site. My program
prompts them to enter a username, password, company info, etc.  It's
this program that needs protecting.

Re: Simple security script baffling... wrote:

As others have told you: Bad idea!


PayPal provides tools for automatically creating a username/password
pair (basic authentication) when somebody has made a subscription
payment. I'm using it for just that purpose: access to a script (see ).

Gunnar Hjalmarsson

Re: Simple security script baffling...

Where are these tools on PayPal?  I looked all over.  Do I provide
these username/password pairs to PayPal?  If not, how else am I
supposed to verify if they are valid on my site?

Re: Simple security script baffling...

I found it!

Re: Simple security script baffling...


It's a very bad idea to rely on HTTP_REFERER as it is easy to forge, or
may be disabled at the client end or stripped off by proxy servers.


Exactly.  It may or may not be set.  And if it is set, you can't guarantee
the contents are valid.


Set up one of the many authentication methods.  However, none of this is
relevant to Perl (unless you choose to implement your authentication via a
Perl script).
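The difference the replies describe, as an added example that is not code from any of the posts: the same constructed requests are run through a Referer check and through a check on the login the web server has already verified. It assumes the sign-up script sits in a directory the server protects with HTTP basic authentication; the payment URL prefix and the usernames are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Placeholder prefix; the thread does not show the real payment-site URL.
my $PAYMENT_PREFIX = 'https://payments.example/';

# Gate 1: the approach from the question. It trusts HTTP_REFERER, a header
# the client chooses to send (or not) and whose value the client controls.
sub referer_gate {
    my ($env) = @_;
    my $origin = $env->{HTTP_REFERER} // '';
    return index($origin, $PAYMENT_PREFIX) == 0 ? 'allow' : 'deny';
}

# Gate 2: the approach from the replies. REMOTE_USER and AUTH_TYPE are set
# by the web server only after it has checked the login itself, so a request
# that arrives without them is refused.
sub auth_gate {
    my ($env) = @_;
    return 'deny' unless ($env->{AUTH_TYPE} // '') =~ /^Basic$/i;
    my $user = $env->{REMOTE_USER} // '';
    return $user =~ /^[A-Za-z0-9_.-]{1,32}$/ ? 'allow' : 'deny';
}

# Constructed CGI environments (not captured traffic): label, paid?, %ENV.
my @requests = (
    [ 'paid, no Referer sent', 1,
      { REMOTE_USER => 'cust1001', AUTH_TYPE => 'Basic' } ],
    [ 'unpaid, client-supplied Referer', 0,
      { HTTP_REFERER => $PAYMENT_PREFIX . 'done' } ],
    [ 'paid, Referer present', 1,
      { HTTP_REFERER => $PAYMENT_PREFIX . 'done',
        REMOTE_USER  => 'cust1002', AUTH_TYPE => 'Basic' } ],
    [ 'unpaid, no headers at all', 0, {} ],
);

printf "%-34s %-8s %-6s %s\n", 'request', 'referer', 'auth', 'correct';
for my $r (@requests) {
    my ($label, $paid, $env) = @$r;
    printf "%-34s %-8s %-6s %s\n", $label,
        referer_gate($env), auth_gate($env), $paid ? 'allow' : 'deny';
}
```

The Referer gate gets the first two rows wrong (a paying customer is turned away and an unpaid request is admitted), while the server-authenticated gate matches the "correct" column in every row.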
