CGI/Perl Guide | Learning Center | Forums | Advertise | Login Site Search: in Perl Guide PerlGuru Forums Learning Ctr

	MAIN INDEX	SEARCH POSTS	WHO'S ONLINE	LOG IN

Home: Perl Programming Help: Intermediate: Cannot Call OSQL from Perl/CGI with Taint Check

jaychan New User Aug 28, 2013, 11:16 AM Post #1 of 3 (1673 views) Cannot Call OSQL from Perl/CGI with Taint Check Can't Post I find that I cannot call OSQL from a CGI script that is written in Perl. I have many CGI scripts in Perl. Those Perl scripts use system() function to call OSQL.EXE (that is a command line interface of Microsoft SQL Server). For security reason, I turn ON the taint check mode in Perl. They have been working trouble free for many years. Recently, I need to install Apache/Perl in a Windows 2003 Server that is in 64-bit. Because the server is in 64-bit, I am forced to upgrade Perl from the tried-and-true 5.6.1 to the new 5.12.3.0. That was when the problem starts. I find that the Perl/CGI script cannot use system() function to call OSQL.EXE. The call fails. I have tracked down the problem has to do with taint-check and the $ENV{PATH}: 1. If I run a Perl script (not a CGI) from command line, it has no problem calling OSQL.EXE. 2. If I run a Perl/CGI script in taint check mode, and ask it to call a DOS command like "ECHO" and I specify "C:\Windows\System32" in $ENV{PATH}, it has no problem doing this. 3. If I run a Perl/CGI script without taint check, and ask it to call OSQL.EXE, it has no problem doing this, and I don't need to touch the $ENV{PATH}. 4. However, if I run the same Perl/CGI script with the taint check mode turned ON, and ask it to call OSQL.EXE, it will fail regardless how I set the $ENV{PATH}. I have tried various combinations of the following two paths, none work: C:\Windows\System32 C:\Program Files (x86)\Microsoft SQL Server I have tried only the Sys32 path. I have tried only the SQL path. I have tried no path. And I have tried having both paths in $ENV{PATH}. None work. I believe the problem has to do with the use of system() function to call OSQL.EXE requires the access of two folders (Sys32 folder for system() and SQL folder for OSQL.EXE) in taint check mode. But the $ENV{PATH} only allows one single path in taint check mode. I don't understand why the script works fine in the older version of Perl, but not in the new version. I remember I had the same problem when I tried to upgrade to 5.8.0, and I was forced to downgrade back to 5.6.1. Now, I cannot put it off for another day any more. The only workaround that I know of is to turn OFF the taint check mode. But I don't like this because those Perl/CGI scripts may be used outside the company in the future (they run in intranet for now). Attached please find a Perl/CGI script that tries to use system() function to call OSQL.EXE in taint check mode. It tries to do this with both Sys32 folder and SQL folder in $ENV{PATH}. Unfortunately, it doesn't work. Would you please tell me if there is a solution to this problem? Thanks in advance. Jay Chan

jaychan New User Aug 28, 2013, 12:43 PM Post #2 of 3 (1670 views) Re: [jaychan] Cannot Call OSQL from Perl/CGI with Taint Check [In reply to] Can't Post I think I find out the solution. The path to OSQL.EXE has to be very specific. This means instead of this: C:\Program Files (x86)\Microsoft SQL Server The path has to be this: C:\Program Files (x86)\Microsoft SQL Server\80\Tools\Binn It has to get down to the folder where OSQL.EXE file is stored. I am glad that this is fixed. Jay Chan

jaychan New User Aug 28, 2013, 1:07 PM Post #3 of 3 (1666 views) Re: [jaychan] Cannot Call OSQL from Perl/CGI with Taint Check [In reply to] Can't Post I still don't understand why the Perl/CGI scripts have been working for so many years in the older version of Perl without setting $ENV{PATH} to the SQL\Bin folder. But I just have to apply the fix to all the Perl/CGI scripts. Jay Chan

Announcements     PerlGuru Announcements Perl Programming Help     Frequently Asked Questions     Beginner     Intermediate     Advanced     Regular Expressions     mod_perl     DBI     Win32 Programming Help Fun With Perl     Perl Quizzes - Learn Perl the Fun Way     Perl Golf     Perl Poetry Need a Custom or Prewritten Perl Program?     I need a program that...     I Need a Programmer for Freelance Work     Throw Down The Gauntlet General Discussions     General Questions     Feedback     Tutorial/Article Suggestions for The Learning Cent     Internet Security Other Programming Languages     Javascript     PHP

Search this forum this category all forums for All words Any words Whole Phrase (options)

Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives