How do I do basic CGI file security?
Posted on 2002-06-23
I would like to write CGI files that can be called from server-side (PHP) code in my site's Web pages, but that cannot be browsed to by the remote user's browser or by Web pages the remote user might write.
The problem I'm trying to solve is illustrated by this example:
Let's say I want to write '/cgi-bin/counter.pl', a hit counter. It will access data file 'count.dat' also located in the cgi-bin dir. I want to increment the hit count by calling counter.pl from PHP (server-side) code in my home page (possibly sending GET or POST arguments to counter.pl), but I don't want the remote user to be able to call counter.pl and mess up the count.
That is, I want counter.pl to be callable from my Web site but not from anyone else's Web site.
Normally, of course, the user can browse to any CGI file. This will execute or interpret the file and send its output back to the user's browser. I would like this default behavior to continue for all CGI files except counter.pl.
I'm sure I'm missing something very basic indeed. It would be wonderful if someone could enlighten me, or point me to a good tutorial.
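
One way to meet the requirement described in the post, as an added example that is not part of the original question: a `counter.pl` that only increments `count.dat` when the request's peer address is loopback. It assumes the PHP page calls the script over HTTP from the same host (for example via `http://127.0.0.1/cgi-bin/counter.pl`) and that the web server runs CGI scripts with the script's directory as the working directory; the helper names `is_local_caller` and `increment_count` are hypothetical.

```perl
#!/usr/bin/perl
# counter.pl - added example, not code from the original post.
# Assumption: legitimate calls come from PHP on the same host, so the
# TCP peer address the server reports in REMOTE_ADDR is loopback.
use strict;
use warnings;
use Fcntl qw(:flock :seek O_RDWR O_CREAT);

my $COUNT_FILE = './count.dat';   # data file named in the post

# True only when the server-reported peer address is loopback.
# REMOTE_ADDR is set by the web server from the connection itself;
# HTTP_REFERER is a client-supplied header and is not used here.
sub is_local_caller {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return ($addr eq '127.0.0.1' || $addr eq '::1') ? 1 : 0;
}

# Read, increment and rewrite the counter under an exclusive lock so
# that concurrent page loads cannot corrupt or lose counts.
sub increment_count {
    my ($path) = @_;
    sysopen(my $fh, $path, O_RDWR | O_CREAT, 0600) or die "open $path: $!";
    flock($fh, LOCK_EX)                            or die "lock $path: $!";
    my $line  = <$fh>;
    my $count = (defined $line && $line =~ /^(\d+)/) ? $1 : 0;
    $count++;
    seek($fh, 0, SEEK_SET) or die "seek $path: $!";
    truncate($fh, 0)       or die "truncate $path: $!";
    print {$fh} "$count\n";
    close($fh)             or die "close $path: $!";   # also releases the lock
    return $count;
}

# Refuse every caller that is not the local server-side code.
unless (is_local_caller($ENV{REMOTE_ADDR})) {
    print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n";
    exit 0;
}

my $count = increment_count($COUNT_FILE);
print "Content-Type: text/plain\r\n\r\n$count\n";
```

If a reverse proxy on the same machine fronts the site, every request reaches the script from loopback and this check no longer distinguishes callers; in that setup the restriction has to be enforced at the proxy or by keeping the script outside the web-accessible tree.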