elviajero — 2010-03-19T10:42:51-04:00 — #1
Hi webmasters, I've been searching the web about security of source code in Perl scripts and SHTML files (server side includes). How safe is the code? I don't want people looking into my code.
My concern comes from this: On PHP, the file itself (".php") has the source code; it is the script AND the HTML. BUT occasionally, when certain types of server overloads occur, the server WON'T exec the script but instead will let you download the file. This means that at a certain point the users might be able to download a PHP file as it is (with the code) instead of the parsed HTML output.
I've only seen this problem happening with PHP files (or the internal server error message). As for the same overload, I've never seen a Perl script behave the same way, except for the "internal server error" or "some out of memory error". I'm pretty confident in Perl scripts (.pl - .cgi).
On a related note, do SHTML files get the same problem as PHP files? I'm planning to implement pages with conditions where, depending on a parameter, some HTML will be shown and the other part will not be shown. This can be done via SHTML files; my concern is whether at some point there is any situation where the server will let the user download the file (something I don't want). There are other ways to solve what I'm planning to do; it's just that at this point it is better to hold on a xx.com/script.shtml than xx.com/cgi-bin/script.pl as URL.
Thanks in advance.
dan_grossman — 2010-03-19T11:06:02-04:00 — #2
On a properly configured server, this should never, ever happen, no matter the file extension. It doesn't matter if the server is overloaded to the point that most requests aren't even getting responses, the behavior doesn't change, the server doesn't start sending out code.
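Added example, not part of the original thread: one way to check that a server is handing out processed pages rather than raw source is to inspect responses for PHP, SSI, or Perl source markers. The function name, marker list, and sample responses below are constructed for illustration.

```python
import re

# Server-side markers that should never reach a client. If one appears in a
# response body, the file was sent without being processed by its handler.
SOURCE_MARKERS = {
    "php": re.compile(r"<\?(php|=)", re.I),
    "ssi": re.compile(
        r"<!--#(include|if|elif|else|endif|exec|echo|set|config)\b", re.I),
    "perl": re.compile(r"\A#!.*\bperl\b", re.I),  # shebang on the first line
}

# Content types that make a browser offer the file as a download.
DOWNLOAD_TYPES = ("application/octet-stream", "application/x-httpd-php")

def find_source_leak(headers, body):
    """Return a sorted list of reasons the response looks like raw source."""
    reasons = []
    for name, pattern in SOURCE_MARKERS.items():
        if pattern.search(body):
            reasons.append(f"{name} source marker in body")
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in DOWNLOAD_TYPES:
        reasons.append(f"served as {ctype} (download, not rendered page)")
    return sorted(reasons)

# Constructed sample responses (headers, body); not captured from a real site.
SAMPLES = {
    "parsed page": ({"Content-Type": "text/html; charset=utf-8"},
                    "<html><body>Hello</body></html>"),
    "raw php": ({"Content-Type": "application/x-httpd-php"},
                "<?php $db_pass = 'example'; ?><html></html>"),
    "raw shtml": ({"Content-Type": "text/html"},
                  '<html><!--#if expr="$QUERY_STRING = /show=1/" -->'
                  "<p>A</p><!--#endif --></html>"),
    "raw perl": ({"Content-Type": "text/plain"},
                 "#!/usr/bin/perl\nprint \"Content-type: text/html\\n\\n\";\n"),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLES.items():
        print(label, "->", find_source_leak(headers, body) or "ok")
```

Run against a staging copy after any handler or module change, a check like this catches the misconfiguration case where the extension is no longer mapped to its interpreter.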
elviajero — 2010-03-19T11:29:45-04:00 — #3
stomme_poes — 2010-03-19T11:54:29-04:00 — #4
> There are other ways to solve what I'm planning to do; it's just that at this point it is better to hold on a xx.com/script.shtml than xx.com/cgi-bin/script.pl as URL.

Since your server should be able to rewrite URLs, this should also never be an issue. Lots of sites are running on Perl and you do not see the cgi folder or somescript.pl (example: booking.com, amazon.com, bbc.co.uk, I happen to know, are running Perl. But you never learn that via the URL).
elviajero — 2010-03-19T12:39:40-04:00 — #5
Thanks, I have considered that as an alternative (URL rewriting). The reason I'm considering SHTML is I can mod any of the many HTML pages in Dreamweaver at any time instead of having HTML and then converting to "html inside-perl".
I code by hand, I use DW at the minimum; it's just that for this project it seems the best option to have the HTML editable. Thanks