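#!/usr/bin/perl -T
#
# unsafe-form.pl
#
# CGI.pm Perl script demonstrating how easy it is to
# tamper with "hidden" form field values.
#
# Written by Advosys Consulting Inc., Ottawa
#
# Requires: Perl 5 with CGI.pm
#
# NOTE: the hidden fields (userid, credit_ok, form_expires) are
# deliberately taken at face value on submission -- that is the
# weakness this demo illustrates. Anything in a hidden field is
# client-controlled; a real form would keep such values server-side
# (e.g. in a session) or sign them and verify the signature before
# use. Taint mode (-T) does not help here: print() is allowed to
# emit tainted data.

use strict;
use warnings;

# Include perl modules:
use CGI qw/:standard/;

# Print the MIME header before doing anything else:
print "Content-type: text/html\n\n";
print '<html><body>';
print '<h1>Unsafe input form demo</h1>';

# Assign some example values we don't want changed
# (file-scoped lexicals so print_form() can interpolate them):
my $userid       = 'ktrout';
my $credit_ok    = 1;
my $form_expires = '20001001:12:45:20';

# Display blank HTML form or check submission:
if ( !param('chaddr') ) {
    print_form();
}
else {
    # The userid echoed back is whatever the client sent, not
    # necessarily the value we put in the form. Escape it so the
    # echo cannot inject markup into this page -- a separate bug
    # from the hidden-field trust the demo is about. Scalar context
    # takes the first value if the field was submitted more than once.
    my $submitted_userid = param('userid');
    $submitted_userid = '' unless defined $submitted_userid;
    print "Thank you ", escapeHTML($submitted_userid), "<br>";
    print "Your address information has been updated.";
}
print "</body></html>";

### SUBROUTINES:
#

# Prints example HTML form with the "trusted" values in hidden fields.
# Takes no arguments; reads $userid, $credit_ok and $form_expires
# from file scope and writes the form to STDOUT. Returns nothing useful.
sub print_form {
    print <<END_TEXT;
<p><form action="http://advosys.ca/cgi/unsafe-form.pl" method="post">
<table>
<tr>
<td><b>Address line 1:</b></td><td><input type="text" name="address1"></td>
<tr>
<td><b>Address line 2:</b></td><td><input type="text" name="address2"></td>
<tr>
<td><b>City:</b></td><td><input type="text" name="city"></td>
<tr>
<td><b>Prov:</b></td><td><input type="text" name="prov"></td>
<tr>
<td><b>Postal:</b></td><td><input type="text" name="postal"></td>
<tr><td colspan="2" align="center">
<input type="hidden" name="userid" value="$userid">
<input type="hidden" name="credit_ok" value="$credit_ok">
<input type="hidden" name="form_expires" value="$form_expires">
<input type="submit" name="chaddr" value="Change address">
</td></tr>
</table>
</form>
END_TEXT
    return;
}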