To create the data structure that is passed to GD::Graph dynamically, we need some kind of logical front end that accepts 'passed values' from the user.

To illustrate, an SQL query could be used to populate a given data structure dynamically. Such a query will quite likely have 'from' and 'to' date fields.

It can be tempting to generate an SQL query and pass it as a parameter to the CGI application responsible for populating the data structure and hence plotting a graph.

If not the whole SQL query, perhaps part of it could be passed, for example the 'where ....' clause.

Either of these approaches, or anything similar, is bad from a security point of view: users, or rather unwanted users, could attempt to bypass whatever CGI validation you may have within your presentation layer and post their own values straight to the graphing module.

Exposure of data that should not be made public, or denial of service attacks, could then be a real risk.

It is important therefore to protect against such 'session variable data' getting into the wrong hands.

CGI::Session and other similar modules offer the facility to pass these variables from one session to another within a file or data structure that is held ON THE WEB SERVER ONLY and referenced by a client-side cookie or URL reference.
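
One way to apply this with CGI::Session, as an added example that is not part of the original page: the presentation layer validates the 'from' and 'to' dates and stores them server-side, and the graphing script accepts only a session ID and binds the stored values into a fixed query. The table and column names, the 15-minute expiry, the temporary session directory and the helper names `store_range` and `query_for_session` are assumptions.

```perl
use strict;
use warnings;
use CGI::Session;
use File::Temp qw(tempdir);

# Server-side session store (a temporary directory here, for the demo only).
my $DSN  = 'driver:File';
my %OPTS = (Directory => tempdir(CLEANUP => 1));

# The only SQL the graphing script ever runs. Table and column names are
# hypothetical. The user supplies values for the placeholders, never SQL text.
my $SQL = 'SELECT sale_date, SUM(amount) FROM sales '
        . 'WHERE sale_date BETWEEN ? AND ? GROUP BY sale_date';

# Strict YYYY-MM-DD shape; anything else (including SQL fragments) fails.
sub valid_date { defined $_[0] && $_[0] =~ /\A\d{4}-\d{2}-\d{2}\z/ }

# Presentation layer: validate the form values, keep them on the server,
# and return the session ID that goes into the client-side cookie.
sub store_range {
    my ($from, $to) = @_;
    return unless valid_date($from) && valid_date($to) && $from le $to;
    my $session = CGI::Session->new($DSN, undef, \%OPTS) or return;
    $session->param('from', $from);
    $session->param('to',   $to);
    $session->expire('+15m');
    $session->flush;
    return $session->id;
}

# Graphing script: the request carries a session ID and nothing else.
# load() never creates a session, so an unknown ID yields an empty one.
sub query_for_session {
    my ($sid) = @_;
    return unless defined $sid && $sid =~ /\A[0-9a-f]{32}\z/;  # default md5 IDs
    my $session = CGI::Session->load($DSN, $sid, \%OPTS) or return;
    return if $session->is_empty;                # unknown or expired session
    my ($from, $to) = map { $session->param($_) } qw(from to);
    return unless valid_date($from) && valid_date($to);        # re-check
    return ($SQL, $from, $to);   # for $dbh->prepare($SQL), $sth->execute($from, $to)
}

# Constructed sample input.
my $sid = store_range('2024-01-01', '2024-03-31');
my ($sql, @bind) = query_for_session($sid);
print "bind values: @bind\n";
print "forged session ID rejected\n" unless query_for_session('0' x 32);
print "SQL in date field rejected\n"
    unless store_range("2024-01-01' OR 1=1 --", '2024-03-31');
```

Because the graphing script reads its inputs from the session file rather than from request parameters, posting values straight to it changes nothing about the query it runs.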