A little bit of an optimization and security check - if all you are doing
is comparing if the username and password match, why not let SQL do it?
my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?";
my $sth = $dbh->prepare($query);
$sth->execute($user_ID, $pass_word);
my ($valid_login) = $sth->fetchrow_array(); # This could also be changed....
Then if the results of the query are >= 1, both match, and the data passed
in by the user is correct. Saves a few cycles by letting the database do
what it is tuned to do, and removing some of your code. In addition, the
password in the database is never passed back to the code, insulating the
passwords from the user (potential (cr|h)acker) by one more layer.
Additionally, the way the query was originally presented, the user could
pass some nefarious values and do something unexpected (SQL injection).
For example, if I were to pass a $user_ID of q/foo';DROP TABLE FOO;select 1
from dual where 'a'='a/, it is possible that some SQL engines would process
the multiple commands, and do something in your database you did not intend
to. Using the "?" in the prepare command / query automagically handles all
of the necessary quoting.
Brian
----
Brian T. Wightman
414.524.4025
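An added example, not code from Brian's mail or from the cgiapp list, that runs his count(*) check with DBI placeholders against an in-memory SQLite database (DBD::SQLite is assumed to be installed). The table layout, the sample user row, the credentials and the helper names valid_login and lookup_password_unsafe are constructed for this demonstration. It also feeds the hostile-looking $user_ID from the paragraph above through the placeholder version, so you can see it is compared as plain data and the table survives.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): Brian's count(*) login
# check with DBI placeholders, executed against an in-memory SQLite database
# so the script runs stand-alone. Schema, row and names are constructed.
use strict;
use warnings;
use DBI;

# Constructed schema and data; the thread only names the columns.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE user (USER_ID TEXT PRIMARY KEY, USER_PASSWORD TEXT, USER_NAME TEXT)");
$dbh->do("INSERT INTO user VALUES (?, ?, ?)", undef, 'franki', 's3cret', 'Franki');

# Hardened form: user input only ever travels as bind values, never as SQL
# text, and the stored password never comes back to the application.
sub valid_login {
    my ($dbh, $user_id, $password) = @_;
    my $sth = $dbh->prepare(
        "SELECT count(*) FROM user WHERE USER_ID = ? AND USER_PASSWORD = ?");
    $sth->execute($user_id, $password);
    my ($count) = $sth->fetchrow_array();
    $sth->finish();
    return $count >= 1 ? 1 : 0;
}

# Shape of the query from Franki's original post, kept here for contrast
# only and never called: the value is spliced into the SQL text, so a quote
# character in $user_id changes the statement itself.
sub lookup_password_unsafe {
    my ($dbh, $user_id) = @_;
    my $query = "SELECT USER_PASSWORD, USER_NAME FROM user WHERE USER_ID = '$user_id'";
    return $dbh->selectrow_array($query);
}

# Correct credentials are accepted.
print valid_login($dbh, 'franki', 's3cret') ? "login ok\n" : "login rejected\n";

# A wrong password is rejected.
print valid_login($dbh, 'franki', 'wrong') ? "login ok\n" : "login rejected\n";

# The hostile-looking string from Brian's mail is compared as a literal
# USER_ID value: no second statement runs and the table is still intact.
my $hostile = q/foo';DROP TABLE FOO;select 1 from dual where 'a'='a/;
print valid_login($dbh, $hostile, 'anything') ? "login ok\n" : "login rejected\n";
my ($rows) = $dbh->selectrow_array("SELECT count(*) FROM user");
print "user table still has $rows row(s)\n";

$dbh->disconnect;
```

The three calls print "login ok", "login rejected", "login rejected", followed by the row count of 1. The unsafe lookup is left in only so the two shapes can be read side by side; the difference is purely whether the user's value is part of the SQL string or passed separately to execute().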
To: suppressed
cc:
12/18/02 08:37 AM
Subject: RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )
Nope, it didn't work...
doesn't matter, though, I can stress about that some other time.
Right now I have another small question..
I have this code:
my $user_ID = $form_parameters->param('username');
my $pass_word = $form_parameters->param('password');
# Send them back to the login if they left a field blank.
return $self->display_login() if $user_ID eq '';
return $self->display_login() if $pass_word eq '';
my $query = "SELECT USER_PASSWORD, USER_NAME FROM user WHERE USER_ID = '$user_ID'";
my $sth = $dbh->prepare($query);
$sth->execute();
my ($passwd, $username) = $sth->fetchrow_array();
$sth->finish();
# Validate the username..
unless ($session->param("logged_in"))
{
    if (!defined $passwd)
    {
        return $self->display_login();
    }
    else
    {
        # Validate the username/password.
        # If the password exists at all, the username
        # is valid.. then make sure the password is correct.
        # If not return to the login page.
        unless ($passwd eq $pass_word)
        {
            return $self->display_login();
        }
        # Put some of the needed vars into the session.
        $session->param('logged_in', 'yes');
        $session->param('user_id', $user_ID);
        $session->param('UserName', $username);
    }
}
Now its the latter part of this that I am interested in..
unless ($passwd eq $pass_word)
{
    return $self->display_login();
}
I return them to the login if they didn't get it right.. I'd like to be able to pass them a message though..
for example. <font color='red'>Incorrect username or password</font>
If I want to pass that.. can I do this?
unless ($passwd eq $pass_word)
{
    # double-quoted so the single quotes around red do not end the string
    $self->param(Message => "<font color='red'>Incorrect username or password</font>");
    return $self->display_login();
}
Then pull it into the login sub and assign it a var
my $message = $self->param('Message');
Then add it to the vars I am passing to the template...
$login_page->param(message => $message);
Would that work, if so, is my syntax correct??? sorry to ask, but this script is getting remarkably complicated for someone with my current skill level, and I don't want to spend the next hour finding and removing the code I added if I get it wrong..
If it does work that way... I can add stuff to tell the user their session
has expired and that they should login again as well....
again, any tips would be great....
I love CGI::Application and HTML::Template, I will never write another cgi
app the old way.. (nested if/elsif/else/unless loops) THANK YOU!!!! to all
those that created these wonderful modules, and thank you to all who help
teach newbies to them like me why they are so good.
regards
Franki
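An added example, not code from Franki's post or from the CGI::Application project, showing the hand-off Franki asks about: a run mode rejects the login, leaves a message in $self->param('Message'), and display_login() reads it and passes it to the HTML::Template page. The package name MyApp, the inline template, the check_password stub (standing in for the database lookup) and the fake form submission are constructed; it assumes CGI::Application, HTML::Template and CGI are installed. The one deliberate change from the post is that the message is plain text and the red styling lives in the template, with ESCAPE=HTML on the TMPL_VAR, so whatever ends up in the message is shown as text rather than interpreted as markup.

```perl
#!/usr/bin/perl
# Added example (not from the thread): passing a message from the run mode
# that rejects a login to the sub that renders the login form, via
# CGI::Application's param(). Names, template and form data are constructed.
use strict;
use warnings;

package MyApp;
use base 'CGI::Application';
use HTML::Template;

# Template kept inline so the script is self-contained; a real app would
# load it from a file. ESCAPE=HTML shows the message as text, so the
# styling belongs to the template, not to the message string.
my $LOGIN_TMPL = <<'END';
<TMPL_IF NAME="message"><p style="color:red"><TMPL_VAR NAME="message" ESCAPE="HTML"></p></TMPL_IF>
<form method="post" action="login.cgi">
  <input type="hidden" name="rm" value="do_login">
  Username: <input name="username"> Password: <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
END

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(
        login    => 'display_login',
        do_login => 'do_login',
    );
}

# Renders the login form and picks up whatever message the caller left in
# $self->param('Message'); with no message the TMPL_IF block is skipped.
sub display_login {
    my $self = shift;
    my $login_page = HTML::Template->new(scalarref => \$LOGIN_TMPL,
                                         die_on_bad_params => 0);
    my $message = $self->param('Message') // '';
    $login_page->param(message => $message);
    return $login_page->output;
}

# Checks the submitted credentials. check_password() is a hard-coded stub
# standing in for the database lookup in the thread.
sub do_login {
    my $self = shift;
    my $q = $self->query;
    my $user_ID   = $q->param('username') // '';
    my $pass_word = $q->param('password') // '';

    if ($user_ID eq '' || $pass_word eq '') {
        $self->param(Message => 'Please fill in both username and password');
        return $self->display_login();
    }
    unless (check_password($user_ID, $pass_word)) {
        # The pattern from the question: set the param, then hand off to
        # display_login(), which reads it back.
        $self->param(Message => 'Incorrect username or password');
        return $self->display_login();
    }
    return "Welcome, $user_ID";
}

sub check_password {
    my ($user, $pass) = @_;
    return $user eq 'franki' && $pass eq 's3cret';   # constructed credentials
}

package main;
use CGI;

# Drive the app with a constructed form submission instead of a real request.
my $q   = CGI->new({ rm => 'do_login', username => 'franki', password => 'wrong' });
my $app = MyApp->new(QUERY => $q);
$app->run;   # prints the HTTP header and the login page with the message
```

Run as a script it prints the header and the login form with "Incorrect username or password" in the red paragraph; change the password to s3cret and it prints the welcome line instead. The same hand-off serves the session-expired case Franki mentions: whichever sub detects the expired session sets $self->param('Message') and returns display_login().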
-----Original Message-----
From: William McKee [mailto:suppressed
Subject: Re: [cgiapp] cgiapp_prerun
Hi Franki,
Try setting a param in cgiapp_prerun using the following code:
$self->param('user_id', $user_id) ;
Then retrieve this value in your mode_1 sub with this code:
my $user_id = $self->param('user_id');
Good luck,
William
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed