
RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )


Do a Google search for SQL Injection.  You will get some interesting
results.  http://www.sqlsecurity.com/faq-inj.asp actually uses an example
very similar to yours.  If you use the "?" placeholders, and pass
parameters to the execute method, DBI takes care of the quoting for you,
and makes your life a little bit easier :).

Basically, when dealing with user input, "trust no-one".  If there is any
piece of data that is "trusted" by your system, you should (in general)
inspect the *^^&suppressed out of it.  I have even gone as far as doing this...

      if ($userinput =~ /^(A_CHOICE|B_CHOICE|C_CHOICE)$/) {
            $userinput = $1;
      } else {
            die "Invalid user input....";
      }

... or this ...

      if ($validdata{$userinput}) {
            do_something($userinput);
      } else {
            die "Invalid user input...";
      }

It tends to "untaint" the data, and ensures that no games are being played
with input.  Sort of like testing the return values from all system calls
(we all do that all of the time, right ;).  Read the POD documentation on
tainting, do a search of CPAN for taint, etc for other ways that
user-supplied data may be used to "break" a system.

BTW - no problem with asking for clarification or further questions.  That
is how most of us learn.

Brian
----
Brian T. Wightman
suppressed
414.524.4025
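The two allow-list checks above, written out as a small stand-alone script. This is an added example, not code from Brian's message: the choice names and colours are constructed, and the inputs fed through it are made up here to show which ones each check rejects. It also handles one edge case the one-line versions skip over: a `$` anchor matches before a trailing newline, so `\A`/`\z` are used instead.

```perl
#!/usr/bin/perl
# Added example (not from the list post): the two allow-list styles from
# Brian's message, each wrapped in a sub, plus a few constructed inputs.
use strict;
use warnings;

# Style 1: anchored regex, then re-assign from the capture.
# Under "perl -T" the capture ($1) is what clears the taint flag.
sub validated_choice {
    my ($userinput) = @_;
    # \A and \z anchor to the real start and end of the string; a plain "$"
    # also matches before a final newline, so "B_CHOICE\n" would slip through.
    if ($userinput =~ /\A(A_CHOICE|B_CHOICE|C_CHOICE)\z/) {
        return $1;
    }
    die "Invalid user input: expected A_CHOICE, B_CHOICE or C_CHOICE\n";
}

# Style 2: lookup in a hash of known-good values (constructed list).
# Note: this rejects bad values but does NOT untaint under -T; only a regex
# capture does that, so combine the two if you run with taint checks on.
my %validdata = map { $_ => 1 } qw(red green blue);

sub validated_colour {
    my ($userinput) = @_;
    # exists() rather than a truth test, so a key stored with value 0 or ''
    # could never make a known-good input look invalid.
    return $userinput if exists $validdata{$userinput};
    die "Invalid user input: unknown colour\n";
}

# Constructed inputs: two good ones, one with a trailing newline, and one
# carrying a quote character. Only the first two are accepted.
my @samples = (
    [ \&validated_choice, 'B_CHOICE' ],
    [ \&validated_colour, 'green' ],
    [ \&validated_choice, "B_CHOICE\n" ],
    [ \&validated_colour, q{blue' OR 'a'='a} ],
);

for my $sample (@samples) {
    my ($check, $input) = @$sample;
    (my $shown = $input) =~ s/\n/\\n/g;       # make the newline visible
    my $value = eval { $check->($input) };
    if (defined $value) {
        print "accepted '$shown' -> $value\n";
    } else {
        print "rejected '$shown' -> $@";       # $@ already ends in a newline
    }
}
```

The die() in each sub is the important part: a value that is not on the list never reaches the code that would use it, which is the "trust no-one" rule from the message applied mechanically.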


                                                                                                              
From: suppressed
Date: 12/18/02 10:43 AM
To: suppressed
cc:
Subject: RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )

Cool,

Thanks for the tip.. I guess it's obvious I'm still learning DBI/SQL as well
huh???

I would really appreciate everyone picking my code apart at any given
opportunity and telling me what I could be doing better.

It's the best way to learn I think...

One small question.. should I be using regex to pick apart any data returned
for SQL queries???


and this line:
my $query = "SELECT USER_PASSWORD, USER_NAME FROM user WHERE USER_ID = '$user_ID'";

since user_ID is surrounded by '', doesn't that mean that it's passed to
mySQL as a string??
how could commands be put in that?? (I'm asking because I don't know, not
because I'm an asshole. :-)


rgds

Frank

-----Original Message-----
From: suppressed [mailto:suppressed
Sent: Wednesday, 18 December 2002 11:18 PM
To: suppressed
Cc: suppressed
Subject: RE: [cgiapp] cgiapp_prerun (what about passing vars with:
return $self->display_login(); )


A little bit of an optimization and security check - if all you are doing
is comparing if the username and password match, why not let SQL do it?

      my $query = "SELECT count(*) FROM user WHERE USER_ID = ? and USER_PASSWORD = ?";
      my $sth = $dbh->prepare($query);
      $sth->execute($user_ID, $pass_word);
      my ($valid_login) = $sth->fetchrow_array ();    # This could also be changed....

Then if the results of the query are >= 1, both match, and the data passed
in by the user is correct.  Saves a few cycles by letting the database do
what it is tuned to do, and removing some of your code.  In addition, the
password in the database is never passed back to the code, insulating the
passwords from the user (potential (cr|h)acker) by one more layer.

Additionally, the way the query was originally presented, the user could
pass some nefarious values and do something unexpected (SQL injection).
For example, if I were to pass a $user_ID of q/foo';DROP TABLE FOO;select 1
from dual where 'a'='a/, it is possible that some SQL engines would process
the multiple commands, and do something in your database you did not intend
to.  Using the "?" in the prepare command / query automagically handles all
of the necessary quoting.

Brian
----
Brian T. Wightman
suppressed
414.524.4025
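To make the point about the quotes concrete, here is the same login check built both ways against an in-memory SQLite table. This is an added example and not Brian's or Frank's code; it assumes DBI and DBD::SQLite are installed, and the table, its single row and the inputs are constructed here. The interpolated query is only printed, not run, which is enough to see where the string literal ends.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why a value inside '...' in an
# interpolated query string is not "just a string", and what the
# placeholder form does differently. Assumes DBI + DBD::SQLite.
use strict;
use warnings;
use DBI;

# Constructed in-memory database with one user row.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE user (USER_ID TEXT, USER_NAME TEXT, USER_PASSWORD TEXT)');
$dbh->do(q{INSERT INTO user VALUES ('frank', 'Franki', 'secret')});

# The query as originally written: $user_ID becomes part of the SQL text,
# so a quote character inside it closes the literal early and whatever
# follows is parsed as SQL, not as data.
sub query_text_interpolated {
    my ($user_ID) = @_;
    return "SELECT USER_PASSWORD, USER_NAME FROM user WHERE USER_ID = '$user_ID'";
}

# Brian's form: the SQL text is fixed at prepare() time and the values travel
# separately to execute(), so the driver never re-parses them as SQL.
sub login_ok {
    my ($user_ID, $pass_word) = @_;
    my $sth = $dbh->prepare(
        'SELECT count(*) FROM user WHERE USER_ID = ? AND USER_PASSWORD = ?');
    $sth->execute($user_ID, $pass_word);
    my ($count) = $sth->fetchrow_array;
    $sth->finish;
    return $count >= 1;
}

# A user ID containing a single quote (constructed).
my $tricky = q{frank' OR 'a'='a};

print "Interpolated SQL text:\n  ", query_text_interpolated($tricky), "\n";
# ... WHERE USER_ID = 'frank' OR 'a'='a'  <- the WHERE clause is now always true

for my $case ( ['frank', 'secret'], ['frank', 'wrong'], [$tricky, 'anything'] ) {
    my ($u, $p) = @$case;
    printf "placeholder login(%-18s, %-8s) -> %s\n",
        "'$u'", "'$p'", login_ok($u, $p) ? 'ok' : 'denied';
}
```

With placeholders the third case is simply a user ID that does not exist in the table, so it is denied like any other wrong login; the quote never reaches the SQL parser as syntax.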



From: suppressed
Date: 12/18/02 08:37 AM
To: suppressed
cc:
Subject: RE: [cgiapp] cgiapp_prerun (what about passing vars with: return $self->display_login(); )

Nope, it didn't work...

doesn't matter, though, I can stress about that some other time.

Right now I have another small question..

I have this code:

    my $user_ID   = $form_parameters->param('username');
    my $pass_word = $form_parameters->param('password');

    # Send them back to the login if they left a field blank.
    return $self->display_login() if $user_ID eq '';
    return $self->display_login() if $pass_word eq '';

    my $query = "SELECT USER_PASSWORD, USER_NAME FROM user WHERE USER_ID = '$user_ID'";
    my $sth = $dbh->prepare($query);
    $sth->execute();
    my ($passwd, $username) = $sth->fetchrow_array ();
    $sth->finish();

    # Validate the username..
    unless ($session->param("logged_in"))
    {
        if (!defined $passwd)
        {
            return $self->display_login();
        }
        else
        {
            # Validate the username/password.
            # if the password exists at all, the username
            # is valid.. then make sure the password is correct.
            # If not return to the login page.
            unless ($passwd eq $pass_word)
            {
                return $self->display_login();
            }
            # Put some of the needed vars into the session.
            $session->param('logged_in', 'yes');
            $session->param('user_id', $user_ID);
            $session->param('UserName', $username);
        }
    }


Now it's the latter part of this that I am interested in..
    unless ($passwd eq $pass_word)
    {
        return $self->display_login();
    }

I return them to the login if they didn't get it right.. I'd like to be able
to pass them a message though..
for example. <font color='red'>Incorrect username or password</font>

If I want to pass that.. can I do this?
unless ($passwd eq $pass_word)
{
    # double quotes around the string, so the single quotes in color='red' don't end it
    $self->param(Message => "<font color='red'>Incorrect username or password</font>");
    return $self->display_login();
}

Then pull it into the login sub and assign it a var

my $message = $self->param('Message');

Then add it to the vars I am passing to the template...
$login_page->param(message => $message);

Would that work, if so, is my syntax correct??? sorry to ask, but this
script is getting remarkably complicated for someone with my current skill
level, and I don't want to spend the next hour finding and removing the code
I added if I get it wrong..

If it does work that way... I can add stuff to tell the user their session
has expired and that they should login again as well....


again, any tips would be great....

I love CGI::Application and HTML::Template, I will never write another cgi
app the old way.. (nested if/elsif/else/unless loops)  THANK YOU!!!! to all
those that created these wonderful modules, and thank you to all who help
teach newbies to them like me why they are so good.


regards

Franki



-----Original Message-----
From: William McKee [mailto:suppressed
Subject: Re: [cgiapp] cgiapp_prerun

Hi Franki,

Try setting a param in cgiapp_prerun using the following code:
             $self->param('user_id', $user_id) ;

Then retrieve this value in your mode_1 sub with this code:
             my $user_id = $self->param('user_id');

Good luck,
William
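A complete, runnable version of the pattern William describes and the message-passing Frank asks about, as an added example that is not code from Frank's application or from William's reply. It assumes CGI::Application and HTML::Template are installed; the user table is a constructed hash standing in for the database lookup, and the template is embedded in the script. The message is stored as plain words and the template adds the red colour and HTML-escapes it, so nothing placed in the param can inject markup into the page.

```perl
#!/usr/bin/perl
# Added example (not from the thread): $self->param set in cgiapp_prerun
# or in one run mode, read back in another, and handed to HTML::Template.
# Assumes CGI::Application and HTML::Template; users and template are
# constructed here.
package MyLogin;
use strict;
use warnings;
use base 'CGI::Application';
use HTML::Template;

# Constructed stand-in for the user table in the thread.
my %users = ( frank => 'secret' );

my $LOGIN_TEMPLATE = <<'HTML';
<TMPL_IF NAME="message"><p style="color: red"><TMPL_VAR NAME="message" ESCAPE="HTML"></p></TMPL_IF>
<form method="post">
  <input type="hidden" name="rm" value="do_login">
  Username: <input name="username">
  Password: <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
HTML

sub setup {
    my $self = shift;
    $self->start_mode('login');
    $self->run_modes(
        login    => 'display_login',
        do_login => 'process_login',
    );
}

# William's pattern: a param set here is visible in every run mode of the
# same request through $self->param('user_id').
sub cgiapp_prerun {
    my $self = shift;
    my $user_id = $self->query->param('username');
    $self->param('user_id', defined $user_id ? $user_id : '');
}

sub process_login {
    my $self      = shift;
    my $user_ID   = $self->param('user_id');
    my $pass_word = $self->query->param('password');
    $pass_word = '' unless defined $pass_word;

    unless (exists $users{$user_ID} && $users{$user_ID} eq $pass_word) {
        # Frank's idea: stash the text, then fall through to the login page.
        # Only the words go into the param; the template colours and escapes them.
        $self->param(Message => 'Incorrect username or password');
        return $self->display_login;
    }
    # Escape anything user-supplied before it goes back into HTML.
    return '<p>Welcome, ' . $self->query->escapeHTML($user_ID) . '</p>';
}

sub display_login {
    my $self    = shift;
    my $message = $self->param('Message');
    my $tmpl    = HTML::Template->new(scalarref => \$LOGIN_TEMPLATE);
    $tmpl->param(message => defined $message ? $message : '');
    return $tmpl->output;
}

package main;
MyLogin->new->run;
```

CGI.pm accepts name=value pairs on the command line when no web server is present, so `perl login.pl rm=do_login username=frank password=wrong` prints the login form with the red message, and `username=frank password=secret` prints the welcome line; with no arguments it waits for pairs on standard input. The same `$self->param('Message')` mechanism works for a "session expired" notice, since any run mode that ends by calling `display_login` can set it first.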


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed







