Check if the username & password exist in the database

Guest_imported
The following script should take the username and the password from the form and match them against the database. If the user exists he can continue; otherwise he has to register. The thing is that although everything seems correct, it does not work! Could anyone tell me what's wrong? :-(

#!/usr/bin/perl

'usr/pub/prepare postgr';

use CGI;
use DBI;

$|=1;
print "Content-type: text/html\n\n";

#Get input from the web

if ($ENV{'REQUEST_METHOD'} eq "POST") {
    read (STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
} else {
    $buffer = $ENV{'QUERY_STRING'};
}
@pairs= split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack ("C", hex($1))/eg;
    $contents{$name} = $value;
}

$regexp = "[\<\>\|\;\,\']";

$mname = $contents{'username'};
$mname =~ s/$regexp//g; #remove suspect chars

$mpwd = $contents{'password'};
$mpwd =~ s/$regexp//g; #remove suspect chars

#opens database

my ($dbh, $sth, $z);

$dbtype = "Pg";
$database= "xxxx";
$dbserver= "xxxxxxx";
$dbport= 5432;

$data_source = "dbi:$dbtype:dbname=$database;host=$dbserver;port=$dbport";

$dbh = DBI->connect("$data_source", "", "");

$z = "select username, password from supervisor where (($mname='username') and ($mpwd='password'))";

$sth = $dbh->prepare($z);
$sth->execute();

while (@row=$sth->fetchrow_array())
{
    $html=$html."@row";
}

$sth->finish();
$dbh->disconnect;

if ($html eq " ")
{
print <<"HTMLHEAD";
<HTML>
<HEAD>
<TITLE>WRONG!</TITLE>
</HEAD>
<BODY>
<P>
<CENTER>
<A HREF="<P>
</BODY>
</HTML>
HTMLHEAD
}
else
{
print <<"HTMLHEAD";
<HTML>
<HEAD>
<TITLE>RIGHT PASSWORD AND USERNAME</TITLE>
</HEAD>
<BODY>
<h2><center>You have successfully logged in!</center></h2>
<h2><center>Click on the link to enter..</center></h2>
<CENTER>
<A HREF="</CENTER>
</BODY>
</HTML>
HTMLHEAD
}
 
A few things catch my attention.

First off, what is this?
Code:
'usr/pub/prepare postgr';

Perhaps those are meant to be backticks (`)? Or just fun with anonymous scalars?

Next, as far as the suspect chars thing goes, your regex might be better expressed as [^\w] which would remove anything that was not a letter, number or underscore. You can then start to allow other characters, one by one. This is a common technique in firewall design -- deny all, then allow things one at a time, rather than trying to specifically deny each individual item.

Third, I think the SQL statement that you use declares the comparisons in the wrong order... I believe that it goes [column name] = [data], rather than [data] = [column name]. So instead of:
Code:
(($mname='username') and ($mpwd='password'))";
You would have:
Code:
((username='$mname') and (password='$mpwd'))";

Four: Instead of creating a scalar with the data from your query, and testing against its emptiness, just set a flag in the first execution of your while{} statement and move on. So your while loop/if statement looks like:
Code:
while(my @row = $sth->fetchrow_array) {
    $flag = 1; last;
}
if($flag) { validated }
else  { not validated }
This avoids errors in DBI's $sth->rows() function and seems the easiest way to fix the problem in this script. Of course, this is Perl, so TMTOWTDI.

Lastly, perhaps this is just for testing, but understand that as this code stands right now, it offers no security. All one would have to do is directly access and bypass authentication entirely.

Hope this helps,

brendanc@icehouse.net
 
Thank you, you were absolutely right about the SQL statement; it works fine now. I am now trying to change this script so that it can check whether the username and the password belong to a student or a tutor. I've tried that by adding an if statement, but this doesn't really help.

Do you have any suggestions? :cool:
 
I don't know what your database field for student-or-tutor is called, but for the sake of argument, let's call it "status". Change your select statement to "select username,password,status ...". Then on success @row will contain 3 elements: $row[0] is username, $row[1] is password, and $row[2] is status. Then you just need an if that says:
Code:
if ( $row[2] eq "student" ) {
   # student stuff here
} elsif ( $row[2] eq "tutor" ) {
   # tutor stuff here
} else {
   # not student or tutor
}
Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
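As an added example (not code from the thread), here is the lookup written the way the two replies above suggest, with one further change a reviewer would insist on: the column = value order from the first reply, the [^\w] allow-list, the flag-style "did a row come back" check, and the status column from the second reply, but with DBI placeholders (`?`, supported by both DBD::Pg and DBD::SQLite) instead of interpolating $mname and $mpwd into the SQL text. It assumes DBD::SQLite is installed so it can use an in-memory stand-in for the Postgres supervisor table; the alice/bob rows and the payload string are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the Postgres "supervisor" table (assumes DBD::SQLite).
# With DBD::Pg you would use the dbi:Pg:... data source from the original script.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE supervisor (username TEXT, password TEXT, status TEXT)");
my $ins = $dbh->prepare("INSERT INTO supervisor (username, password, status) VALUES (?, ?, ?)");
$ins->execute(@$_) for ( [ "alice", "s3cret", "tutor" ], [ "bob", "hunter2", "student" ] );

# Allow-list filter from the first reply: keep only [A-Za-z0-9_].
sub clean {
    my $s = shift;
    $s = "" unless defined $s;
    $s =~ s/[^\w]//g;
    return $s;
}

# The corrected query from the first reply (column = value), still built by
# interpolating the form values into the SQL text. Returns the status column
# of the matching row, or undef when no row matched.
sub check_interpolated {
    my ($mname, $mpwd) = @_;
    my $z = "select username, password, status from supervisor "
          . "where ((username='$mname') and (password='$mpwd'))";
    my $sth = $dbh->prepare($z);
    $sth->execute();
    my @row = $sth->fetchrow_array();   # first row, or empty list: the "flag" check
    $sth->finish();
    return @row ? $row[2] : undef;
}

# Same query with DBI placeholders: the values travel separately from the SQL
# text, so a quote inside $mname or $mpwd cannot change what the statement means.
sub check_placeholders {
    my ($mname, $mpwd) = @_;
    my $sth = $dbh->prepare("select username, password, status from supervisor "
                          . "where username = ? and password = ?");
    $sth->execute($mname, $mpwd);
    my @row = $sth->fetchrow_array();
    $sth->finish();
    return @row ? $row[2] : undef;
}

# Branch on the status column as in the second reply.
sub describe {
    my $status = shift;
    return "not validated" unless defined $status;
    return "student page"  if $status eq "student";
    return "tutor page"    if $status eq "tutor";
    return "unknown status '$status'";
}

# Constructed payload: inside the interpolated query it turns the password test
# into (password='' or '1'='1'), which is true for any row.
my $payload = "' or '1'='1";

print "alice/s3cret, placeholders:          ", describe(check_placeholders("alice", "s3cret")), "\n";
print "alice/<payload>, interpolated:       ", describe(check_interpolated("alice", $payload)), "\n";
print "alice/<payload>, placeholders:       ", describe(check_placeholders("alice", $payload)), "\n";
print "alice/<payload>, interpolated+clean: ", describe(check_interpolated("alice", clean($payload))), "\n";
print "bob/hunter2, placeholders:           ", describe(check_placeholders("bob", "hunter2")), "\n";

$dbh->disconnect;
```

Run it as a plain script; no CGI is involved. The interpolated variant lets the payload log in as alice without knowing her password, the placeholder variant and the allow-listed input both reject it. The original script's strip of `'` happens to defeat this particular payload too, but it depends on the deny-list being complete; placeholders remove that dependency, and the [^\w] allow-list is the safer filter if you also want to constrain what a username may look like.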
 
You're quite welcome! Glad I could be of assistance.
Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 
I just had to stop and say that Dragon is the BEST man. Not only does he know everything about Perl (or where to find out where the info is) but he takes the time to teach us what he knows. You're the man dragon!
 
Gee, thanks! :~/ Believe it or not, I don't know everything. sophisticate and goBoating in particular have taught me a few new things too.
Tracy Dryden
tracy@bydisn.com

Meddle not in the affairs of dragons,
For you are crunchy, and good with mustard.
 
I concur - kudos to the Dragon! Good work.


keep the rudder amid ship and beware the odd typo
 