Re: CGI Change Password (LDAP)


Think about Loose Coupling
	PerlMonks

Re: CGI Change Password (LDAP)

by tachyon (Chancellor)

on Dec 11, 2004 at 01:23 UTC ( [id://414035]=note: print w/replies, xml )

Need Help??

in reply to CGI Change Password (LDAP)

Unless you run this over https it is insecure as the password goes over the wire in plaintext. You have a CGI object. It contains all the params. Why not just pass that to your validate and change functions? Typically I use the return null string if function succeeds or error string if it fails. This lets you avoid globals like your g_err_msg. Then the app logic goes:

if ( $q->param ) {
    my $err_msg = validate( $q );
    if ( $err_msg ) {
        show_form($err_msg);
    }
    else {
        my $msg = change_pass( $q );
        show_form( $msg );   # msg may be error or success message
    }
}
else {
    show_form();
}
exit 0;
[download]

I can't see how it might be exploited but is is usually wise to limit CGI user input to a selected range of characters. The null byte hack is one issue this attends to.

cheers

tachyon

Comment on Re: CGI Change Password (LDAP) Download Code

In Section Seekers of Perl Wisdom

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://414035]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others having an uproarious good time at the Monastery: (3)

As of 2024-04-25 05:45 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found