reg access of stored session variable

amithublikar has asked for the wisdom of the Perl Monks concerning the following question:

hi ,

I am new to perl .I have a query regarding accessing stored session .Kindly pls help :

here is my firstpage.pl

#!/usr/bin/perl  -w
use strict;
use DBI;
use CGI qw/:all :html3/;
use CGI::Carp qw(fatalsToBrowser);
my $cgi = new CGI;
use CGI::Session qw();
my $session = CGI::Session->new();
print $cgi->header;
print $session->header;
print "<html><head>";
print "</head>";
print "<body>";

# here are the values from the HTML form
my $username = param('username');
my $password = param('password');
my $groups;

my $dbh=DBI->connect('DBI:mysql:database=:host=:user=root') || die "Co
+uld not connect to database: ". DBI->errstr;

my $query = "select  user,password,groups  from login_ro where user li
+ke '$username' and password like '$password' ";

my $sth=$dbh->prepare($query) or die "Couldnt prepare statement:" .$db
+h->errstr;

$sth->execute();

if(($username,$password,$groups)= $sth->fetchrow_array)
            {

                          chomp($username);
                                    chomp($password);
                                    chomp($groups);


                                    print "<meta http-equiv=\"refresh\
+" content=\"0; url=./dashboard_status.pl?groups=$groups\" />";
                                    print "<input type=hidden name=\"u
+sername\" value=\"$username\">";
                                     $session->param("ro", $groups);
                                     $session->param("user", $username
+);
                                     $session->param(User_id => 'U0000
+2');



                                     my $regional_office = $session->p
+aram("ro");
                                     print "$regional_office";
                                     my $tmp=$session->param("User_id"
+);
                                     print "$tmp";
            }


            else {
                print "<meta http-equiv=\"refresh\" content=\"0; url=.
+/errlogin.pl\" />";
            }





# print bottom of page
print <<HTML;
</body>
</html>
HTML
[download]

this is my second.pl page:

#!/usr/bin/perl  -w
use strict;
use warnings;
use DBI;
use CGI qw/:all :html3/;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use CGI::Session qw();
use sub test();
my $cgi = new CGI;
print "<html><head>";
my $session = CGI::Session->new((undef, $cgi, {Directory=>"/tmp"}));
$session = CGI::Session->new();
print $session->header;
my $dbh=DBI->connect('DBI:mysql:database=:user=root;host=') || die "Co
+uld not connect to database: ". DBI->errstr;

my $group = param('groups');
my $atmcount;
my $regional_office = $session->param('ro');          ///here is am ac
+cesing stored session 
my $tmp= $session->param('User_id');

print "regional--->$regional_office";
 my $user = $session->param('user');
[download]

but I am not able to access the stored session .Kindly please help .

Comment on reg access of stored session variable Select or Download Code

Replies are listed 'Best First'.
Re: reg access of stored session variable by CountZero (Bishop) on Nov 11, 2013 at 11:23 UTC
My answer has nothing to do with your session problems, but the way you construct your query string is setting you up for a Bobby Tables-attack (aka SQL injection attack). Have a look at SQL Injection and use placeholders rather than directly interpolating your data. CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James My blog: Imperial Deltronics	[reply]
Re: reg access of stored session variable by hippo (Archbishop) on Nov 11, 2013 at 11:29 UTC
I've never used CGI::Session, but this looks wrong: `my $session = CGI::Session->new((undef, $cgi, {Directory=>"/tmp"})); $session = CGI::Session->new();` [download] Do you mean to overwrite the `$session` variable here? Also, your DB query in the first script looks susceptible to an SQL injection.	[reply] [d/l] [select]
Re: reg access of stored session variable by Mr. Muskrat (Canon) on Nov 11, 2013 at 16:21 UTC
I won't repeat what has already been said about your database code but read it again, it's important. In the first piece of code you are doing something odd: `print $cgi->header; print $session->header;` [download] I don't think that it will cause a failure but you might want to examine the generated headers to be certain. You really only the second line. Moving on to second piece of code... What is `use sub test();` supposed to do? I'm not familiar with the sub pragma. Is it one you wrote or should that really be `use subs qw(test);`? You cannot print anything in a CGI program before printing the headers but you've done just that. Move the `print "<html><head>";` after the call to `print $session->header;`.	[reply] [d/l] [select]
Re: reg access of stored session variable by Anonymous Monk on Nov 11, 2013 at 23:22 UTC
Try structuring your program like this, only print headers/content in one place , it makes debugging easier Read more... (2 kB)	[reply] [d/l]