Muskovitz has asked for the wisdom of the Perl Monks concerning the following question:

I created a simple Perl/CGI application login script but the here's my sample code
"login.pl"

```perl
#!/usr/bin/perl
# Print the HTTP header and the login form; the form submits to index.pl.
print <<table;
Content-type: text/html\n\n
<center>
<form action="index.pl" method="GET">
Login to <b>buzzlr.</b><br /><br />
Username:&nbsp;<input type="text" name="username" /><br /><br />
Password: &nbsp;<input type="password" name="password" /><br /><br />
<div align="center">
<input type="submit" name="submit" value="Login" />
</div>
</form>
</center>
table
```

"index.pl"

```perl
#!/usr/bin/perl
use DBI;
use DBD::mysql;

local ($buffer, @pairs, $pair, $name, $value, %FORM);

# Read in text
$ENV{'REQUEST_METHOD'} =~ tr/a-z/A-Z/;
if ($ENV{'REQUEST_METHOD'} eq "GET") {
    $buffer = $ENV{'QUERY_STRING'};
}

# Split information into name/value pairs
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%(..)/pack("C", hex($1))/eg;
    $FORM{$name} = $value;
}

$username = $FORM{username};
$password = $FORM{password};
...
```
Any answers will be appreciated!

Re: why username and password http request showing on the web address
by Perlbotics (Archbishop) on Jan 18, 2015 at 15:32 UTC

    This is rather an HTTP/HTML question. First thing to do is to replace GET with POST (Content-Type: application/x-www-form-urlencoded). The former will put the attribute-value pairs into the HTTP request's URI (after index.pl and a question mark - the line you see in the browser's address bar).

    From a security point of view, this is still insecure. It can be improved by using HTTPS and/or message digesting the credentials.

    With respect to the Perl aspect of this question, have a look at CGI - it has been removed from the Perl core recently, so you might need to install it from CPAN. For a more modern approach have a look at Dancer or Mojolicious.

    Update (see question below): Have a look at the PRG pattern that avoids the browser's warning when reloading the page or using the back button.

      Changing GET to POST worked, but when I try to put this line in my code: Content-Type: application/x-www-form-urlencoded, when I reload the page there's a pop-up requesting to download the file. But thanks anyway, now the link doesn't show up.
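
The advice in the reply above (POST instead of GET, HTTPS, and the PRG pattern), as an added example that is not code from the thread: a version of index.pl that takes the credentials only from the POST body and answers a successful login with a redirect. `check_login`, the sample credentials and the redirect URL are hypothetical placeholders, and the HTTPS check assumes the web server sets `HTTPS=on` for TLS requests.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode an application/x-www-form-urlencoded string into a hash.
sub parse_form {
    my ($raw) = @_;
    my %form;
    for my $pair (split /&/, $raw) {
        my ($name, $value) = split /=/, $pair, 2;
        for ($name, $value) {
            $_ //= '';
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $form{$name} = $value;
    }
    return %form;
}

# Hypothetical stand-in for the DBI lookup elided in the question.
sub check_login { my ($u, $p) = @_; return $u eq 'demo' && $p eq 'constructed-password' }

# Build the complete CGI response (headers, blank line, body) for one request.
sub respond {
    my ($env, $in) = @_;
    # Accept credentials from the request body only, never from the URL.
    return "Status: 405 Method Not Allowed\nAllow: POST\nContent-Type: text/plain\n\nUse POST.\n"
        unless uc($env->{REQUEST_METHOD} // '') eq 'POST';
    # A POST body is still readable on the wire without TLS (assumes HTTPS=on is set).
    return "Status: 403 Forbidden\nContent-Type: text/plain\n\nHTTPS required.\n"
        unless lc($env->{HTTPS} // '') eq 'on';
    my $len = $env->{CONTENT_LENGTH} // '';
    return "Status: 400 Bad Request\nContent-Type: text/plain\n\nBad length.\n"
        unless $len =~ /^\d+$/ && $len <= 4096;
    my $body = '';
    read($in, $body, $len);
    my %form = parse_form($body);
    # Success: 303 redirect so reload/back never re-submits the form (PRG).
    # The target URL is a placeholder; a real application would also start a session here.
    return "Status: 303 See Other\nLocation: https://example.test/welcome.pl\n\n"
        if check_login($form{username} // '', $form{password} // '');
    # Failure: Content-Type describes this response (HTML), not the form encoding.
    return "Content-Type: text/html\n\n<p>Login failed.</p>\n";
}

# Under a web server use the real request; from a shell use a constructed sample.
my $sample = 'username=demo&password=constructed%2Dpassword';
open my $fake, '<', \$sample or die $!;
my $out = $ENV{GATEWAY_INTERFACE} ? respond(\%ENV, \*STDIN)
    : respond({ REQUEST_METHOD => 'POST', HTTPS => 'on', CONTENT_LENGTH => length($sample) }, $fake);
print $out;
```

The form in login.pl needs `method="POST"` to match. The browser sets `application/x-www-form-urlencoded` on the request by itself, while the script's own `Content-Type` header stays `text/html`.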