Re^16: global var

Replies are listed 'Best First'.
Re^17: global var by tultalk (Monk) on Apr 11, 2017 at 18:09 UTC
Test Program Error Log `Can' find the log Padre file` [download] Real Program Error log: found:/home/jalamior/www/httpsdocs/cgi-bin/lib/perl/manageusers.pm at update_tables-development.cgi line 41. Tue Apr 11 11:26:22 2017 update_tables-development.cgi: found:/home/jalamior/www/httpsdocs/cgi-bin/lib/perl/manageusers.pm at update_tables-development.cgi line 41. Can't opendir /usr/local/apache/lib/perl: No such file or directory at update_tables-development.cgi line 38. Tue Apr 11 11:26:22 2017 update_tables-development.cgi: Can't opendir /usr/local/apache/lib/perl: No such file or directory at update_tables-development.cgi line 38. `Line 30 use manageusers qw($LoggedOn_user_id); { use strict; use warnings; my %wanted; $wanted{manageusers}=1; for my $inc (@INC) { opendir (my $dh,$inc) \|\| warn "Can't opendir $inc: $!"; while (my $file=readdir $dh) { if ($file=~m/(.*)[.]pm$/) { if ($wanted{$1}) { warn 'found:'.$inc.'/'.$file; } } } closedir $dh; } }` [download] You say: and saying And later I populate the variable with the desired data is easy, proving it is not as easy. So cut and paste ALL of manageusers::OpenConnection() and ALL of every subroutine it calls to prove that you do set $manageusers::LoggedOn_user_id properly every time and dont set it back to zero somewhere else. I don't understand the question. Search all fdiles on manageusers::OpenConnection(); yields 10 hits. `manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection(); manageusers::OpenConnection();` [download] They all call the same function #--------------------------------------------------------------------- +---------- # Database Conection Functions #--------------------------------------------------------------------- +---------- # FUNCTION: OpenConnection() # DESCRIPTION: Connect to the MySQL database #--------------------------------------------------------------------- +---------- sub OpenConnection { my $localtimenow = localtime(Now()); $dbh = DBI->connect($dsn,$sql_username,$sql_password) or ErrorMessage("Could not connect to the database."); warn("Open Connection-JustBefore returning database handle: '$dbh' + Current Time: '$localtimenow'"); return $dbh; } [download] You say: prove that you do set $manageusers::LoggedOn_user_id properly every time and dont set it back to zero somewhere else It is oly populated at two places. For a new logged on user it gets the id from the session table. For an already logged on user (cookie expires 7 days) it get the ID from the session table based on the SID lookup. `New login warn("Hash evaluation succeded - $passhash = $passhash1 : $sessiondata +2 = $sessiondata2md5p"); my $timein = time(); $session->param('user_id',$uid); $session->param('username',$username); $session->param('forename', $forename); $session->param('lastname', $lastname); $session->param('timein', $timein); $session->param('timeout', 0); $session->param('attempts',0); $session->param('isloggedin',1); $session->expires('+7d'); $LoggedOn_user_id = $uid; #$session->param("user_id");` [download] `Already logged on if ($status == 1) { warn("Process Login returning after confirmed already logged in: s +tatus: '$status' sessionname: '$sessionname' SID: '$sid'"); my $username1 = $session->param("user_id"); warn("username1 : '$username1'"); $LoggedOn_user_id = $username1; warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'");` [download]	[reply] [d/l] [select]
Re^18: global var by huck (Prior) on Apr 11, 2017 at 18:33 UTC
are those log messages from both the one that was failing and the one that worked? its hard to tell IF the only thing you call in the working example is manageusers::OpenConnection() then why you you expect $manageusers::LoggedOn_user_id to be anything but zero? So You have yet to prove that you are actually setting $manageusers::LoggedOn_user_id by code that is being run anywhere. Show us all of the subroutines that contain the following code and any subroutines they call New login warn("Hash evaluation succeded - $passhash = $passhash1 : $sessiondata +2 = $sessiondata2md5p"); my $timein = time(); $session->param('user_id',$uid); $session->param('username',$username); $session->param('forename', $forename); $session->param('lastname', $lastname); $session->param('timein', $timein); $session->param('timeout', 0); $session->param('attempts',0); $session->param('isloggedin',1); $session->expires('+7d'); $LoggedOn_user_id = $uid; #$session->param("user_id"); [download] Already logged on if ($status == 1) { warn("Process Login returning after confirmed already logged in: s +tatus: '$status' sessionname: '$sessionname' SID: '$sid'"); my $username1 = $session->param("user_id"); warn("username1 : '$username1'"); $LoggedOn_user_id = $username1; warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'"); [download] In particular where $uid gets set before you run `$LoggedOn_user_id = $uid;`. and i can become any user i want to be by manipulating the user_id parm i send back to you, that doesnt seem very secure does it? It is easy to create code that sends back any value i want in the user_id field	[reply] [d/l] [select]
Re^19: global var by tultalk (Monk) on Apr 11, 2017 at 20:14 UTC
are those log messages from both the one that was failing and the one that worked? its hard to tell. The one that failed. No log from the one that worked . Ran in Padre and can't find log. "You have yet to prove that you are actually setting $manageusers::LoggedOn_user_id by code that is being run anywhere." The rwo code blocks above do exactly that. Entire code at end Filled with comments You say: In particular where $uid gets set before you run $LoggedOn_user_id = $uid; . $uid is popuated earlier in processing a new logon. "and i can become any user i want to be by manipulating the user_id parm i send back to you, that doesn't seem very secure does it? It is easy to create code that sends back any value i want in the user_id field" That makes no sense to me. When a legitimate user tries to log in, the username and password are encrypted and sent back for comparison to the username/password from the database as encrypted by the same algorithm on the server. #--------------------------------------------------------------------- +---------- # FUNCTION: ProcessLogonRequest($query) # DESCRIPTION: Client requests log in: create session and send encrypt +ion data #--------------------------------------------------------------------- +---------- sub ProcessLoginRequest { my ($query) = @_; my $status = 0; # $sessionname = 'CGISESSID'; # my %cookies = CGI::Cookie->fetch; # my $sid = $cookies{$sessionname}->value; my $sid = GetUserSessionCookie(); warn("ProcessLoginRequest Query: '$query'"); warn("ProcessLoginRequest SID from cookie: '$sid'"); #Check if it got valid return from fetch cookie if ($sid ne 0){ $status = 1; } #Or, check if valid return from cgi query elsif($query){ # if (exists $query{$sessionname}){ $sid = $query->param($sessionname); if ($sid){ warn("ProcessLogin Request SID from Query: '$sid'"); $status = 1; } else{ $sid = undef; $status = 2; } } else { #Set up for creating a new session $sid = undef; $status = 2; } # $sid = '7032f2c7f5a2c721a483dc75fc29595e'; $session = new CGI::Session("driver:MySQL", $sid, {Handle=>$dbh}); warn("session = '$session'"); OpenSession($dbh,$sid); $session->param("#<expires>#",0); $session->param("isloggedin",0); $session->flush(); $sid = $session->id(); warn("ProcessLogin Request SID from from session create: '$sid'"); my $sessiondata1 = $sid; #id created by CGI::Session; if ($status == 1) { warn("Process Login returning after confirmed already logged in: s +tatus: '$status' sessionname: '$sessionname' SID: '$sid'"); my $username1 = $session->param("user_id"); warn("username1 : '$username1'"); #my ($digits) = $text =~ /(\d+)/; #my ($user_id) = $username1 =~ /(\d+)/; #my $text = $username1; #$text =~ m/(\d+)/; #my $num = $1; #warn("num: '$num'"); #$username1 =~ m/(\d+)/; $LoggedOn_user_id = $username1; warn("Already logged on LoggedOn_user_id : '$LoggedOn_user_id'"); + #$LoggedOn_user_id = 428; $adminaccess = ($username1 eq "admin"); warn("username1: '$username1'"); warn("adminaccess: '$adminaccess'"); $session->param("isloggedin",1); $session->param('timein', time()); $session->flush(); return (1, "Your previous session is still valid. You are now logg +ed in.", $sid, 0); } warn("Process Login after verify not logged in and new session: stat +us: '$status' sessionname: '$sessionname' SID: '$sid'"); #Random hash for encoding password my $seed_number = CreateRandomSequence(10, 1); my $seed_string = CreateRandomSequence(10, 0); my $sessiondata2 = md5_hex($ipaddress . $seed_number . $seed_string) +; $session->param('sessiondata2',$sessiondata2); $session->expires('+7d'); # Expires($session, Now() + 600); $session->flush(); my $localtimenow = localtime(Now()); warn("Process Login Request localtime(rightnow) = '$localtimenow'"); return (2, $sessionname, $sessiondata1, $sessiondata2); } [download] sub LoginUser { my ($query) = @_; my ($day, $month, $year) = (localtime())[3,4,5]; my $localtimenow = localtime(Now()); $month = $month + 1; $year = $year + 1900; warn("Day: '$day' Month: '$month' Year: '$year'"); my $currentdate = sprintf("%04d-%02d-%02d",$year,$month,$day); # warn("LoginUser-JustBefore Open Session Current Time: '$localtim +enow'"); my $sid = $query->param('CGISESSID'); if (!$sid){ warn("Invalid SID at LoginUser "); return 0; } warn("LoginUser-JustBefore Open Session Current Time: '$localtime +now'"); OpenSession($dbh,$sid); warn("LoginUser session: '$session' sid: '$sid'"); my ($result, $login_timeout) = checkTimeinAttempts(); warn("Returned result LoginUsercheckTimeinAttempts $result"); if (($result == 0) \|\| ($result == 4) \|\| ($result == 5)) { if ($result == 5) { warn("Returned result 5: $result"); # $session->delete(); # $session->flush(); return ($result, $login_timeout); } else{ warn("Returned result other than 5: '$result'"); # $session->delete(); # $session->flush(); return $result; } } my $username = $query->param("username"); my $sessiondata2 = $query->param("sessiondata2"); my $passhash = $query->param("passhash"); $adminaccess = ($username eq "admin"); warn("For AdminControl: $username"); warn("For AdminControl: $adminaccess"); my $SQL = qq\|select user_id, password, forename, lastname, expire +from $sql_user_table where username = '$username'\|; warn("Ready to execute SQL: $SQL"); warn("LoginUser-JustBefore Execute Query Current Time: '$localtim +enow'"); my $sth = ExecuteQuery($SQL); my ($uid,$password,$forename,$lastname,$expiredate) = $sth->fetchr +ow_array(); $sth->finish; warn ("LOGIN ATTEMPT USER INFORMATION Uid: $uid username: $usernam +e password: $password ipaddress: $ipaddress"); # if we get an invalid username disconnect,disconnect and return w +ithout access if (!$uid) { warn("Invalid Password manageusers Retrun 0"); # $session->delete(); # $session->flush(); return 0; } # if the users expire date is less then the current date, disconne +ct and # return without access #strip characters so numeric comparison caan be made $expiredate =~ s/-//g; $currentdate =~ s/-//g; warn(" Expire Date: '$expiredate' Current Date: '$currentdate +' "); if($expiredate < $currentdate){ # $session->delete(); # $session->flush(); return 2; } else { $sid = $session->id(); my $sessiondata2s = $session->param('sessiondata2'); # warn("sessiondata2 from session: '$sessiondata2s'"); my $sessiondata2md5p = md5_hex($password . $sessiondata2s); my $passhash1 = md5_hex($password . $username); if (($passhash ne $passhash1) \|\| ($sessiondata2 ne $sessiondata2md5p)) { warn ("SID: '$sid' username: '$username' password: '$password +'"); warn("Hash evaluation failed - $passhash = $passhash1 : $sess +iondata2 = $sessiondata2md5p"); # $session->delete(); # $session->flush(); return 0; } warn("Hash evaluation succeded - $passhash = $passhash1 : $sess +iondata2 = $sessiondata2md5p"); my $timein = time(); $session->param('user_id',$uid); $session->param('username',$username); $session->param('forename', $forename); $session->param('lastname', $lastname); $session->param('timein', $timein); $session->param('timeout', 0); $session->param('attempts',0); $session->param('isloggedin',1); $session->expires('+7d'); $LoggedOn_user_id = $uid; #$session->param("user_id"); #$LoggedOn_user_id = $username =~ /(\d+)/; warn("New User Login LoggedOn_user_id : '$LoggedOn_user_id'"); + #$LoggedOn_user_id = 428; #Expires($session, Now() + (86400*7)); AccessInOutLog($session); #Added 02/18/05 my $isloggedin = $session->param('isloggedin'); warn("Login User : SID '$sid' Session Logged In '$isloggedin' +"); $session->flush(); #Set session cookie on client SetUserSessionCookie('CGISESSID', $sid); my $gmtimenow = gmtime(Now()); my $localtimenow = localtime(Now()); return 3; } } [download]	[reply] [d/l] [select]
Re^20: global var by huck (Prior) on Apr 11, 2017 at 23:44 UTC
Re^21: global var by tultalk (Monk) on Apr 19, 2017 at 02:28 UTC
Re^21: global var by tultalk (Monk) on Apr 20, 2017 at 22:42 UTC
Re^17: global var by Anonymous Monk on Apr 11, 2017 at 21:16 UTC
This is how you write that shorter and better `use WHATEVER(); ## no imports, repeat for all failing modules BEGIN{warn join "\n" , %INC, " " } ## log which files were loaded` [download]	[reply] [d/l]
Re^18: global var by huck (Prior) on Apr 11, 2017 at 21:51 UTC
No it isnt, notice i didnt stop when i found it, like use/require does.	[reply]
Re^19: global var by Anonymous Monk on Apr 11, 2017 at 22:33 UTC
No it isnt, notice i didnt stop when i found it, like use/require does. Why is that important? use/require only load one file	[reply]
Re^20: global var by huck (Prior) on Apr 11, 2017 at 22:59 UTC
Re^21: global var by Anonymous Monk on Apr 12, 2017 at 00:06 UTC
Some notes below your chosen depth have not been shown here