DaWolf has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, fellow monks.

I'm really ashamed... I'm designing a system that starts with a login screen. I check with an Access (argh) database if the user login and password are correct and then let him/her through.

The login code works perfectly with giving an error screen if both login and pass are wrong. So, I would like to separate things and give an error if the login is wrong and another one if the pass is wrong.

Well, it works perfectly with the pass, but for some weird reason, it doesn't give the error for the wrong login. Please, brothers, solve this mystery for me, since I'm stuck. Here's the code:
    #!c:/perl/perl
    use SysUtils;
    use CGI qw/:standard/;

    my $login = param('login');
    my $pass  = param('pass');

    my $dbh = SysUtils::Connect;

    # $login is interpolated straight into the SQL text; the query only
    # returns rows whose login column equals whatever was submitted.
    my $sth = $dbh->prepare_cached(
        "SELECT login, pass FROM usuarios WHERE login='$login'");
    $sth->execute;

    my ($l, $p);

    # fetchrow_array returns an empty list when no row matched, so the
    # loop body is skipped entirely for an unknown login.
    while (my @row = $sth->fetchrow_array()) {
        if ($login eq $row[0]) {
            $l = "go";
            if ($pass eq $row[1]) {
                $p = "go";
            }
            else {
                $sth->finish;
                $dbh->disconnect;
                SysUtils::Response2User("erro.htm",
                    "<span class=\"erro\">Invalid pass.</span>", "el", "$login");
            }
        }
        else {
            # Only reached for rows that already satisfied the WHERE clause,
            # so this branch cannot fire for a login that is not in the table.
            $sth->finish;
            $dbh->disconnect;
            SysUtils::Response2User("erro.htm",
                "<span class=\"erro\">Invalid login.</span>", "el", "$login");
        }
    }

    $sth->finish;
    $dbh->disconnect;
So, isn't that stupid? Why does one thing work and the other not? I've tried writing these if statements in many different fashions, but none worked...

Please help me, fellows.

Thanks in advance,

Er Galvão Abbott
a.k.a. Lobo, DaWolf
Webdeveloper
Re: Basic var verification problem - I'm ashamed to have to ask this...
by Fletch (Bishop) on Mar 25, 2002 at 02:39 UTC

    Not an answer to your question, but in general (security wise) it can be a bad idea to give away what authentication information was incorrect. If someone's trying to brute force their way in and doesn't know account names, and you tell them just the password was wrong, then you've told them they've got a valid account. Maybe not necessarily relevant in your particular application, but FYI.

      Pretty good point.

      But I still wanna know why it doesn't work...

      Er Galvão Abbott
      a.k.a. Lobo, DaWolf
      Webdeveloper
Re: Basic var verification problem - I'm ashamed to have to ask this...
by mattriff (Chaplain) on Mar 25, 2002 at 03:04 UTC
    My guess: if the login is incorrect, then no rows are returned. That means your attempt to call fetchrow_array returns undef, and thus the while loop is never executed at all.

    Another note: maybe this is a simplified version of your code, but you should probably check $login to make sure it doesn't contain any characters you don't want. Since it's used directly in the SQL query, a user could possibly use it to inject their own SQL query to be executed.

    DBI provides methods to help with that, with things such as the quote() method.

    - Matt Riffle

      Excellent point.

      Thanks.

      Er Galvão Abbott
      a.k.a. Lobo, DaWolf
      Webdeveloper
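A version of the check that addresses both replies above, as an added example that is not the original poster's code: the login is bound with a DBI placeholder instead of being interpolated into the SQL, the no-rows case is handled explicitly rather than left to a while loop that never runs, and the caller gets a single pass/fail answer instead of a hint about which field was wrong. It assumes DBD::SQLite is installed and uses a constructed in-memory table standing in for the Access "usuarios" table; SysUtils from the post is not used, and check_login_unsafe reproduces the post's interpolated query only to show what an injected login does to it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed sample data: an in-memory SQLite table in place of the
# Access "usuarios" table from the post (assumes DBD::SQLite is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE usuarios (login TEXT PRIMARY KEY, pass TEXT)");
$dbh->do("INSERT INTO usuarios (login, pass) VALUES (?, ?)",
         undef, 'lobo', 's3cret');

# Returns 1 on success, 0 on failure. Deliberately does not say whether
# the login or the password was wrong (Fletch's point), and treats
# "no row returned" as a failure explicitly (mattriff's point).
sub check_login {
    my ($dbh, $login, $pass) = @_;

    # Placeholder: the driver binds the value separately from the SQL
    # text, so a login such as  x' OR '1'='1  cannot change the query's
    # meaning. $dbh->quote($login) interpolated into the string would
    # also escape it, but placeholders are the simpler habit to keep.
    my $sth = $dbh->prepare_cached(
        "SELECT pass FROM usuarios WHERE login = ?");
    $sth->execute($login);

    # fetchrow_array returns an empty list when nothing matched, which
    # is exactly the case the original while loop silently skipped.
    my ($stored_pass) = $sth->fetchrow_array;
    $sth->finish;

    return 0 unless defined $stored_pass;   # unknown login
    return $stored_pass eq $pass ? 1 : 0;   # wrong or right password
}

# The interpolating query from the post, kept only to demonstrate the
# injection; returns the number of rows the query matched. Do not use.
sub check_login_unsafe {
    my ($dbh, $login) = @_;
    my $sth = $dbh->prepare(
        "SELECT login, pass FROM usuarios WHERE login='$login'");
    $sth->execute;
    my $rows = 0;
    $rows++ while $sth->fetchrow_array;
    $sth->finish;
    return $rows;
}

printf "good credentials:  %d\n", check_login($dbh, 'lobo',   's3cret');
printf "wrong password:    %d\n", check_login($dbh, 'lobo',   'wrong');
printf "unknown login:     %d\n", check_login($dbh, 'nobody', 's3cret');
printf "injected login:    %d\n", check_login($dbh, "x' OR '1'='1", 'x');

# Against the interpolated query the same login turns the WHERE clause
# into  login='x' OR '1'='1'  and matches every row in the table.
printf "injected login, interpolated query: %d row(s) matched\n",
    check_login_unsafe($dbh, "x' OR '1'='1");

$dbh->disconnect;
```

The three failure cases all return the same value, so the error page shown to the user can be the same one for each; the distinction is still available in server-side logs if the script records it there rather than in the response.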
Re: Basic var verification problem - I'm ashamed to have to ask this...
by DaWolf (Curate) on Mar 25, 2002 at 03:03 UTC
    Thanks to neshura for the solution.

    The case was that since the login was invalid, it didn't return any rows.

    Thanks a lot, neshura! :)

    Er Galvão Abbott
    a.k.a. Lobo, DaWolf
    Webdeveloper