in reply to Accessing information pulled from mysql

if(!$username){ relogin("Enter your username"); }elsif(!$password){ relogin("Enter your password"); }

This says if I have a username go ahead don't look at the next condition

I really don't know what I was smoking

You still want

if (!$username or !$password) { relogin('Username/Password pair not valid'); }

It stops you from giving too much information to someone who is trying to break in (e.g. "OK, I have the username right, now just work on the password").

another hint

my $sth = $dbh->prepare("SELECT * FROM info WHERE pword='$password'"); $sth->execute() or die "Couldn't do it: $DBI::errstr\n";

This will fail if the MD5'd password has a ' in it. Just imagine what that SQL will look like when $password is expanded. You can use placeholders to get around this:

my $sth = $dbh->prepare('SELECT * FROM info WHERE pword=?'); $sth->execute($password) or die "Couldn't do it: $DBI::errstr\n";

DBI will properly escape any characters that need to be escaped.



grep
Just me, the boy and these two monks, no questions asked.
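The two points in the reply above, placeholders instead of interpolation and a single generic login failure message, as an added runnable example (not code from the thread). It assumes DBD::SQLite and an in-memory copy of the poster's `info` table; every column name except `pword` is made up for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Digest::MD5 qw(md5_hex);

# Constructed in-memory stand-in for the poster's `info` table (needs
# DBD::SQLite; the column names other than pword are an assumption).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE info (username TEXT, pword TEXT, loan REAL)');
$dbh->prepare('INSERT INTO info VALUES (?, ?, ?)')
    ->execute('alice', md5_hex('s3cret'), 1200.50);   # MD5 as in the thread

# The interpolated form from the thread: a quote in the input ends up in the
# SQL text, so the statement is malformed (or, worse, changes meaning).
sub lookup_interpolated {
    my ($user) = @_;
    my $n = eval { $dbh->selectrow_array(
        "SELECT COUNT(*) FROM info WHERE username='$user'") };
    return defined $n ? "ok ($n rows)" : "SQL error: " . $dbh->errstr;
}

# Placeholder form: the value travels separately from the SQL, so a quote is
# just data. Both fields are required, the row is matched on username AND
# password (the bug the thread ends on), and one generic message covers every
# failure so the response does not reveal which half was wrong.
sub check_login {
    my ($user, $pass) = @_;
    my $fail = 'Username/Password pair not valid';
    return (0, $fail) unless length $user && length $pass;
    my $sth = $dbh->prepare(
        'SELECT username, loan FROM info WHERE username = ? AND pword = ?');
    $sth->execute($user, md5_hex($pass));
    my $row = $sth->fetchrow_hashref or return (0, $fail);
    return (1, $row->{loan});
}

print "interpolated, plain name : ", lookup_interpolated('alice'), "\n";
print "interpolated, with quote : ", lookup_interpolated("o'brien"), "\n";

for my $t (['alice', 's3cret'], ['alice', 'wrong'],
           ["o'brien", 's3cret'], ['', 's3cret']) {
    my ($ok, $msg) = check_login(@$t);
    printf "%-10s %-8s => %s\n", $t->[0], $t->[1], $ok ? "loan $msg" : $msg;
}
```

The interpolated lookup reports a SQL error for the name containing a quote, while the placeholder version treats the same input as an ordinary (unknown) username and returns the generic message.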

Accessing information pulled from mysql
by blaze (Friar) on Aug 17, 2002 at 19:42 UTC
    Thanks for the suggestions, grep. When I type a valid username and leave the password blank, it is giving me the correct message "Enter your password", so it is looking at the next condition. I did make the change to the prepare statement though, but actually I'm pretty sure my problem is in how I'm assigning the return values to the hash %info, because when I type in a valid username and an invalid password, it still gives me the 'invalid username' error even though it's a good username. If I type in the correct username and correct password, I get the loan amount printed on the page, which is also what it's supposed to do. Any other ideas?

    Thanks for the help

      One other hint is: always specify your field names in your SELECT statements. It helps track down problems like this (e.g. you know for certain that the column name is spelled correctly in your code, or your statement would fail). It also prevents MySQL from pulling extra information you do not need.

      Also, please mark the line your error is coming from. I miscounted lines (my browser doesn't make it easy, where an editor does) and was looking at the wrong code :(. It just helps us help you :).



      grep
      Mynd you, mønk bites Kan be pretti nasti...
        I finally got it. Because I was pulling from mysql where pword=$password, if the password was wrong then $user was blank, therefore causing an invalid username error even if the username was correct... I could shoot myself :)

        Thanks for the input, grep. Normally I would have a more general error message, but in this case, since I was trying to specify where I was getting an error (and since this is just for my wife anyway), I needed to keep the username and password errors separated so I could know where to look. I did change my select statement to specify my field names. Thanks again.