Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks, I was wondering if someone can help. I am trying to write a script that allows users to log on to my database. However, if a wrong username or password is entered the 'post' method still directs users to the database. I tried to write an if statement as below but this had no effect. Can anyone suggest a solution?? Cheers.

if ((!($username eq 'sugar')) && (!($password eq 'spice'))) {
    print "you have entered a wrong password!";
}

the code
#! /usr/bin/perl
use strict;
use DBI;
use CGI qw(:standard);
my($cgi);
$cgi = new CGI;
use CGI::Carp qw(fatalsToBrowser);
my ($title) = "DB: Log in";
print $cgi->header ();
print $cgi->start_html (-title=>"$title", -BGCOLOR=>"#ccddff", -style=>{'src' =>'style1.css'});
print "<table width=600 bgcolor=ffcc66><tr><td><b><i> DB: Log in</i></td></tr></table><p>";
my $username;
my $password;
print "<FORM METHOD=\"post\" ACTION=\"http://hostname/~user/cgi-bin/database/homepage.cgi\">";
print "<TABLE><TR VALIGN=\"baseline\"><TD VALIGN=\"baseline\"><h3>Enter user name</h3></TD><TD><INPUT TYPE=\"TEXT\" NAME=\"username\" SIZE=\"10\"></TD></TR><TR VALIGN=\"baseline\"><TD VALIGN=\"baseline\"><h3>Enter password</h3></TD> <TD><INPUT TYPE=\"password\" NAME=\"password\" SIZE=\"10\"></TD></TR><TD><INPUT TYPE=\"SUBMIT\" value=\"Log in\"></TABLE></FORM>";
$username = param('username');
$password = param('password');
print $cgi->end_html ();

Replies are listed 'Best First'.
Re: CGI + password problems
by jasonk (Parson) on Feb 19, 2003 at 13:55 UTC
    if ((!($username eq 'sugar')) && (!($password eq 'spice'))) {
        print "you have entered a wrong password!";
    }

    Your logic here is confused (and hard to read), you will get the error message only if the username and password are both wrong, if either one is right the script will continue.

    # I would write that check like this:
    unless (($username eq 'sugar') && ($password eq 'spice'))
    # or, if you don't like unless
    if(($username ne 'sugar') || ($password ne 'spice'))

    Also, assuming the assignments to $username and $password near the bottom of your script are where you intend to add this code, you need to rethink your design, it isn't going to work the way you want it to, as the form printing and submission checking are going to be two distinct stages in CGI.

Re: CGI + password problems
by rdfield (Priest) on Feb 19, 2003 at 14:00 UTC
    So, if I understand correctly, when you insert the code that displays the error message, it displays the error message. You might want to think about the logic of your code: if the error message is displayed you might want your code to display a different page, or perhaps redirect the user back to the original login page.

    If you are using mod_perl you could look at using the Apache::Auth* modules to help you, otherwise you could look into htaccess files.

    (If you're not using Apache, perhaps you should mention it, and some other monks may have pertinent advice).

    rdfield
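
The two stages jasonk describes and the re-display rdfield suggests, as an added example that is not part of either reply: one CGI script prints the form on a plain request and checks the submitted values on POST before showing anything else. The sub names, the %account hash and the page text are assumptions; the credentials are the ones hard-coded in the question.

```perl
#!/usr/bin/perl
# Added example: one CGI script handling both stages of the login.
use strict;
use warnings;
use CGI qw(:standard);

# Credentials hard-coded only because the question does so; a real
# site would check a salted password hash kept outside the script.
my %account = (user => 'sugar', pass => 'spice');

# True only when BOTH values match (the inverse of the "ne ... || ne" test).
sub credentials_ok {
    my ($username, $password) = @_;
    return 0 unless defined $username && defined $password;
    return ($username eq $account{user} && $password eq $account{pass}) ? 1 : 0;
}

# Stage 1: build the form, optionally preceded by an error message.
sub login_form {
    my ($error) = @_;
    return join '',
        start_html(-title => 'DB: Log in'),
        ($error ? p(b(escapeHTML($error))) : ''),
        start_form(-method => 'POST'),    # no action: posts back to this script
        p('Enter user name ', textfield(-name => 'username', -size => 10)),
        # -override stops CGI.pm from echoing the submitted password back.
        p('Enter password ',
          password_field(-name => 'password', -value => '',
                         -size => 10, -override => 1)),
        submit(-value => 'Log in'),
        end_form(),
        end_html();
}

print header();
if (request_method() && request_method() eq 'POST') {
    # Stage 2: a submission arrived, so check it before showing anything.
    if (credentials_ok(scalar param('username'), scalar param('password'))) {
        print start_html(-title => 'DB'), p('Logged in.'), end_html();
    }
    else {
        print login_form('You have entered a wrong user name or password!');
    }
}
else {
    print login_form();    # first visit: nothing submitted yet
}
```

Because the question's form posts straight to homepage.cgi, a check placed in the login script never sees the submitted values; the script that receives the POST has to make the decision.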

Re: CGI + password problems
by OM_Zen (Scribe) on Feb 19, 2003 at 15:24 UTC
    Hi ,

    The passwd and usernm should be different from 'spice' and 'sugar' respectively for the error to show ( the both the usernm and passwd should change together from their values then only it shall error) in accordance to the post

    if (($usernm ne 'sugar') || ($passwd ne 'spice')){
        print " the error of authorization \n";
        #.......
    }


    this shall be like the usernm should be sugar and the passwd should be spice, if either one changes the error is shown
Re: CGI + password problems
by Coruscate (Sexton) on Feb 20, 2003 at 06:58 UTC

    Your original question has been answered, but I'd just like to point out a better way of printing out text to the user. You have the following snippet of code:

    print "<FORM METHOD=\"post\" ACTION=\"http://hostname/~user/cgi-bin/database/homepage.cgi\">";
    print "<TABLE><TR VALIGN=\"baseline\"><TD VALIGN=\"baseline\"><h3>Enter user name</h3></TD><TD><INPUT TYPE=\"TEXT\" NAME=\"username\" SIZE=\"10\"></TD></TR><TR VALIGN=\"baseline\"><TD VALIGN=\"baseline\"><h3>Enter password</h3></TD> <TD><INPUT TYPE=\"password\" NAME=\"password\" SIZE=\"10\"></TD></TR><TD><INPUT TYPE=\"SUBMIT\" value=\"Log in\"></TABLE></FORM>";

    That hurts the eyes a lot and is difficult to read and would be a nightmare to maintain. You might want to look up on how to use qq() to print out text to the user in a way in which you wouldn't have to backslash all the double quotes. Also, I'm sorry to say it, but the html itself is horrendous. You use H3 tags within a table cell just to enlarge the text a bit. There is in existence a th tag that will boldface the text within a cell for you. Sorry if I make this sound harsh, but I think you need to spend some major time learning html a little better. BTW, the valign='baseline' attributes won't do much for you. Uch. Myself, I would rewrite that like this:

    print start_form({ method => 'post', action => 'http://hostname/.../homepage.cgi' }),
      table(
        Tr(
          th( {align=>'left'}, 'Enter Username:' ),
          td( textfield('username') )
        ),
        Tr(
          th( {align=>'left'}, 'Enter Password:' ),
          td( password_field('password') )
        ),
        Tr(
          th( {colspan=>2}, submit('Login') )
        )
      ),
      end_form();


    Update: Cool! I got node_id 237000. Nice round number :)


    If the above content is missing any vital points or you feel that any of the information is misleading, incorrect or irrelevant, please feel free to downvote the post. At the same time, reply to this node or /msg me to tell me what is wrong with the post, so that I may update the node to the best of my ability. If you do not inform me as to why the post deserved a downvote, your vote does not have any significance and will be disregarded.