There are some other problems with your code:

    #!/usr/bin/perl
    local ($buffer, @pairs, $pair, $name, $value, %FORM);
    # Read in text
    $ENV{'REQUEST_METHOD'} =~ tr/a-z/A-Z/;
    if ($ENV{'REQUEST_METHOD'} eq "POST") {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
    }else {
        $buffer = $ENV{'QUERY_STRING'};
    }
    # Split information into name/value pairs
    @pairs = split(/&/, $buffer);
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%(..)/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
    my $old_pass = $FORM{oldpass};
    my $new_pass = $FORM{newpass1};
    my $new_pass2 = $FORM{newpass2};
    print "Content-type:text/html\r\n\r\n";
    use CGI;

(1) Get rid of all that manual CGI handling. It looks like it was copied from some Perl 4 script, it can't handle multipart forms, and it is completely redundant. You already loaded CGI, so use it:

    use CGI qw( param header );
    # Read the form fields through CGI.pm instead of parsing them by hand
    my $old_pass=param('oldpass');
    my $new_pass=param('newpass1');
    my $new_pass2=param('newpass2');
    print header({-type=>'text/html'});

(2) Choose one indent style, and use it consistently. It costs far too much time to follow the code with this messy indent.

(3) Unless you need to pass the password to some other system, encrypting it is dangerously wrong. Especially if your code contains the encryption key in plain text. The safe approach to handling passwords is to salt (add some random value) and hash them using a strong hash algorithm. Forget MD4 and MD5, they are nearly broken. Use bcrypt and be prepared to change the hashing algorithm in the future. To verify a password, salt it with the stored salt value and hash it, then compare the stored hash value with the freshly calculated hash value.

(4) You allow changing the password using GET requests. This will make both the old and the new password appear in clear text in the web server logs, and in the browser history. Use only POST requests for checking and changing passwords. They can be logged, too, but they aren't by default.

(5) RFC 2616 states that "the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval", i.e. you should actively prevent changing the password using anything other than a POST request.

Alexander

--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re: Getting issue with encrypt / decrypt by afoken
in thread Getting issue with encrypt / decrypt by merafiq
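
Points (3) to (5) of the reply above, put together as an added example that is not code from the thread or from the original script. It assumes the CPAN module Crypt::Eksblowfish::Bcrypt is installed, that /dev/urandom is available, a work factor of 12, and it keeps the stored hash in a variable as a constructed stand-in for a real user store.

```perl
# Added example, not code from the thread. Assumes the CPAN module
# Crypt::Eksblowfish::Bcrypt is installed and /dev/urandom exists.
use strict;
use warnings;
use CGI qw( param header request_method );
use Crypt::Eksblowfish::Bcrypt qw( bcrypt en_base64 );

my $COST = 12;    # assumed work factor; raise it as hardware gets faster

# Return a bcrypt string that embeds algorithm, cost and a fresh random salt.
sub hash_password {
    my ($password) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    read($fh, my $salt, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return bcrypt($password,
        '$2a$' . sprintf('%02d', $COST) . '$' . en_base64($salt));
}

# Re-hash the candidate with the settings stored in $stored, then compare
# without stopping at the first differing byte.
sub verify_password {
    my ($password, $stored) = @_;
    my $fresh = bcrypt($password, $stored);
    return 0 unless defined $fresh && length($fresh) == length($stored);
    my $diff = 0;
    $diff |= ord(substr($fresh, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0;
}

# Refuse anything but POST before touching the password parameters.
if ((request_method() // '') ne 'POST') {
    print header(-status => '405 Method Not Allowed', -allow => 'POST',
                 -type   => 'text/plain'), "Use POST\n";
    exit;
}

# Constructed stand-in for the hash a real script loads from its user store.
my $stored = hash_password('constructed-old-password');
my ($old, $new1, $new2) = map { param($_) // '' } qw( oldpass newpass1 newpass2 );
print header(-type => 'text/plain');
if (!verify_password($old, $stored)) {
    print "Old password is wrong\n";
} elsif ($new1 eq '' or $new1 ne $new2) {
    print "New passwords are empty or do not match\n";
} else {
    $stored = hash_password($new1);    # store this string, never the password
    print "Password changed\n";
}
```

Because the bcrypt string carries its own algorithm tag, cost and salt, a later change of cost or algorithm only needs a re-hash at the user's next successful login.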
