Hi Phweda,
I would suggest not calling an external program at all. Digest::MD5 has been in the Perl core since v5.8.
use Digest::MD5 qw/md5_hex/;
print md5_hex("123456"), "\n";
__END__
e10adc3949ba59abbe56e057f20f883e
(Update: Corion was a bit quicker than me ;-) )
Unfortunately, your code appears to have multiple security holes. As unpleasant as it might be to hear, such holes are nowadays considered quite serious. If this CGI script is public-facing, or anyone untrusted is using it, I have to recommend against using this script.
- You're calling an external command with apparently unchecked user input ("open( CLIMD, "/usr/bin/md5sum --string=\"$newhashpassword\" |");"). I wrote about that, and ways to avoid it, here (although in this case the solution is even simpler: not calling an external program at all).
- SQL injection (e.g. "$dbh->prepare("SELECT ... WHERE ... email = '$FORM{EMAIL}'");"). You can read about that here; use DBI's placeholder feature instead.
- Your code seems to be vulnerable to a Cross-site scripting (XSS) attack, see also this. (Update: You could use CGI's escapeHTML() function.)
I am also wondering about what sub ParseForm looks like. It's possible that some verification of the input might be done there that reduces the risk of the above, but until that is clear, it's better to err on the side of caution.
In regards to your question here: F447B20A7FCBF53A5D5BE013EA0B15AF is the MD5 sum of the string "123456\n".
Hope this helps,
-- Hauke D
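To illustrate the three fixes the reply recommends (hashing in-process with Digest::MD5, DBI placeholders instead of interpolating $FORM{EMAIL}, and CGI's escapeHTML() for output), here is an added Perl example that is not from Phweda's script or from the reply above. It assumes DBD::SQLite and the CGI module are installed; the users table, the email addresses and the column names are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use DBI;
use CGI ();

# 1. Hash the password in-process: no shell, so no quoting or injection
#    problem. chomp matters because a trailing newline changes the digest
#    (the "123456" versus "123456\n" case discussed in the reply).
sub password_digest {
    my ($pw) = @_;
    chomp $pw;                       # drop a trailing newline from form/STDIN input
    return md5_hex($pw);
}

# 2. Look up a user with a DBI placeholder. The email is passed as a bind
#    value, never pasted into the SQL text, so quotes in it are just data.
sub lookup_user {
    my ($dbh, $email) = @_;
    my $sth = $dbh->prepare('SELECT id, email, pwhash FROM users WHERE email = ?');
    $sth->execute($email);
    return $sth->fetchrow_hashref;   # undef when nothing matches
}

# 3. Escape anything user-supplied before echoing it into HTML.
sub safe_html {
    my ($text) = @_;
    return CGI::escapeHTML($text);   # & < > " become entities
}

# --- demo with constructed data (hypothetical table and rows) -------------
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pwhash TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (email, pwhash) VALUES (?, ?)');
$ins->execute("o'brien\@example.com", password_digest("123456\n"));

print password_digest("123456"),   "\n";  # e10adc3949ba59abbe56e057f20f883e
print password_digest("123456\n"), "\n";  # same digest, chomp removed the newline
print md5_hex("123456\n"),         "\n";  # f447b20a7fcbf53a5d5be013ea0b15af (the value from the reply)

# A single quote in the input neither breaks the query nor changes its meaning.
my $row = lookup_user($dbh, "o'brien\@example.com");
print "found: $row->{email}\n";

# Echoing input back into a page: markup is rendered as text, not executed.
print safe_html('<b>name</b> & "quotes"'), "\n";
```

The lookup and insert share the same pattern: SQL text is a constant with `?` markers, and every user-controlled value travels through execute(). That is the whole of the SQL-injection fix; no quoting or filtering of $FORM{EMAIL} is needed for it.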