I'm building a little program that will allow my client to update her own "Tip of The Week" page, on an otherwise static site.
The "back-end" is a text file, and the script dumps the contents when the script is called pristinely. Passing parameters allows the page content to be updated.
The page is only meant to be accessed by a signed in user. I created a simple little log-in screen, but its not even close to providing real security.
This is to run in a shared unix hosting environment to which I have only ftp access.
I am thinking about coming up with some kind of temporary, date-based key which could be passed via cgi and generated at auth time. I know I'm just playing with matches, though.
Thanks for reading.
Here's what I wrote:
#!/usr/bin/perl # authtip2.pl - authenticate to change the tip of the week. use CGI; my $pwfile = "pw.dat"; my @begindate = split (/ /, scalar localtime); my ($dow,$mon,$day,$hh_mm_ss,$tz,$yyyy) = @begindate; my $query = CGI->new(); my $status = $query->param('status'); my $user = $query->param('user'); my $pass = $query->param('pass'); my $hidden = $query->param('hide'); my %auth = ($user => $pass); $myself = $query->url; if (defined $user) { &TEST($user); } &HEADER; if (defined $status) { print $query->h3( "$status $hidden" ); } &SIGN_IN_FORM; sub HEADER { my $status = shift; print $query->header( "text/html" ), $query->start_html(-title => "Tip Authenticator", -style=>{'src'=>'../mystyle.css'}), $query->h1( "Tip Changer Sign-In $hidden" ); } sub SIGN_IN_FORM { $myself = $query->url; print ' <form method="get" action=', $myself, ' name=""> <p> <font face="Elephant"> <input type="text" name="user"> user name</font></p> <p> <font face="Elephant"> <input type="password" name="pass"> password</font></p> <p> <font face="Elephant"> <input type="hidden" name="hidden" value="logged_in"> <input type="submit" name="Submit" value="Submit"> </font> </form> '; } sub TEST { open (PW, "pw.dat") or die "$! Couldn't open pw file"; while (<PW>) { chomp; my @record = split /:/; next unless $record[0] eq $user; $auth{$user} eq $record[1] ? return (&validuser) : return(print $query->redirect("$myself?status=Incorrect Passwo +rd")) ; } print $query->redirect("$myself?status=Bad User Name"); } sub validuser { print $query->redirect("http://localhost/tip2.pl?status=$key"); }
I don't need fort knox here, but I don't want to create a massive vulnerability. Is there a module I should be reading up on?
The other part script displays and updates the Tip of the Week.
#!/usr/local/bin/perl -w # Tip of The Week editor, generator use strict; use CGI; $| = 1; my $query = CGI->new(); my $selfurl = $query->self_url; open (TIP, "tip.txt") or die "$! Sorry, contact admin"; my @input = $query->param(); my $tipdata = $query->param('formdata'); my $publish = $tipdata; $tipdata = <TIP> unless (defined $tipdata); close (TIP); &header; &init_javascript; unless (@input) { &Display_page_for_enduser; } if ($publish) { open (TIP, ">tip.txt") or die; print TIP "$publish"; close (TIP); } print $query->h2($tipdata); &showtiptext($tipdata); &print_table; &publish($tipdata); sub header { print $query->header( "text/html" ), $query->start_html(-title => "Tip Editor", -style=>{'src'=>'smc_style.css'}) ,$query->h1("Tip Editor") } sub showtiptext { my $myself = shift; print $query->start_form(-method=>"post", -action=>"$selfurl" ); print $query->textarea(-name=>'formdata', -default=>"$myself", -rows=>5, -columns=>50), $query->br; print $query->submit(-name=>'submit', -value=>'submit'); print $query->endform; } sub print_table { print ' <table width="368" border="0" cellspacing="1" align="center" height="1 +74" cellpadding="4" background="/images/sunset3.jpg"> <tr valign="top"> <td width="372" height="119" class="text"> <p><img aLIGN=left src="/pics/robinSmile.jpg" width="93" height= +"92"> <b>Robin Says: '; print $query->p, $query->b("$tipdata"), $query->br; print '</b></td></tr></table> <div align="center"> <a href="javascript:closeWindow()" onMouseOut="MM_swapImgRestore()" onMouseOver="MM_swapImage("closeWindow","","slices/closeWindow_o.gi +f",1);" > <img name="closeWindow" src="../slices/closeWindow.gif" width="109" height="15" border="0"> </a> </div> '; } sub publish { my $myself = shift; print $query->start_form(-method=>"post", -action=>"$selfurl" ); print $query->hidden( -name => "filebait" , -value => "$myself"); print $query->submit(-name=>'publish', -value=>'publish'); print $query->endform; } sub Display_page_for_enduser { &print_table; die; }
Thanks for reading.
edited: Mon May 12 14:29:15 2003 by jeffa - readmore tags
In reply to Beginner CGI programming, authentication by mkahn
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |