Hello again.
I have a couple of questions about how you are testing this, because what you state and how you claim your code is running don't necessarily make sense.
First, is your password field inside your HTML file named "pass" or "password"? You attempt to get both of them at two different points toward the top of your code shown; you get the "password" param in the 'collect data from form' section, and then you get the "pass" param in the 'Cookie junk' section. You should choose one, stick with it, and only get it from the CGI once. Unless, of course, you have both. In which case I'm really confused.
Second, when you say "And if the HTML form is submitted empty, it prints "test" instead of erroring out and doesn't print the login form.", have you already run this at least once, and therefore you have the "filemanager" cookie set on your browser? If that is the case, then when you test for the existence of $tasty, your code calls &processing; and then quits. The "password checking" and "cookie setting" parts of your code appear to never get run once the "filemanager" cookie is set the first time.
Now, I have a couple of tips that I spotted right off the bat.
- You're not taint checking. Use the -T flag on the shebang line.
- Don't store your users database file inside the directory structure of your webserver. Put it somewhere that can be seen from your script, but where it can never possibly be served up by the web server. You never know how it might get served up.
- See Ovid's CGI Course Lesson Three and search for "Security by Obscurity" to learn why you shouldn't have the use CGI::Carp qw(fatalsToBrowser); line in your script...
- In your "Password checking" section, you have a closing </form> tag, but no opening <form> tag. Also, your closing form tag should be after the </table> tag, just as the opening <form> tag should be before the opening <table> tag.
- Also in the "Password checking" section, you again retrieve the username and password. The same with the split line that gets the specific user information. I don't see why this would be necessary, as the variables you're using are already defined.
- It's a bad idea to give different messages for "user not found" vs. "bad password." You're giving the user too much information. Doing so means that the user can keep banging on your script gathering which usernames are valid, thereby significantly reducing further work in trying to break in (I'm assuming a determined cracker here) via any form of concerted password attack. Provide one and only one error message for both cases.
Also, I provided you mostly-fully-working code yesterday, and pretty much noted the pieces that were shown to be called but missing from my post. bmann also provided a link to Ovid's CGI course. I highly recommend that as well. I learned a bunch of stuff on how to handle things in CGI from that course.
I hope that the above helps, or at least provides more ideas for you to work with. If you have questions about my node from yesterday, feel free to go back and reply to it with your questions (same goes for this node.) I'll be happy to answer.
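As an added illustration (not the original poster's script nor the code from the earlier reply), here is a minimal login check that applies the tips above: taint mode on the shebang, the password param read once under a single name, the users file kept outside the document root, no fatalsToBrowser, and one error message for both "no such user" and "wrong password". Assumed: the users file is /home/site/private/users.txt with one "user:sha256hex" line per account, and the form fields are named "username" and "password".

```perl
#!/usr/bin/perl -T
# Added example; paths, field names and file format are assumptions.
use strict;
use warnings;
use CGI qw(param header escapeHTML);
use Digest::SHA qw(sha256_hex);

$ENV{PATH} = '/bin:/usr/bin';   # -T requires a safe PATH before any exec/system

# Assumed location: readable by the script, never served by the web server.
my $users_file = '/home/site/private/users.txt';

# Read each form field exactly once, under one name.
my $username = param('username') // '';
my $password = param('password') // '';

# Untaint the username by extracting a conservative character set.
my ($clean_user) = $username =~ /\A([A-Za-z0-9_]{1,32})\z/;

# Single outcome for "user not found" and "bad password": the caller
# cannot tell which usernames exist from the response.
my $ok = 0;
if (defined $clean_user && length $password) {
    # die goes to the server error log, not to the browser (no fatalsToBrowser).
    open my $fh, '<', $users_file or die "cannot open users file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($user, $stored_hash) = split /:/, $line, 2;
        next unless defined $user && $user eq $clean_user;
        # Assumed file format: stored value is sha256_hex of the password.
        $ok = 1 if defined $stored_hash && sha256_hex($password) eq $stored_hash;
        last;
    }
    close $fh;
}

print header();
if ($ok) {
    print "<html><body><p>Logged in as ", escapeHTML($clean_user),
          "</p></body></html>\n";
} else {
    # Same message whether the user or the password was wrong.
    print "<html><body><p>Invalid username or password.</p>\n",
          "<form method=\"post\"><table>\n",
          "<tr><td>User</td><td><input name=\"username\"></td></tr>\n",
          "<tr><td>Password</td><td><input type=\"password\" name=\"password\"></td></tr>\n",
          "<tr><td colspan=\"2\"><input type=\"submit\" value=\"Login\"></td></tr>\n",
          "</table></form></body></html>\n";
}
```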