Midnite has asked for the wisdom of the Perl Monks concerning the following question:

Hi all, I am in need of help for a small script I wrote. It is a simple password script. The user inputs a password, it is submitted, and then checked. If it is correct, a redirect; if not, an error message occurs. Unfortunately, it is not working like it should be. I am using 'Param', and when the password is entered and submitted, nothing gets passed. I have others that work, but none are for passwords. Here is my code:

    if (param()) {
        my $pass_bob = param("pass_bob");
        # verify correct password
        if ($bob_pass eq "password") {
            use CGI;
            print redirect("http://www.gailborden.info/services/bob/bobqa.htm");
        } else {
            # print error page
            #
        }
    # If no password, get one from user
    } else {
        my $query = new CGI;
        print $query->header( "text/html" );
        print <<END_PASS;
    <TITLE>B.O.B. Question Submission</TITLE>
    <BODY BGCOLOR=\"#FFFFFF\"><font face=\"bazooka\" size=\"3\">
    <center><h1>B.O.B. Q and A w/Suggestions Submission Form</h1>
    <hr>
    <form>
    <p>Type Password
    <p>
    <input name=pass_bob size=20 type=password>
    <p><input type=submit value=Submit name=S1>
    <hr>
    </form>
    </font></body></html>
    END_PASS
    }

Joseph A. Ruffino
Automated Systems Assistant
Gail Borden Public Library District
270 N. Grove Ave
Elgin, Il, 60120
847-742-2411 x5986

Replies are listed 'Best First'.
Re: Param not working correctly
by zdog (Priest) on Sep 16, 2004 at 18:46 UTC

    First you're using $pass_bob and then $bob_pass. Make sure you're using strict to avoid that. It forces you to declare your variables, so in case you misspell them accidentally, it'll yell at you.

    Update: Also, I just noticed: You need to make sure that you're importing the param() method from the CGI module. *Generally*, this is done as follows:

    use CGI qw(:standard);

    Though I suppose you already do that somehow since Perl doesn't complain about the param() call. You probably should rethink your design and not have so many use CGI statements either (one should suffice). Both param() and redirect() are methods of the CGI object ($cgi = new CGI) so they can be called:

    my $cgi = new CGI;
    $cgi->param( $param_name );
    $cgi->redirect( $url );

    Zenon Zabinski | zdog | zdog@perlmonk.org

Re: Param not working correctly
by waswas-fng (Curate) on Sep 16, 2004 at 19:11 UTC
    A couple of things,

  • Use Strict.
  • Your cgi does not actually protect anything, users can bypass the auth.
  • The site that you redirect to needs to be fixed. You generate a filename based on the input of the date; a savvy user can push their own date param and write files at the location of their choice (see example output of ///../ in the date field below, although more complex paths can be entered).
  • Also you need to change the error output of your web server to hide details such as this:
    Software error:
    Cannot Open File /usr/local/httpd/virtuals/elghome/ips/www.elgin.lib.il.us/bob/.txt for writing: Permission denied at /usr/local/httpd/virtuals/elghome/www.elginarea.org/cgi-bin/bobweb.pl line 116.
    For help, please send mail to the webmaster (elghome@nsn1.northstarnet.org), giving this error message and the time and date of the error.


    -Waswas
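
An added example, not part of the reply above and not the site's own script: one way to handle the date-to-filename and error-output points. The date format (YYYY-MM-DD), the function names and the use of a temporary directory are assumptions, since the target script is not shown on this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Map a user-supplied date to a file under $dir, or return nothing.
# Assumption: dates look like YYYY-MM-DD. The whole string must match an
# allow-list pattern, so "/", "." runs and empty input never reach the path.
sub path_for_date {
    my ($date, $dir) = @_;
    return unless defined $date;
    my ($y, $m, $d) = $date =~ /\A([0-9]{4})-([0-9]{2})-([0-9]{2})\z/
        or return;
    return if $m < 1 || $m > 12 || $d < 1 || $d > 31;
    return File::Spec->catfile($dir, "$y-$m-$d.txt");
}

# Save one submission. Failure details (path, errno) go to the server
# log via warn(); the caller gets only a generic message for the browser.
sub save_submission {
    my ($date, $text, $dir) = @_;
    my $path = path_for_date($date, $dir)
        or return (0, 'Invalid date.');
    my $fh;
    unless (open $fh, '>>', $path) {
        warn "bob: cannot open $path: $!\n";
        return (0, 'Your submission could not be saved.');
    }
    print {$fh} "$text\n";
    close $fh;
    return (1, 'Saved.');
}

# Constructed inputs, written to a throwaway directory (not the real site path).
my $dir = tempdir(CLEANUP => 1);
for my $date ('2004-09-16', '///../', '2004-09-16/../x', '2004-13-01', '') {
    my ($ok, $msg) = save_submission($date, 'sample question', $dir);
    printf "%-20s %s\n", "'$date'", $ok ? "saved: $msg" : "rejected: $msg";
}
```

The pattern is anchored with `\A` and `\z`, so a valid date followed by extra path components is rejected rather than partially matched.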