in reply to Re: DBI & MySQL Login Test
in thread DBI & MySQL Login Test

Hello Sewi,
Your code example of preventing SQL injection is cool.

On my website, I want to allow users to login, but prevent any hackers from getting my subscribers usernames and passwords.
I don't have a need to print out the username and password.
They must remain hidden out of sight.

As I understand it, in your SQL example you're letting SQL validate for user input. Is that correct?

Can you elaborate on the error checking? I would like to check if a user enters the form with incorrect data.
How do you print an error message?

Replies are listed 'Best First'.
Re^3: DBI & MySQL Login Test
by Sewi (Friar) on Aug 26, 2009 at 12:37 UTC 
    if ($uname eq '') {
 print "Please enter a username";
} elsif ($pword eq '') {
 print "Please enter a password";
} elsif ($sth->selectrow_array('SELECT COUNT(*) FROM '.$Tablename.
'WHERE username = 0x'.unpack('H*',$uname).
' AND password = 0x'.unpack('H*',$pword))) {
 # Successful login
 print "You're not logged in";
} else {
 print "Username or password wrong";
}

    [download]
    This code doesn't give you any information if the password is wrong or the username doesn't exist, it only says "ok" or "not ok", but this is what I prefer for login forms.
    If you have different error messages for "user does not exist" and "password wrong", I could start guessing a username (as long as I get the "user does not exist" message). Then, once a valid username is known, guess the password for this user. Using one combined error message says: Maybe you got a non-existing user, maybe a wrong password, doesn't matter.

    (You need to replace the "print" lines with whatever_generates_user_output_on_your_system.)

[reply]
[d/l]

In Section Seekers of Perl Wisdom