You still are missing the check to see if the username even exists...I would
rewrite the foreach loop this way:

my $found = 0;
foreach my $i (@indata) {
  chomp($i);
  # split on the pipe itself, with optional spaces around it;
  # /\ | / is an alternation that only matches a single space
  my ($username, $password) = split(/\s*\|\s*/, $i);
  if( $username eq $in{username} &&
      $password ne $in{password} )
  {
      # issue error
  }
  elsif( $username eq $in{username} ) {
    $found = 1;
  }
}

if( !$found ){
  #issue error...invalid username
}


----- Original Message -----
From: "maureen" <[EMAIL PROTECTED]>
To: "Tanton Gibbs" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 23, 2002 8:04 PM
Subject: Re: Text file separators


> Thanks for your suggestion.  I tried this:
>
>  if( $username eq $in{username} &&
> >     $password ne $in{password} ) {
> >   # issue error here
> > }
> The test for username and password is now positive, every time text is
> entered into the username and password fields, even when text entered
> does not match any of the usernames or passwords in the file pwdata.txt.
>
> I'd appreciate any suggestions. Thanks again for your help, Maureen
>
> Here is the entire revised code:
>
> #!/usr/local/bin/perl
> require "cgi-lib.pl";
> #process incoming form data
> &ReadParse;
> #open the database in read-only mode
> open(FILE,"pwdata.txt") || die "Can't find database\n";
> #store database contents in an array and close file
> @indata = <FILE>;
> close(FILE);
> #remove hard return character from each record
> chomp($i);
> foreach $i (@indata)
> {
> #split fields on pipe character
> #assign a variable name to each of the fields
> ($username, $password) = split(/\ | /,$i);
> if( $username eq $in{username} &&
>     $password ne $in{password} )
> {
> #invalid password--create error message and exit
> print &PrintHeader;
> print <<"PrintTag";
> <HTML>
> <HEAD>
> <TITLE>Error!</TITLE>
> </HEAD>
> <BODY BGCOLOR="white" TEXT="black">
> <H1>Authorization Required</H1>
> <BLOCKQUOTE>
> You do not have authorization to enter this website. Please click <a
> href="http://www.worldwidewebstrategies.com">here</a> to return to the
> WWWS web site.
> </BLOCKQUOTE>
> <BLOCKQUOTE>
> If you feel you have received this message in error, please return to
> the login screen and try to enter your username and password again.
>  </BLOCKQUOTE>
> </BODY>
> </HTML>
> PrintTag
> exit(0);
> }
> #check for blank form fields
> if ($in{'username'}eq"" || $in{'password'}eq"")
> { #invalid password--create error message and exit
> print &PrintHeader;
> print <<"PrintTag";
> <HTML>
> <HEAD>
> <TITLE>Error!</TITLE>
> </HEAD>
> <BODY BGCOLOR="white" TEXT="black">
> <H1>Authorization Required</H1>
> <BLOCKQUOTE>
> You do not have authorization to enter this website. Please click <a
> href="http://www.worldwidewebstrategies.com">here</a>
> to return to the WWWS web site.
> </BLOCKQUOTE>
> <BLOCKQUOTE>
> If you feel you have received this message in error, please return to
> the
> login screen and try to enter your username and password again.
>  </BLOCKQUOTE>
> </BODY>
> </HTML>
> PrintTag
> exit(0);
> }
> #everything is okay. Create lock file.
> open(LOCK_FILE, ">lock.fil");
> #open, append record, and close database
> open(FILE,">>pwdata.txt") || die "Can't find database\n";
> print FILE
> "$in{'username'}|$in{'password'}\n";
> close(FILE);
> #close lock file
> close(LOCK_FILE);
> #delete lock file
> unlink("lock.fil");
> print "Location:http://www.worldwidewebstrategies.com\n\n";
> };
>
> Tanton Gibbs wrote:
> >
> > That's a very good point!  You want something more like
> >
> > if( $username eq $in{username} &&
> >     $password ne $in{password} ) {
> >   # issue error here
> > }
> >
> > otherwise, it will issue an error for the first password that doesn't
> > match...even if it is the user's!
> > ----- Original Message -----
> > From: "Mark Anderson" <[EMAIL PROTECTED]>
> > To: "maureen" <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Wednesday, January 23, 2002 5:55 PM
> > Subject: RE: Text file separators
> >
> > > I haven't worked with cgi-lib.pl, so I'm confused.  Is the password from
> > > the web page being delivered as part of a hash called in?  If so, then
> > > someone else will need to help you with the if ($password ne $in{password}).
> > >
> > > The other thing that I notice is that you are looking through the entire
> > > pwdata.txt file comparing the password that was passed in against every
> > > password in the file.  It seems to me like you would want to compare the
> > > username entered on the web page to the username on the line in the file,
> > > and if they match, then compare the passwords, with some other case if
> > > none of the usernames match.
> > >
> > > On further review, what you are doing is comparing the password entered
> > > against the password on the first line of pwdata.txt, and if it doesn't
> > > match, then you exit the script.
> > >
> > > I apologize for not giving more detailed help and debugging your code
> > > further, but hopefully my comments help.
> > >
> > > /\/\ark
> > >
> > > -----Original Message-----
> > > From: maureen [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, January 23, 2002 2:09 PM
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: Text file separators
> > >
> > >
> > > Thanks for the detailed information!  I'm a beginner and appreciate
> > > everyone's help.
> > >
> > > I tried a number of the suggestions in this and other responses to my
> > > post. This test:
> > >  if ($password ne $in{password}) is still not working. I'd appreciate
> > > any suggestions. Here is the code:
> > >
> > > open(FILE,"pwdata.txt") || die "Can't find database\n";
> > > #store database contents in an array and close file
> > > @indata = <FILE>;
> > > close(FILE);
> > > #remove hard return character from each record
> > > chomp($i);
> > > foreach $i (@indata)
> > > {
> > > #split fields on pipe character
> > > #assign a variable name to each of the fields
> > > ($username, $password) = split(/\ | /,$i);
> > > if ($password ne $in{password})
> > >
> > > Here is my complete revised code:
> > >
> > > #!/usr/local/bin/perl
> > > require "cgi-lib.pl";
> > > #process incoming form data
> > > &ReadParse;
> > > #open the database in read-only mode
> > > open(FILE,"pwdata.txt") || die "Can't find database\n";
> > > #store database contents in an array and close file
> > > @indata = <FILE>;
> > > close(FILE);
> > > #remove hard return character from each record
> > > chomp($i);
> > > foreach $i (@indata)
> > > {
> > > #split fields on pipe character
> > > #assign a variable name to each of the fields
> > > ($username, $password) = split(/\ | /,$i);
> > > if ($password ne $in{password})
> > > {
> > > #invalid password--create error message and exit
> > > print &PrintHeader;
> > > print <<"PrintTag";
> > > <HTML>
> > > <HEAD>
> > > <TITLE>Error!</TITLE>
> > > </HEAD>
> > > <BODY BGCOLOR="white" TEXT="black">
> > > <H1>Authorization Required</H1>
> > > <BLOCKQUOTE>
> > > You do not have authorization to enter this website. Please click <a
> > > href="http://www.worldwidewebstrategies.com">here</a> to return to the
> > > WWWS web site.
> > > </BLOCKQUOTE>
> > > <BLOCKQUOTE>
> > > If you feel you have received this message in error, please return to
> > > the login screen and try to enter your username and password again.
> > >  </BLOCKQUOTE>
> > > </BODY>
> > > </HTML>
> > > PrintTag
> > > exit(0);
> > > }
> > > #check for blank form fields
> > > if ($in{'username'}eq"" || $in{'password'}eq"")
> > > { #invalid password--create error message and exit
> > > print &PrintHeader;
> > > print <<"PrintTag";
> > > <HTML>
> > > <HEAD>
> > > <TITLE>Error!</TITLE>
> > > </HEAD>
> > > <BODY BGCOLOR="white" TEXT="black">
> > > <H1>Authorization Required</H1>
> > > <BLOCKQUOTE>
> > > You do not have authorization to enter this website. Please click <a
> > > href="http://www.worldwidewebstrategies.com">here</a>
> > > to return to the WWWS web site.
> > > </BLOCKQUOTE>
> > > <BLOCKQUOTE>
> > > If you feel you have received this message in error, please return to
> > > the
> > > login screen and try to enter your username and password again.
> > >  </BLOCKQUOTE>
> > > </BODY>
> > > </HTML>
> > > PrintTag
> > > exit(0);
> > > }
> > > #everything is okay. Create lock file.
> > > open(LOCK_FILE, ">lock.fil");
> > > #open, append record, and close database
> > > open(FILE,">>pwdata.txt") || die "Can't find database\n";
> > > print FILE
> > > "$in{'username'}|$in{'password'}\n";
> > > close(FILE);
> > > #close lock file
> > > close(LOCK_FILE);
> > > #delete lock file
> > > unlink("lock.fil");
> > > print "Location:http://www.worldwidewebstrategies.com\n\n";
> > > };
> > > Peter Scott wrote:
> > > >
> > > > At 08:13 PM 1/22/02 -0500, maureen wrote:
> > > >
> > > > >Thanks to everyone in the group who has helped me recently. I
> > > > >appreciate all of your suggestions.
> > > > >
> > > > >I am working with a text file that contains pipe separators, like this:
> > > > >
> > > > >username | password
> > > > >
> > > > >I am trying to load the text file into an array and create two
> > > > >variables $username and $password, without the separator. I'd appreciate
> > > > >any suggestions on what I am doing wrong here.
> > > > >
> > > > >open(FILE,"pwdata.txt") || die "Can't find database\n";
> > > > >@indata = <FILE>;
> > > > >close(FILE);
> > > > >foreach $i (@indata)
> > > > >{
> > > > >#remove hard return character from each record
> > > > >chomp($i);
> > > > >($username,$password) = split(/\|/,$i);
> > > >
> > > > You're not doing anything wrong there:
> > > >
> > > > $ cat > pwdata.txt
> > > > username|password
> > > > $ perl -e 'open FILE,"pwdata.txt";@a=<FILE>;for $i (@a) { chomp
> > > > $i; ($u, $p) = split/\|/,$i ; print "Username = $u, Password = $p\n"}'
> > > > ^D
> > > > Username = username, Password = password
> > > >
> > > > Your following test (below) though is wrong:
> > > >
> > > >          if ($password = $i{password})
> > > >
> > > > I have no idea what that's trying to do.  I don't see a hash %i in your
> > > > code.  And you're doing an assignment in a conditional instead of a
> > > > test.  I think you may have meant
> > > >
> > > >          if ($password ne $in{password})
> > > >
> > > > However, I have several problems with your approach to an application
> > > > that appears to be authenticating people for a web application:
> > > >
> > > > 1. Passwords stored in plain text.  They should be stored as a one-way
> > > > encryption, with, e.g., Digest::MD5.
> > > > 2. Password file accessed without locking.  It might be being updated at
> > > > the same time.
> > > > 3. Using cgi-lib.pl instead of CGI.pm.
> > > > 4. Not using strict.
> > > > 5. Not using -w during development.
> > > > 6. Successful authentication simply redirects user to another page,
> > > > whose URL could be discovered by someone who might just go straight there.
> > > > If it's worth protecting then that page should be protected also.  Using
> > > > HTTP-Basic authentication may be a better approach.
> > > > 7. Duplication of error message rather than reference the same
> > > > one.  Although it looks as though they ought to be two different error
> > > > messages anyway.
> > > >
> > > > >Thanks! Maureen
> > > > >
> > > > >
> > > > >The entire code follows:
> > > > >
> > > > >#!/usr/local/bin/perl
> > > > >require "cgi-lib.pl";
> > > > >#process incoming form data
> > > > >&ReadParse;
> > > > >#open the database in read-only mode
> > > > >open(FILE,"pwdata.txt") || die "Can't find database\n";
> > > > >#store database contents in an array and close file
> > > > >@indata = <FILE>;
> > > > >close(FILE);
> > > > >foreach $i (@indata)
> > > > >{
> > > > >#remove hard return character from each record
> > > > >chomp($i);
> > > > >#split fields on pipe character
> > > > >#assign a variable name to each of the fields
> > > > >($username,$password) = split(/\|/,$i);
> > > > >if ($password = $i{password})
> > > > >{
> > > > >#invalid password--create error message and exit
> > > > >print &PrintHeader;
> > > > >print <<"PrintTag";
> > > > >
> > > > >
> > > > >Authorization Required
> > > > >
> > > > >
> > > > >You do not have authorization to enter this website. Please click
> > > > ><http://www.worldwidewebstrategies.com>here to return to the WWWS web
> > > > >site.
> > > > >
> > > > >If you feel you have received this message in error, please return to
> > > > >the login screen and try to enter your username and password again.
> > > > >
> > > > >
> > > > >PrintTag
> > > > >exit(0);
> > > > >}
> > > > >#check for blank form fields
> > > > >if ($in{'username'}eq"" || $in{'password'}eq"")
> > > > >{ #invalid password--create error message and exit
> > > > >print &PrintHeader;
> > > > >print <<"PrintTag";
> > > > >
> > > > >
> > > > >Authorization Required
> > > > >
> > > > >
> > > > >You do not have authorization to enter this website. Please click
> > > > ><http://www.worldwidewebstrategies.com>here to return to the WWWS web
> > > > >site.
> > > > >
> > > > >If you feel you have received this message in error, please return to
> > > > >the login screen and try to enter your username and password again.
> > > > >
> > > > >
> > > > >PrintTag
> > > > >exit(0);
> > > > >}
> > > > >print "Location:http://www.worldwidewebstrategies.com\n\n";
> > > > >};
> > > > >Thanks
> > > >
> > > > --
> > > > Peter Scott
> > > > Pacific Systems Design Technologies
> > > > http://www.perldebugged.com
> > >
> > > --
> > > Be the change you want to see in the World    - Mahatma Ghandi
> > >
> > > --
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]


-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
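
Added example, not part of any message in this thread: the username-then-password check discussed above, combined with the list's points about hashed storage, file locking and strict/warnings. It swaps the Digest::MD5 suggestion for a salted PBKDF2-HMAC-SHA256 built on the core Digest::SHA module. The four-field record layout, the function names and the sample user are assumptions made for illustration.

```perl
use strict;
use warnings;
use Fcntl qw(:flock);
use Digest::SHA qw(hmac_sha256);
use File::Temp qw(tempfile);

# Assumed record layout (not the thread's): username|salt_hex|iterations|hash_hex
# PBKDF2-HMAC-SHA256, first 32-byte output block only.
sub pbkdf2_hex {
    my ($password, $salt, $iter) = @_;
    my $out = my $u = hmac_sha256($salt . pack('N', 1), $password);
    for (2 .. $iter) {
        $u = hmac_sha256($u, $password);
        $out ^= $u;                         # string XOR of two 32-byte values
    }
    return unpack('H*', $out);
}

# Compare every character instead of stopping at the first difference.
sub same_string {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns 1 only if the user exists AND the password matches; the caller
# cannot tell an unknown username from a wrong password.
sub check_login {
    my ($file, $user, $pass) = @_;
    return 0 unless length($user // '') && length($pass // '');
    my ($salt, $iter, $hash) = ('00' x 16, 10_000, '');   # dummy record for unknown users
    open(my $fh, '<', $file) or die "Can't open $file: $!\n";
    flock($fh, LOCK_SH)      or die "Can't lock $file: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        my @f = split /\s*\|\s*/, $line;    # the pipe itself, optional spaces around it
        next unless @f == 4 && $f[0] eq $user && $f[2] =~ /^\d+$/;
        ($salt, $iter, $hash) = @f[1 .. 3];
        last;
    }
    close $fh;                              # also releases the shared lock
    return same_string(pbkdf2_hex($pass, pack('H*', $salt), $iter), lc $hash);
}

# Constructed sample data: one user written to a temporary file.
my ($tmp, $path) = tempfile(UNLINK => 1);
my $salt_hex = 'a1b2c3d4e5f60718293a4b5c6d7e8f90';   # constructed; use a random salt per user
print {$tmp} join('|', 'alice', $salt_hex, 10_000,
    pbkdf2_hex('correct horse', pack('H*', $salt_hex), 10_000)), "\n";
close $tmp;
printf "%-6s %-14s => %s\n", @$_, check_login($path, @$_) ? 'ok' : 'denied'
    for ['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'x'];
```

A script that appends records would take LOCK_EX on the same file before writing, in place of the separate lock.fil used in the quoted code.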
