Greg,

Thank you for your prompt reply.  Here is the whole script for
accessing the database:

------------  logon.cgi  ------------
#!/usr/bin/perl

use CGI;
use DBI;

my $co = new CGI;
my $dsn = 'DBI:mysql:bos_db:localhost';
my $db_user_name = 'sean';
my $db_password = '{MyPassword}';
my ($id, $password);
my $dbh = DBI->connect ($dsn, $db_user_name, $db_password);
my $tmp_passwd = $co->param('pwd');
my $passwd = strip_string($tmp_passwd);

# Prepare the query.  Method calls are not interpolated inside qq{}, so the
# username is bound to a placeholder when the statement is executed.
my $result = $dbh->prepare(qq{
        SELECT * FROM users
        WHERE uname = ?
        });
$result->execute(scalar $co->param('uname'));

print
$co->header,
$co->start_html(-title=>'Benevolent Outreach Management System',
        -author=>'Sean Carrick and PekinSOFT Systems',
        -bgcolor=>'white', -text=>'black', -link=>'blue',
        -vlink=>'cyan', -alink=>'red'),
"Username Provided: ", $co->param('uname'), $co->br,
"Password Provided: ", $passwd, $co-br,
$co->h3('Logon Successful'),
$co->h5('Your User Information:');
my ($uname, $pword, $fname, $lname, $street, $apt, $city, $state,
    $zip, $cphone, $email, $org, $org_contact, $org_phone) = $result->fetchrow_array();

print
        "<table width=\'100%\'>",
        "<tr><td>Username:</td>",
        "<td>$uname</td></tr>",
        "<tr><td>Name:</td>",
        "<td>$fname $lname</td></tr>",
        "<tr><td>Address:</td>",
        "<td>$street<br />$apt<br />",
        "$city, $state $zip</td></tr>",
        "<tr><td>Phone Number:</td>",
        "<td>$cphone</td></tr>",
        "<tr><td>Email Address:</td>",
        "<td>$email</td></tr>",
        "<tr><td>Organization</td>",
        "<td>$org</td></tr>",
        "<tr><td>Contact Person:</td>",
        "<td>$org_contact</td></tr>",
        "<tr><td>Phone Number:</td>",
        "<td>$org_phone</td></tr>",
        "</table>",
        $co->hr,
        "<p>Functionality will be coming in the very near future!</p>",
        $co->end_html;

$result->finish();
$dbh->disconnect();

sub strip_string
{
        my $ret = "";
        for (my $i = 0; $i < length($_[0]) - 9; $i++) {
                $ret .= substr(length($_[0]) - $i, 1);
                #print $ret;
        }

        return $ret;
}
------------  logon.cgi  ------------

The only edit to the above script is the password for my database.

I know that the "/s/" construct does some cool things, but as I said
in my original post, the strings being passed from the password field
have an arbitrary 9 numbers appended to the end.  For the context of
the logon form, I'm including the web page with the form here:

-----------  index.html  -----------
<html>
        <head>
                <title>Benevolent Outreach Management System</title>
                <link rel='stylesheet' type='text/css' href='../styles/ps-style.css' />
        </head>

        <body>
                <div id='centercontent'>
                        <h2>Benevolent Outreach Management System</h2>
                        <p>The Benevolent Outreach Management System is a website and web application that churches and other agencies may access to track
                           the use of benevolent outreaches in the Pekin, Illinois area.  This site is designed to be as easy to use as possible and
                           maintains a database of users and clients of the benevolent outreaches that desire access to this system.</p>
                        <hr />
                        <p>To begin using the Benevolent Outreach Management System, you may logon by clicking the &quot;Logon&quot; link in the right-hand
                           pane.  If you do not yet have a user account, you may start the registration process (which takes 2-3 business days to complete)
                           by clicking on the &quot;Register&quot; link in the right-hand pane.</p>
                </div>

                <div id='rightcontent'>
                        <p><a href='../cgi-bin/boms.cgi'>Register</a></p>
                        <h4>Logon</h4>
                        <form method='POST' action='../cgi-bin/logon.cgi'>
                                Username:<br />
                                <input type='textfield' name='uname' /><br />
                                Password:<br />
                                <input type='password' name='pwd' maxlength='11' value='' /><br />
                                <input type='submit' name='submit' value='Logon' />
                                <input type='reset' name='reset' value='Reset' />
                        </form>
                </div>
        </body>
</html>
-----------  index.html  -----------

I appreciate any insights that you may have for me.

Cheers,

Sean C.
PekinSOFT Systems
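
The user lookup from logon.cgi, as an added example that is not part of Sean's post: the form value is bound to a `?` placeholder, because `$co->param('uname')` is not interpolated inside `qq{}` and form input should stay out of the SQL text, and stored values are escaped before they are written into the page. It assumes DBD::SQLite with an in-memory database so it runs offline; the three-column `users` table, the sample rows and the helper names `find_user` and `escape_html` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite in memory stands in for the MySQL bos_db so the
# example runs offline.  The table layout and both rows are constructed.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE users (uname TEXT PRIMARY KEY, fname TEXT, lname TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?, ?)', undef, @$_)
    for [ 'sean', 'Sean', 'C.' ], [ "o'neil", 'Pat <b>', "O'Neil & Sons" ];

# Hypothetical helper: the form value is bound to the ? placeholder and is
# never pasted into the SQL text, so quotes in it cannot change the query.
# In logon.cgi the argument would be: scalar $co->param('uname')
sub find_user {
    my ($dbh, $uname) = @_;
    return unless defined $uname && length $uname;
    my $sth = $dbh->prepare(
        'SELECT uname, fname, lname FROM users WHERE uname = ?');
    $sth->execute($uname);
    my $row = $sth->fetchrow_hashref;
    $sth->finish;
    return $row;
}

# Hypothetical helper: escape stored values before they go into the page.
sub escape_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Constructed form inputs: a plain name, a name containing a quote, no match.
for my $uname ('sean', "o'neil", 'nobody') {
    my $user = find_user($dbh, $uname);
    if ($user) {
        print '<tr><td>Name:</td><td>',
              escape_html("$user->{fname} $user->{lname}"), "</td></tr>\n";
    } else {
        print "<p>Logon failed.</p>\n";
    }
}
$dbh->disconnect;
```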

On Dec 9, 8:00 pm, [EMAIL PROTECTED] (Greg Jetter) wrote:
> On Tuesday 09 December 2008 8:47:06 am [EMAIL PROTECTED] wrote:
>
>
>
> > Hey All,
>
> > I'm new to doing CGI with Perl and so am a little lost here.
>
> > I'm working on a web-accessible database system for a (rather large)
> > group of area churches and went through the rigmarole of assessing
> > various programming and scripting languages to see which is the best
> > tool for the job and I landed on Perl::CGI.
>
> > I started working on this project and have created scripts that
> > generate a registration page that emails the registration information
> > to me for processing.  This is intentional, by the way, as I don't
> > want it to be a self-register site for certain security reasons.
> > These scripts work fine, so I started working on a logon form to allow
> > users who are already registered to logon.  So, on my main page, I
> > have a right-hand pane that looks similar to this (in the HTML code):
>
> > <div id='rightcontent'>
> >      <p><a href='http://myserver.domain.org/cgi-bin/boms.cgi'>Register</a></p>
> >      <br />
> >      <h3>Logon</h3>
> >      <form method='POST' action='http://myserver.domain.org/cgi-bin/logon.cgi'>
> >           Username:<br />
> >           <input type='textfield' name='uname' /><br />
> >           Password:<br />
> >           <input type='password' name='pwd' /><br />
> >           <input type='submit' name='logon' value='Logon' />
> >      </form>
> > </div>
> > ...etc...
>
> > This form displays pretty well, though I need to work on the width of
> > the fields, but that's not my issue.  My issue is when I fill in the
> > data in the fields and submit it to my "logon.cgi" script, the
> > password value gets an arbitrary string of numbers attached to the end
> > and I am not having any luck figuring out where those numbers come
> > from, nor how to get rid of them back to the clear text of the
> > password.  For example:
>
> > I enter the string 'hiyall2008' in the password field and get the
> > following values in my logon script...
> >      Click 1:  hiyall2008153639492
> >      Click 2:  hiyall2008135813700
> >      Click 3:  hiyall2008152312388
> >      et cetera...
>
> > As you can see, there is a different arbitrary string of numbers at
> > the end of the clear text of the password entered.  If it was the same
> > each time the password was entered, I would just make it a part of the
> > password and encrypt the whole thing into my database.  However, each
> > time it is different.  It appears to be only 9 numbers each time, so I
> > decided to try and strip those 9 numbers off the password with the
> > 'substr()' method.  So, I created the following sub procedure to do
> > that:
>
> > sub strip_string
> > {
> >         my $ret = "";
> >         for (my $i = 0; $i < length($_[0]) - 9; $i++) {
> >            $ret .= substr(length($_[0]) - $i, 1);
> >            #print $ret;
> >    }
>
> >    return $ret;
> > }
>
> > Now, when I use this method to "strip" the arbitrary numbers from the
> > end of the entered password, I get the following:
>
> > I enter the same password as before, "hiyall2008", and get the
> > following:
> >      Click 1:  0134588996
> >      Click 2:  0157203012
> >      Click 3:  0138639940
>
> > Now, not only do I have arbitrary strings of numbers, I have 10
> > numbers instead of 9!  I know that it is something that I'm not doing
> > correctly, but I cannot figure out what I'm doing wrong.
>
> > I've read through my Perl books, searched Google with numerous
> > different queries and read through a bunch of different references
> > online.  However, none of them mention this issue with the password
> > field in a web form when accessed from Perl::CGI.  I am at a complete
> > loss as to where to go from here.  According to my "Perl Core
> > Language, Little Black Book", if I pass a negative number to the
> > substr() function's LEN parameter, substr() will remove that many characters
> > from the end of the string.  Every other reference to the substr()
> > function, of course, says the same thing.  However, when I've
> > attempted that, I only got back the characters that I was wanting
> > omitted.  Frustration just keeps building!
>
> > Anyway, any help that y'all can give is greatly appreciated.
> > Especially, please, links to better examples of tweaking a string with
> > the substr() function.  The ones in my "Little Black Book" are pretty
> > lame, and I was unable to find much better online.  Again, any help is
> > greatly appreciated.  I look forward to your responses.
>
> > Cheers,
>
> > Sean C.
> > PekinSOFT Systems
>
> you need to post the whole script so we can see the context of the problem.
> like how you're retrieving the passed params and so forth.
>
> you could also try using regexp "s" operator to clean up the passed string.
> you could also try and isolate the problem by using plain text instead of an
> input field of password and see if the string is appended with the same
> sort of junk numbers.
>
> good luck
>
> Greg
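
Added example, not part of either message: it reproduces the two string effects visible in logon.cgi as posted. There `$passwd` is followed by `$co-br` (a minus sign where the line above has `$co->br`), which without `use strict` evaluates to the object's numeric address, and `strip_string()` hands `substr()` a number instead of the password. `Demo::Query` and `drop_trailing` are constructed names, and `153639492` is the suffix quoted in the thread.

```perl
#!/usr/bin/perl
# "use strict" is left out on purpose: the bareword in ref_minus_bareword()
# only compiles without it, which is the situation in the posted script.
use Scalar::Util qw(refaddr);

# Stand-in for the CGI object (constructed; any blessed reference behaves alike).
my $co = bless {}, 'Demo::Query';

# "$co-br" is parsed as $co - 'br': the reference's numeric address minus 0.
sub ref_minus_bareword { return $co-br; }

# strip_string() exactly as posted: substr() receives a number as its string
# argument, so it cuts pieces out of "10", "9", ... and never sees the password.
sub strip_string {
    my $ret = "";
    for (my $i = 0; $i < length($_[0]) - 9; $i++) {
        $ret .= substr(length($_[0]) - $i, 1);
    }
    return $ret;
}

# What the substr() documentation describes: a negative LENGTH leaves that
# many characters off the end of the string.  Hypothetical helper name.
sub drop_trailing {
    my ($s, $n) = @_;
    return '' if length($s) <= $n;       # nothing would be left after the cut
    return substr($s, 0, -$n);
}

my $typed = 'hiyall2008';                 # password used in the thread
printf "address of object : %d\n",   refaddr($co);
printf "\$co-br            : %d\n",   ref_minus_bareword();
printf "strip_string      : '%s'\n", strip_string($typed);
printf "printed together  : %s%d\n", strip_string($typed), ref_minus_bareword();
printf "drop_trailing     : '%s'\n", drop_trailing($typed . '153639492', 9);
printf "last nine only    : '%s'\n", substr($typed . '153639492', -9);
```

With `$co->br` written as on the username line, nothing numeric follows the password and no stripping is needed.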

