I am also working on a project that requires passing a password via the web,
and obviously did not want to do so URL encoded with GET. My suggestions:

        A. Use CGI.pm's param() method to get your
           form data. I second Carl's question as to why
           you would manually parse the form data when
           you can get all of the form data into a hash
           by simply doing

                use CGI;
                my $query = new CGI;
                my %formvalues = $query->Vars;


        B. The way I went about the password issue
           without using GET, or even a POST with hidden
           fields (better but still not ideal), is to
           use CGI::Session to generate a unique session
           ID once the username and password are authenticated.
           Now I use the session ID in hidden fields where
           I can, URL encoded using GET where I have to, but
           the username and password are not being passed
           around insecurely. The CGI::Session docs are
           pretty decent on the examples, so you shouldn't
           have much trouble with it. You can also use the
           generated session ID as a cookie and fake
           statefulness that way.

Your solution may require more effort because you are using a telnet session
and authenticating that way, where I'm just authenticating against either
.htaccess files or MySQL columns, so you've got another link in the chain
there.

But then again telnet passes username/password in plain ascii, so we're back
to the security issue on that end of it. Have you considered initiating an
SSH session rather than a telnet session? Just a thought...

Scot R.
inSite



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
Carl Jolley
Sent: Saturday, June 14, 2003 7:29 PM
To: ashish srivastava
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: Help needed -- Net::telnet gives errors


On Sat, 14 Jun 2003, ashish srivastava wrote:

> Hi Ibrahim
> Thanks for your help!
> I am able to connect to the UNIX server using Prompt=>'/[\w]$-/' (the login
> being the user id with which the person has logged in eg. "tom-" ). But 1
> more prob.
> i have an application in which this perl script is being called by an HTML
> form (the usual Login screen ) and the login pwd is passed to the perl
> script
>
> This is my code for the HTML form
> ======================
> <html>
> <head>
>   <title>Login Screen</title>
> </head>
> <body>
> <H1><center><U> User Log in Screen </U></H1></center>
> <br><br><hr>
> <form name="usrlogin"
> action="/cgi-bin/telp.pl" method="GET" >
> <center>
> User id  : &nbsp&nbsp&nbsp
> <input type="text" name="fname" >
> <br>
> Password :
> <input type="password" name="fpwd" > <br><br>
> <input type="reset" Value="Reset" > &nbsp&nbsp  <input type="submit"
> Value="Submit" ><hr>
> </ center>
> </form>
>
> </body>
> </html>
>
> And this is the Perl code
> ================
>
> use CGI;
> use CGI::Carp qw(fatalsToBrowser);
> use Net::Telnet();
> print "Content-type:text/html\n\n";
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/,$buffer);
> print " @pairs \n";
> $j=0;
> foreach $pair (@pairs) {
>     ($name, $value) = split(/=/, $pair);
>     $value =~ tr/+/ /;
>       #($dummy,$name)= split(/?/,$name);
>     $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>     $FORM{$name} = $value;
>       $info[$j]= $value;
>       $j++;
> }
>
>
> $t = new Net::Telnet (Timeout => 10, Prompt
> =>'/xxxx-/i',input_log=>'D:\server\logs\inputlog.txt');
>          $t->open("xxx.xxxx.xxx.xxx") or die "Server not found \n";
>         $t->login($usr, $pwd);
>               @lines = $t->cmd("ls -l");
>               foreach $temp(@lines)
>               {
>         print "<a href = \"cgi-bin/change_dir.pl\">$temp</a><br>";
>               }
>
> ==> The problem is that when I click submit in the login screen, it doesn't
> pass the usrname and pswd to the perl prog. I don't understand why this is
> happening.
> Please help.
>

It's because you said the method was GET but you tried to retrieve the
value from the form as though the method was POST. When the method is GET
the form values are passed via the $ENV{QUERY_STRING}. I strongly suggest
that the GET method NOT be used when you are passing a password unless you
only want to keep the password secret from those who don't know how to
view/source on an HTML page. Also why are you "hand-parsing" the form
input anyway when the CGI module has already done it for you?

**** [EMAIL PROTECTED] <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****

_______________________________________________
Perl-Win32-Users mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
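
The approach discussed in this thread (POST instead of GET, CGI.pm's param() instead of hand-parsing, and a CGI::Session ID in a cookie instead of re-sending the password), as an added example that is not code from any of the posts. The field names fname and fpwd come from the quoted form; check_credentials() and its single account are hypothetical stand-ins for the real backend, and the temp-directory file store and HTTPS are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Spec;

# Assumption: stand-in for the real backend (.htaccess file, MySQL column).
# The single account below is constructed for this example.
sub check_credentials {
    my ($user, $pass) = @_;
    my %demo = (tom => 'constructed-demo-password');
    return defined $user && defined $pass
        && exists $demo{$user} && $demo{$user} eq $pass;
}

my $q    = CGI->new;
my $name = CGI::Session->name;          # cookie name, "CGISESSID" by default
my @dsn  = ('driver:File', { Directory => File::Spec->tmpdir });

# Returning visitor: load() only looks a session up, it never creates one.
my $sid     = $q->cookie($name);
my $session = defined $sid ? CGI::Session->load($dsn[0], $sid, $dsn[1]) : undef;
if ($session && !$session->is_empty && !$session->is_expired) {
    print $q->header(-type => 'text/plain'),
          'Logged in as ', $session->param('user'), "\n";
    exit;
}

# Accept credentials from a POST body only, so they never reach the URL,
# browser history or access log. For POST, param() reads the body fields.
unless (($q->request_method || '') eq 'POST') {
    print $q->header(-status => '405 Method Not Allowed', -type => 'text/plain'),
          "Use POST to log in.\n";
    exit;
}
my ($user, $pass) = (scalar $q->param('fname'), scalar $q->param('fpwd'));
unless (check_credentials($user, $pass)) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain'),
          "Login failed.\n";
    exit;
}

# Authenticated: start a session and hand the client only its ID.
$q->delete($name);    # ignore a session ID supplied as a form field
$session = CGI::Session->new($dsn[0], $q, $dsn[1]) or die CGI::Session->errstr;
$session->param(user => $user);
$session->expire('+30m');
$session->flush;      # write the session to disk before replying
my $cookie = $q->cookie(-name => $name, -value => $session->id,
                        -httponly => 1, -secure => 1);   # -secure assumes HTTPS
print $q->header(-type => 'text/plain', -cookie => $cookie), "Welcome, $user\n";
```

The login form has to use method="POST" for this handler; a GET request is refused with 405 before the credentials are read.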