I'm not an expert in Perl by any means, but here I went ahead and wrote a tiny login script. I would like to make the script as secure as possible, both from a malicious user entering in bogus data, and from my own dumb self :)
Standard CGI/Perl stuff here. Later on I'm going to implement some timing checks against brute force attacks, but I'm not too worried about such a thing, honestly. I'm also not incredibly concerned with efficiency, but if there is some *major* noob mistake I have made, feel free to point it out and I'll make sure you get some points. Point out as few or as many things as you'd like that are wrong with this script, and I will split the points accordingly.
So without further ado, here it is (I apologize for the poor use of style. I'll get better as I go along). Thank you for your time.
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5;
use CGI 'param','header';
$CGI::POST_MAX = 128;
$CGI::DISABLE_UPLOADS = 1;
open PWFILE, '<', 'passwords' # Each line is of "user:MD5" style.
    or die "can't open it: $!";
my @pwfile = <PWFILE>; # Slurpie it! - not a terribly large file, so no worries.
close PWFILE;
my $user = param("user");
my $pass = param("pass");
$user = defined $user ? lc $user : ''; # a missing form field would otherwise be undef
$pass = '' unless defined $pass;
print header( {-type=>'text/plain', -expires=>'now'} );
for (@pwfile) {
    if (
        m/
            ^\Q$user\E:     # Line begins with the username and a colon; quotemeta makes regex metacharacters in the input literal.
            (\$1\$.{8}\$)   # Backreference 1: 12-character salt: dollar, 1, dollar, 8 salt chars, dollar.
            (.{22})         # Backreference 2: 22-character encrypted password.
            $               # Line ends.
        /x                  # Note: no variables in these comments, since they are interpolated before /x strips comments.
        && $1.$2 eq unix_md5_crypt($pass,$1) # When we match the user, check the password.
    )
    {
        print "Authorized..."; # Do some quick/short stuff here.
        exit; # No more need to continue the search.
    }
}
print "Incorrect username or password."; # If you can read this, then we must not have found a match!
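The same check written the way a reviewer would suggest, as an added example that is not part of the original post or the asker's script. It assumes Crypt::PasswdMD5 is installed and uses a constructed in-memory sample instead of the "passwords" file; the username never enters a regular expression (the file is split on the first colon and looked up in a hash), usernames are restricted to an allowlist, the comparison is constant-time, and the hash is always computed so an unknown user costs the same as a wrong password:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Constant-time comparison: XOR every byte so the time taken does not
# depend on the position of the first differing byte.
sub const_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Load "user:hash" lines into a hash keyed by lowercase username.
# Lines that are blank, commented, or not a well-formed MD5-crypt hash are skipped.
sub load_passwords {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my %db;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;        # skip blanks and comments
        my ($u, $h) = split /:/, $line, 2;     # split only on the first colon
        next unless defined $h
            && $h =~ m{^\$1\$[^\$]{1,8}\$[./0-9A-Za-z]{22}$};
        $db{lc $u} = $h;
    }
    close $fh;
    return \%db;
}

# Returns 1 on success, 0 otherwise. Always runs unix_md5_crypt, even for an
# unknown user, so response time does not reveal whether the username exists.
sub check_login {
    my ($db, $user, $pass) = @_;
    $user = defined $user ? lc $user : '';
    $pass = '' unless defined $pass;
    return 0 unless $user =~ /^[a-z0-9_.-]{1,32}$/;   # allowlist usernames
    my $known  = exists $db->{$user} ? 1 : 0;
    # Dummy entry with a valid shape, used when the user is unknown.
    my $stored = $known ? $db->{$user} : '$1$ZZZZZZZZ$' . ('.' x 22);
    # unix_md5_crypt extracts the salt from a full hash string, so the
    # recomputed value must equal the stored one for the right password.
    my $computed = unix_md5_crypt($pass, $stored);
    return ($known && const_time_eq($computed, $stored)) ? 1 : 0;
}

# Constructed sample in place of the "passwords" file: the hash is generated
# here so the example runs without any file on disk.
my %sample = ( alice => unix_md5_crypt('s3cret', 'abcdefgh') );

print check_login(\%sample, 'Alice', 's3cret') ? "authorized\n" : "rejected\n";
print check_login(\%sample, 'alice', 'wrong')  ? "authorized\n" : "rejected\n";
print check_login(\%sample, 'nobody', 's3cret') ? "authorized\n" : "rejected\n";
print check_login(\%sample, '.*', 's3cret')     ? "authorized\n" : "rejected\n";
```

In the CGI script, `load_passwords('passwords')` replaces the slurp and `check_login($db, param('user'), param('pass'))` replaces the regex loop; the single "Incorrect username or password." message is kept for every failure branch so the response body, like the timing, does not distinguish an unknown user from a bad password.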