Message Board Password

Hi some years ago I brought a message board system with a thing that every post needs your username and password, as time has gone by I need to protect other forms but use the same usernames and passwords for my clients.

I have a simple form running 2 input boxes, one a text called name and one a password called password.

this is my perl code, the if statements at the end also default to "wrong" even if the strings match, I have outputed all the password stuff to screen and sure enough if the right password is entered the 2 match, if the wrong password is entered they don't match. but still my swtich "if" don't work.

Also I get a 500 error althoguht my append file is updated.

I am testing on a server so can't see the error log, please here the code follows.

#!/usr/bin/perl


$mdata="/members";
$save2path = "/holding/idtest.txt";

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$input{$name} = $value;
}


$user_verify_error=0;
$ufile=$input{'name'};
# $input{'author'}=$input{'name'};
$ufile=lc($ufile);
$ufile=~ s/\s//g;
open (members, "<$mdata/$ufile.profile") or $user_verify_error=1;
@members=<members>;
close(members);

if (@members) {
$member_title=@members[0];
$userpass=lc($input{'password'});
$userpass=crypt("$userpass", MB);
chomp(@members[2]);
unless ($userpass eq "@members[2]") {
$userpass_verify_error=1;
}
}




if ($user_verify_error==0){
open (INFO,">>$save2path");
print INFO "***Right***\n\n";
close (INFO);
}

if ($user_verify_error==1){
open (INFO,">>$save2path");
print INFO "***Wrong***\n\n";
close (INFO);
}

PS i am very new to perl and slowing working it out so please play nice, lol....

LVL 1
Dan-LLAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Adam314Connect With a Mentor Commented:
Instead of your print "Location", try this:
print $cgi->redirect($nextpage);

Note that the $nextpage must contain a full uri, beginning with "http://".


If that doesn't solve the problem, put this right after the my $cgi = ...:
    print $cgi->header();
And what is the output?
0
 
Adam314Commented:
You should use the CGI module to get the user input, instead of reading from STDIN.  You can then get rid of the read(STDIN,...) and the loop after it (approx lines 7-14 on what you posted).

To help find the source of error, use the CGI::Carp module.  Here is an updated version of your script:

How are you uploading the script to the server?  If using FTP, make sure to use ASCII mode.

Also make sure the script is executable.
#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use CGI;
 
my $cgi = new CGI;
 
#Configuration data
my $mdata="/members";
my $save2path = "/holding/idtest.txt";
 
my $user_verify_error=0;
my $ufile = lc($cgi->param('name'));
$ufile =~ s/\s//g;
 
 
unless(open(MEMBERS, "<$mdata/$ufile.profile")) {
	#No need to continue...
	Wrong();
	exit;
}
my @members=<MEMBERS>;
close(members);
 
my $member_title=@members[0];
$userpass=crypt(lc($cgi->param('password')), 'MB');
chomp(@members[2]);
unless ($userpass eq "@members[2]") {
	Wrong();
	exit;
}
 
open (INFO,">>$save2path");
print INFO "***Right***\n\n";
close (INFO); 
 
sub Wrong {
	open (INFO,">>$save2path");
	print INFO "***Wrong***\n\n";
	close (INFO); 
}

Open in new window

0
 
ozoCommented:
when you  outputed all the password stuff to screen did you also show the end of line characters that would have been read from <MEMBERS>
did the end of line characters match?


open(MEMBERS, "<$mdata/$ufile.profile" ) can be dangerous if $ufile came from user input,
the user could trick you into opening a file you did not intend to
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Dan-LLAuthor Commented:
right, ok, think I follow you, this is now the error that I can "hooray, thanks" see, I can see errors, that does make me happy, I'm odd I know.

This is they.
Global symbol "$userpass" requires explicit package name at idchecker.pl line 26.
Global symbol "$userpass" requires explicit package name at idchecker.pl line 28.
0
 
Dan-LLAuthor Commented:
ozo, not sure I understand the risks, $ufile being the username, I the chmod is set so others can't create/upload and name.profile file, if the username does not exist the open will fail via error handling or just DIE.

It is only protecting a simple message board from un-wanted attention but if you are saying the risks are there I need to have a rethink, the thing is the message board has been live since 2003 and seemed safe and sound. Got me a little worried, but I am more worried about not getting adams code working, I feel like a real novice now.
0
 
Dan-LLAuthor Commented:
HELP, lol...

Global symbol "$userpass" requires explicit package name at idchecker.pl line 26.
Global symbol "$userpass" requires explicit package name at idchecker.pl line 28.

call me thick if you like, I have tried and failed to clear this, I have read a dozen other questions and still stuck,  Adam, you have go me so far, push me a little more, you and almost smell the 500 points....
(i need a drink)
0
 
ozoCommented:
splain
/usr/local/bin/splain: Reading from STDIN
Global symbol "$userpass" requires explicit package name at idchecker.pl line 26.
Global symbol "$userpass" requires explicit package name at idchecker.pl line
        26 (#1)
    (F) You've said "use strict vars", which indicates that all variables
    must either be lexically scoped (using "my"), declared beforehand using
    "our", or explicitly qualified to say which package the global variable
    is in (using "::").
0
 
Dan-LLAuthor Commented:
right it's 1 in the morning, I've try trying to get this to work for 4 hours, need sleep...

ozo I kinda get what you are saying but I can't seem to get the correct syntax, thing is my appended file is outputing Right or Wrong when the pass word is entered, sometimes I get a  500 error other times I get the brower errors from above.

Maybe this is beyond me, I'm a graphics designer not a coder, if I could just get this cracked, no, need sleep.

tried

my $userpass="";
my $userpass=$userpass::<MEMBERS>;
 and all the things you can try with the above but I'm just not smart enough.


0
 
mjcoyneCommented:
Try this (Adam's code re-worked):

#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use CGI;

my $cgi = new CGI;

#Configuration data
my $mdata="/members";
my $save2path = "/holding/idtest.txt";

my $user_verify_error=0;
my $ufile = lc($cgi->param('name'));
$ufile =~ s/\s//g;

unless(open(MEMBERS, "<$mdata/$ufile.profile")) {
    #No need to continue...
    Wrong();
    exit;
}

my @members=<MEMBERS>;
close(MEMBERS);

my $member_title=$members[0];
my $userpass=crypt(lc($cgi->param('password')), 'MB');
chomp($members[2]);

unless ($userpass eq "$members[2]") {
    Wrong();
    exit;
}

open (INFO,">>$save2path");
print INFO "***Right***\n\n";
close (INFO);

sub Wrong {
    open (INFO,">>$save2path");
    print INFO "***Wrong***\n\n";
    close (INFO);
}

0
 
bluelizardCommented:
hm... definitely it would be good to declare $userpass, but there's something else i want to mention (maybe it's just me):

in the test for the passwords, you set the var $userpass_verify_error to 1, but a few lines below, you check the var $user_verify_error.  these two aren't the same... didn't you intend them to be the same?


--bluelizard
0
 
Adam314Commented:
The $userpass_verify_error is no longer used.  I left it in my version, and mjcoyne didn't remove it.

The way the program now works is: as soon as the program figures the password isn't valid (either could not open the profile file or password doesn't match), it called the Wrong subroutine and exits.  If by the time it gets to the "right" part of the program it hasn't exited, then the username/password must be valid.

0
 
Dan-LLAuthor Commented:
ok, I did some of the changes before mjcoyne posted, I am now using the latest one, adams re-worked one. the idtest.txt is reporting ****right**** and ****wrong**** as needed, but why am I still getting 500 error, do I need to do something else to tell the code it has finished like end; or something.

I am going to replace the writting to the appended file to redirects, either to next stage or sorry password is wrong  but I can't move on until I can work out why the 500 comes up, I thought I should be left with a white page once the code had ran.

The code
I have put ***** where my account name goes on the server, but they are just for posting on here.

#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser warningsToBrowser);
use CGI;

my $cgi = new CGI;

#Configuration data
my $mdata="/home/users/******/html/leader-lines.com/cgi-bin/amb/members";
my $save2path = "/home/users/******/html/leader-lines.com/v10/e-mag/yourlines/build/holding/idtest.txt";
my $nextpage="http://www.leader-lines.com/v10/e-mag/yourlines/build/step2fv.html";
my $ufile = lc($cgi->param('name'));
$ufile =~ s/\s//g;

unless(open(MEMBERS, "<$mdata/$ufile.profile")) {
    Wrong();
    exit;
}

my @members=<MEMBERS>;
close(MEMBERS);

my $member_title=$members[0];
my $userpass=crypt(lc($cgi->param('password')), 'MB');
chomp($members[2]);

unless ($userpass eq "$members[2]") {
    Wrong();
    exit;
}

open (INFO,">>$save2path");
print INFO "***Right***\n\n";
close (INFO);
print "Location: $nextpage";


sub Wrong {
    open (INFO,">>$save2path");
    print INFO "***Wrong***\n\n";
    close (INFO);
print "Location: $nextpage";
}


with or without my $ nextpage lines the code errors 500 with 216 the first number on the error page and 0 being the last number at the bottom of the error code.


try it at

http://www.leader-lines.com/v10/e-mag/yourlines/build/step0.html

username: id
password: thetest

(I will remove this once you are done of course, lol..)
0
 
Dan-LLAuthor Commented:
odd as it seems iI tried
print "Status: 302 Moved\nLocation: $nextpage\n\n";

that I found in an old script, yours is neat so gone with that.

Thanks to all that has helped with this, I am a happy man, even my english has improved.
0
 
Dan-LLAuthor Commented:
thank you so much, i know others helped to but the bulk of the work was done by you so you get the points, I will expect someone will ask for a share.
0
 
Adam314Commented:
I don't mind a share.  Award the points based on what you think is best.  If more than one person help, that is fine.
0
All Courses

From novice to tech pro — start learning today.