PerlMonks  

Re: CGI Change Password (LDAP)

by tachyon (Chancellor)
on Dec 11, 2004 at 01:23 UTC (#414035)


in reply to CGI Change Password (LDAP)

Unless you run this over https it is insecure, as the password goes over the wire in plaintext. You have a CGI object. It contains all the params. Why not just pass that to your validate and change functions? Typically I use the convention of returning the null string if a function succeeds or an error string if it fails. This lets you avoid globals like your g_err_msg. Then the app logic goes:

    if ( $q->param ) {
        my $err_msg = validate( $q );
        if ( $err_msg ) {
            show_form( $err_msg );
        }
        else {
            my $msg = change_pass( $q );
            show_form( $msg );    # msg may be error or success message
        }
    }
    else {
        show_form();
    }
    exit 0;

I can't see how it might be exploited, but it is usually wise to limit CGI user input to a selected range of characters. The null byte hack is one issue this attends to.

cheers

tachyon
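An added example, not tachyon's code, of the validate( $q ) convention the reply describes: the function takes the CGI object, checks every parameter against a whitelist of characters (which rejects the null byte), and returns the null string on success or an error string on failure. The field names, character classes and sample requests are assumptions, and the CGI module is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed example: field names and allowed character classes are assumptions.
# Each value must match its whitelist entirely; none of the classes include NUL.
my %allowed = (
    username     => qr/\A[A-Za-z0-9._-]{1,64}\z/,
    old_password => qr/\A[\x21-\x7e]{1,128}\z/,   # printable ASCII, no NUL, no space
    new_password => qr/\A[\x21-\x7e]{8,128}\z/,
    confirm      => qr/\A[\x21-\x7e]{8,128}\z/,
);

# Takes the CGI object; returns '' on success, or an error string describing
# the first problem found (the convention from the reply above).
sub validate {
    my ($q) = @_;
    for my $field (sort keys %allowed) {
        my $val = $q->param($field);
        return "Missing field: $field" unless defined $val && length $val;
        # The whitelist already excludes "\0"; the explicit test gives a clearer message.
        return "Field $field contains a NUL byte" if index($val, "\0") >= 0;
        return "Field $field contains characters outside the allowed set"
            unless $val =~ $allowed{$field};
    }
    return 'New password and confirmation do not match'
        if $q->param('new_password') ne $q->param('confirm');
    return '';
}

# Constructed requests built from query strings, so this runs without a web server.
my @cases = (
    'username=alice&old_password=Old%21pass&new_password=N3w%21passwd&confirm=N3w%21passwd',
    'username=alice&old_password=Old%21pass&new_password=N3w%21passwd&confirm=N3w%21passwx',
    'username=alice%00admin&old_password=x&new_password=N3w%21passwd&confirm=N3w%21passwd',
);
for my $qs (@cases) {
    my $err  = validate( CGI->new($qs) );
    my $line = $err eq '' ? "ok\n" : "rejected: $err\n";
    print $line;
}
```

The first request passes, the second is rejected for the mismatched confirmation, and the third is rejected because the username carries an embedded NUL byte.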

