Re: CGI Change Password (LDAP)


Syntactic Confectionery Delight
	PerlMonks

Re: CGI Change Password (LDAP)

by tachyon (Chancellor)

on Dec 11, 2004 at 01:23 UTC ( #414035=note: print w/ replies, xml )

Need Help??

in reply to CGI Change Password (LDAP)

Unless you run this over https it is insecure as the password goes over the wire in plaintext. You have a CGI object. It contains all the params. Why not just pass that to your validate and change functions? Typically I use the return null string if function succeeds or error string if it fails. This lets you avoid globals like your g_err_msg. Then the app logic goes:

if ( $q->param ) {
    my $err_msg = validate( $q );
    if ( $err_msg ) {
        show_form($err_msg);
    }
    else {
        my $msg = change_pass( $q );
        show_form( $msg );   # msg may be error or success message
    }
}
else {
    show_form();
}
exit 0;
[download]

I can't see how it might be exploited but is is usually wise to limit CGI user input to a selected range of characters. The null byte hack is one issue this attends to.

cheers

tachyon

Comment on Re: CGI Change Password (LDAP) Download Code

In Section Seekers of Perl Wisdom

Node Status^?

node history
Node Type: note [id://414035]
help

Chatterbox^?

How do I use this? | Other CB clients

Other Users^?

Others scrutinizing the Monastery: (7)

As of 2013-05-19 04:35 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Voting Booth^?

The best material for plates (tableware) is:

Results (396 votes), past polls