Re: CGI Change Password (LDAP)

by tachyon (Chancellor)
on Dec 11, 2004 at 01:23 UTC (node #414035)


in reply to CGI Change Password (LDAP)

Unless you run this over https, it is insecure, as the password goes over the wire in plaintext. You have a CGI object. It contains all the params. Why not just pass that to your validate and change functions? Typically I return the null string if the function succeeds or an error string if it fails. This lets you avoid globals like your g_err_msg. Then the app logic goes:

    #!/usr/bin/perl
    use strict;
    use CGI;

    my $q = CGI->new;

    # validate(), change_pass() and show_form() are the poster's own
    # functions, defined elsewhere in the script under discussion.
    if ( $q->param ) {
        my $err_msg = validate( $q );
        if ( $err_msg ) {
            show_form( $err_msg );
        } else {
            my $msg = change_pass( $q );
            show_form( $msg );    # msg may be error or success message
        }
    } else {
        show_form();
    }
    exit 0;

I can't see how it might be exploited, but it is usually wise to limit CGI user input to a selected range of characters. The null byte hack is one issue this attends to.

cheers

tachyon
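The following is an added example, not tachyon's code and not the script from the original thread (which this page does not show). It puts the reply's three points into one working CGI script: refuse to handle credentials unless the request came over https, pass the CGI object into a validate() that whitelists the characters of every field (which rejects an embedded NUL byte like any other disallowed character) and returns '' on success or an error string on failure, and drive the form from those return values instead of a global. The field names (uid, oldpass, newpass, newpass2), the mod_ssl-style $ENV{HTTPS} flag and the change_pass() stub standing in for the LDAP modify are all assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original PerlMonks thread).
# Assumed: field names uid/oldpass/newpass/newpass2, $ENV{HTTPS} eq 'on'
# as set by mod_ssl, and change_pass() as a stub for the real LDAP call.
use strict;
use warnings;
use CGI;

# Constructed per-field whitelists. The whole value must match, and
# \A...\z (rather than ^...$) keeps a trailing newline from slipping past.
# Printable ASCII 0x21-0x7e excludes NUL, other control bytes and spaces.
my %RULES = (
    uid      => qr/\A[A-Za-z0-9._-]{1,64}\z/,
    oldpass  => qr/\A[\x21-\x7e]{8,128}\z/,
    newpass  => qr/\A[\x21-\x7e]{8,128}\z/,
    newpass2 => qr/\A[\x21-\x7e]{8,128}\z/,
);

# Returns '' when every field is acceptable, otherwise a short error message.
# Every value is checked against its whitelist before anything else looks
# at it, so a "\0" (the null byte hack, which truncates C strings inside
# libraries the script hands the value to) never gets further than here.
sub validate {
    my ($q) = @_;
    for my $name (qw(uid oldpass newpass newpass2)) {
        my $val = $q->param($name);
        return "Missing field: $name" unless defined $val && length $val;
        return "Invalid value for $name" unless $val =~ $RULES{$name};
    }
    return 'New passwords do not match'
        if $q->param('newpass') ne $q->param('newpass2');
    return 'New password must differ from the current one'
        if $q->param('newpass') eq $q->param('oldpass');
    return '';
}

# Stub for the LDAP step. A real version would bind as the user with
# oldpass and replace userPassword, returning an error or success message.
sub change_pass {
    my ($q) = @_;
    return 'Password changed for ' . $q->param('uid');
}

# Render the form. $msg (error or success text) is HTML-escaped before it
# is echoed back, since part of it may have come from the request.
sub show_form {
    my ($q, $msg) = @_;
    $msg = defined $msg ? $q->escapeHTML($msg) : '';
    print $q->header(-type => 'text/html; charset=utf-8');
    print <<"HTML";
<html><body>
<p>$msg</p>
<form method="post">
  Username: <input type="text" name="uid"><br>
  Current password: <input type="password" name="oldpass"><br>
  New password: <input type="password" name="newpass"><br>
  Repeat new password: <input type="password" name="newpass2"><br>
  <input type="submit" value="Change password">
</form>
</body></html>
HTML
}

my $q = CGI->new;

# Never accept a password over plain HTTP (mod_ssl sets HTTPS=on).
unless ( ($ENV{HTTPS} || '') eq 'on' ) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain');
    print "This form must be used over https.\n";
    exit 0;
}

if ( $q->param ) {
    my $err_msg = validate($q);
    if ($err_msg) {
        show_form($q, $err_msg);
    } else {
        my $msg = change_pass($q);
        show_form($q, $msg);    # msg may be error or success message
    }
} else {
    show_form($q);
}
exit 0;
```

Two details worth keeping when adapting this: the whitelist is applied to every field, passwords included, so the character range for the password fields is a policy choice (the constructed range above disallows spaces and anything non-ASCII); and the message returned from validate() or change_pass() passes through escapeHTML() before it reaches the page, so an error that quotes the submitted value cannot become a script injection.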