Syntactic Confectionery Delight | |
PerlMonks |
Re: DBI & MySQL Login Testby Sewi (Friar) |
on Aug 25, 2009 at 06:21 UTC ( [id://790992]=note: print w/replies, xml ) | Need Help?? |
As others said before: You (as many, many others) suffered from the biggest *SQL problem: It's a language itself and it could be hijacked. I experienced cases where placeholders didn't work depending on the OS, type and version of DB client libs, DB server software and following SQL statements. Here is my solution, assuming you already checked that both $uname and $pword are not empty: What happens? First: Be really,really,really sure that $tablename is a configured value! If this source is placed into a sub (which may get $tablename as parameter), it would be wise to do a regular expression-check on the value before using it at all! Second, let's look at the SQL. Assuming You'll notice that no SQL injection is possible any longer, because everything which is read from the user is converted to hex which couldn't harm the SQL string. This statement requests the number (COUNT(*)) of users matching this username and password. Assuming your "username" column is unique, a value of 0 says "There is no user with this password" while a COUNT of 1 matching row says "I found a user with this username and that password" - which is what you want. The latter is easy: Instead of preparing a statement, executing it and fetching the result (which was missing in your post), you could also combine all three in one command. selectrow_array returns an ARRAY containing the results for the SELECTed columns. In this case only one: The result of the COUNT. Last note: If you've got other things to fetch from the user DB, you could also combine this:
(Everything shown here is based on Sybase SQL products, but should also work on mySQL and other SQL servers. As I don't use mySQL mysqlf, I can't test it, sorry.)
In Section
Seekers of Perl Wisdom
|
|