PerlMonks  

Re: Preventing changes on the

by Speedy (Monk)
on Feb 19, 2002 at 01:30 UTC


in reply to Preventing changes on the

What if you trapped all calls to the page that did not have the proper query string by printing out an error page for each URL that did not match; something like:

    #!/usr/bin/perl
    use CGI qw(:standard);
    use strict;

    my $q = new CGI;

    # Check values from the query string
    unless ($q->param('user') eq 'foolish' && $q->param('id') eq '2') {
        # Anything else gets a generic "not found" page
        print $q->header, $q->start_html(-title=>'Page not found');
        print h2("This page was not found"), $q->end_html;
        exit;
    }

    # Real page code follows

This only works if the script were the first page called from a blank location line by a user. If you use the query string user=foolish&id=2 in a redirect, hidden value, or any other programmatic call to the script, the keys can easily be seen by anyone running the scripts. Then I think you will need one of the more hard-core authentication methods recommended above.

Live in the moment

Replies are listed 'Best First'.
Re: Re: Preventing changes on the
by dmmiller2k (Chaplain) on Feb 19, 2002 at 02:24 UTC

    That, of course, won't work if (as appears to be the case) 'user' and 'id' are in fact variables specific to each user.

      You are right. A more complicated scheme would be required for multiple user-id passwords. One method could be to store these user-id pairs in advance in a hash data file, say ../data/user_id, then check the incoming user-id pair against values in the existing hash. For example:

      #!/usr/bin/perl
      use CGI qw(:standard);
      use GDBM_File;
      use strict;

      my $q = new CGI;

      # Assume an existing saved hash %user_id with 'user' as the key and 'id' as the value,
      # created earlier by $user_id{"$user"} = $id and stored in ../data/user_id
      my $verify = "../data/user_id";
      my %user_id;
      # A lookup only needs read access; the mode argument only matters when the file is created
      tie %user_id, 'GDBM_File', $verify, GDBM_READER(), 0666 or die "Can't tie $verify:$!";

      my $user = $q->param('user');
      my $id   = $q->param('id');

      # Check values from the query string against values in hash
      # (string comparison with eq; a missing parameter never matches)
      unless (defined $user && defined $id
              && exists $user_id{"$user"} && $user_id{"$user"} eq $id) {
          print $q->header, $q->start_html(-title=>'Page not found');
          print h2("This page was not found"), $q->end_html;
          exit;
      }
      untie %user_id;

      # Real page code follows
      By now one has other worries, like being sure the hash is locked while a tie is taking place, about how to update and delete values from the hash, about passing a name-password without security, etc.

      Better advice might be to learn about SSL and OS/Web Server authentication for the particular target platform.
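The locking worry raised in the last reply, as an added example that is not part of the original posts: take a lock on a separate sentinel file before the tie and release it only after the untie, so a lookup never opens the hash while another process is updating it. The helper names `with_locked_db` and `pair_is_valid`, the `.lock` sentinel file and the sample user/id pairs are assumptions made for illustration; the pair still travels in the clear in the query string, which this does not address.

```perl
#!/usr/bin/perl
# Added example: check a user/id pair against a GDBM hash file under a lock.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Temp qw(tempdir);
use GDBM_File;

# Lock a sentinel file BEFORE tie and unlock AFTER untie, so no process
# ever has the DBM file open while another one is writing to it.
sub with_locked_db {
    my ($db_file, $write, $code) = @_;
    open(my $lock, '>>', "$db_file.lock") or die "Can't open lock file: $!";
    flock($lock, $write ? LOCK_EX : LOCK_SH) or die "Can't lock: $!";
    my %db;
    tie(%db, 'GDBM_File', $db_file,
        $write ? GDBM_WRCREAT() : GDBM_READER(), 0640)
        or die "Can't tie $db_file: $!";
    my $result = $code->(\%db);
    untie %db;      # close the DBM first ...
    close $lock;    # ... then drop the lock
    return $result;
}

# True only when both values are present and the stored id matches exactly.
sub pair_is_valid {
    my ($db_file, $user, $id) = @_;
    return 0 unless defined $user && defined $id;
    return with_locked_db($db_file, 0, sub {
        my $db = shift;
        return (exists $db->{$user} && $db->{$user} eq $id) ? 1 : 0;
    });
}

# Constructed sample data, written to a temporary directory.
my $db_file = tempdir(CLEANUP => 1) . '/user_id';
with_locked_db($db_file, 1, sub {
    my $db = shift;
    $db->{foolish} = '2';
    $db->{wise}    = '7';
    return 1;
});

# Matching pair, wrong id, unknown user, missing parameter.
for my $case (['foolish', '2'], ['foolish', '7'], ['nobody', '2'], [undef, '2']) {
    my ($user, $id) = @$case;
    printf "%-8s %-2s => %s\n", $user // '(none)', $id,
        pair_is_valid($db_file, $user, $id) ? 'ok' : 'Page not found';
}
```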
