Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Not working in IIS and it is very Insecure

by raviguhani (Initiate)
on Aug 19, 2007 at 17:14 UTC ( #633625=perlquestion: print w/replies, xml ) Need Help??

raviguhani has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks
This code is working fine on command prompt of windows XP
But when using IIS in windows,
explorer shows this error

CGI Timeout
The specified CGI application exceeded the allowed time for processing. The server has deleted the process.

The code is :

#!c:\perl\bin\perl.exe print "content-type:text/html\n\n"; ########################################### use strict; use DBI; # Connect to the database # See footnote 1 my $dbh = DBI->connect('DBI:mysql:mysql', 'root', 'mysql') or die "Couldn't open database: $DBI::errstr; stopped"; ##################################### my $log_name = "Ravi"; my $zzz=0; while ($zzz<=0) { chomp($log_name); my $sth = $dbh->prepare("SELECT username FROM passwd WHERE +login='$log_name'") or die "Couldn't prepare: '$DBI::errstr'; stopped"; $sth->execute() or die "Couldn't execute: '$DBI::errstr'"; my ($username) = $sth->fetchrow_array(); print STDOUT "Item: $log_name Username: $username\n"; $zzz=$zzz+1; #my $zzz=$zzz+1; } # Disconnect from the database $dbh->disconnect(); #############################################

Further , As you can see,
this code is very insecure,
because all the database details and password is open to everyone,
how can i make it secure by hiding the password in the main .pl file

Replies are listed 'Best First'.
Re: Not working in IIS and it is very Insecure
by moritz (Cardinal) on Aug 19, 2007 at 17:22 UTC
    Since you are running in a webserver, you should not read from STDIN. If you want to access GET and POST parameters, use CGI.

    I guess your script waits infinitly for a line from STDIN, and then gets reaped by IIS.

Re: Not working in IIS and it is very Insecure
by fmerges (Chaplain) on Aug 19, 2007 at 18:18 UTC

    Hi,

    Yes, knowing that it's insecure is no excuse, fix it!

    Besides the fact that the connection data shouldn't be in the cgi script itself, it should be read from a configuration file, that's it's better to use RaiseError so that you don't need to check every time if something went wrong in the last query; that you should use CGI module for getting the parameters, etc... that using that way of handling input will bring you soon to problems with SQL Injection, see placeholders in DBI module. Take a look at the code itself because this while doesn't make much sense...

    Regards,

    fmerges at irc.freenode.net
      Thank you very much, i am searching for some tutorial on security regarding CGI scripts, and on the Code part... as you can see i am very new to perl, i am reading some header commands... i will definetly improve it...

        Obligatory link to Ovid's CGI Course, which is as much about basic security as CGI.

        How can you feel when you're made of steel? I am made of steel. I am the Robot Tourist.
        Robot Tourist, by Ten Benson

Re: Not working in IIS and it is very Insecure
by wfsp (Abbot) on Aug 20, 2007 at 06:42 UTC

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://633625]
Approved by TStanley
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (9)
As of 2019-12-09 16:27 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?