in reply to Preventing changes on the

What if you trapped all calls to the page that did not have the proper query string by printing out an error page for each URL that did not match; something like:

#!/usr/bin/perl
use CGI qw(:standard);
use strict;

my $q = new CGI;

# Check values from the query string
unless ($q->param('user') eq 'foolish' && $q->param('id') eq '2') {
    print $q->header, $q->start_html(-title => 'Page not found');
    print h2("This page was not found"), $q->end_html;
    exit;
}

# Real page code follows

This only works if the script is the first page called from a blank location line by a user. If you use the query string user=foolish&id=2 in a redirect, hidden value, or any other programmatic call to the script, the keys can easily be seen by anyone running the scripts. Then I think you will need one of the more hard-core authentication methods recommended above.

Live in the moment

Re: Re: Preventing changes on the
by dmmiller2k (Chaplain) on Feb 19, 2002 at 02:24 UTC

    That, of course, won't work if (as appears to be the case) 'user' and 'id' are in fact variables specific to each user.

      You are right. A more complicated scheme would be required for multiple user-id passwords. One method could be to store these user-id pairs in advance in a hash data file, say ../data/user_id, then check the incoming user-id pair against values in the existing hash. For example:

      #!/usr/bin/perl
      use CGI qw(:standard);
      use GDBM_File;
      use Fcntl;          # for O_RDWR
      use strict;

      my $q = new CGI;

      # Assume an existing saved hash %user_id with 'user' as the key and 'id' as the value,
      # created earlier by $user_id{"$user"} = $id and stored in ../data/user_id
      my $verify = "../data/user_id";
      my %user_id;
      tie %user_id, 'GDBM_File', $verify, O_RDWR, 0666 or die "Can't tie $verify: $!";

      my $user = $q->param('user');
      my $id   = $q->param('id');

      # Check values from the query string against values in hash
      # (string comparison with eq; '=' would assign $id into the hash and always succeed)
      unless (exists $user_id{"$user"} && $user_id{"$user"} eq $id) {
          print $q->header, $q->start_html(-title => 'Page not found');
          print h2("This page was not found"), $q->end_html;
          exit;
      }
      untie %user_id;

      # Real page code follows
      By now one has other worries, like being sure the hash is locked while a tie is taking place, about how to update and delete values from the hash, about passing a name-password without security, etc.

      Better advice might be to learn about SSL and OS/Web Server authentication for the particular target platform.
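One way to handle the worries listed above (locking around the tie, update and delete of entries, and not keeping the id in the clear), written as an added example for this page rather than code from the thread; it assumes GDBM_File and Digest::SHA are installed, the ../data/user_id path from the post, a lock file beside it, and a Unix /dev/urandom:

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the post's user/id lookup with
# its "other worries" handled. The data file is locked around every
# tie/untie, the stored value is a salted SHA-256 digest rather than the id
# itself, and add/delete use the same locked accessor.
# Assumes GDBM_File is installed, ../data/ is writable, and /dev/urandom.
use strict;
use warnings;
use Fcntl qw(:flock);
use GDBM_File;
use Digest::SHA qw(sha256_hex);

my $dbfile   = "../data/user_id";   # path from the post
my $lockfile = "$dbfile.lock";      # assumed lock file beside the DB

# Run $code with %db tied, holding an exclusive lock for the whole tie.
sub with_db {
    my ($code) = @_;
    open my $lk, '>>', $lockfile or die "Can't open $lockfile: $!";
    flock $lk, LOCK_EX            or die "Can't lock $lockfile: $!";
    tie my %db, 'GDBM_File', $dbfile, &GDBM_WRCREAT, 0600
        or die "Can't tie $dbfile: $!";
    my $result = $code->(\%db);
    untie %db;
    close $lk;                  # releases the lock
    return $result;
}

sub new_salt {                  # 8 random bytes from the OS, as hex
    open my $r, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $r, my $bytes, 8;
    return unpack 'H*', $bytes;
}

sub add_user {                  # stores "salt:digest", never the raw id
    my ($user, $id) = @_;
    my $salt = new_salt();
    with_db(sub { $_[0]{$user} = "$salt:" . sha256_hex("$salt$id") });
}

sub delete_user { my ($user) = @_; with_db(sub { delete $_[0]{$user} }) }

# True only when $user exists and $id matches; this is the condition the
# post's "unless (exists ... && ...)" line stands for. String compare with eq.
sub verify_user {
    my ($user, $id) = @_;
    return 0 unless defined $user && defined $id;
    my $stored = with_db(sub { $_[0]{$user} }) // return 0;
    my ($salt, $digest) = split /:/, $stored, 2;
    return sha256_hex("$salt$id") eq $digest ? 1 : 0;
}
```

In the CGI script the check becomes `unless (verify_user(scalar $q->param('user'), scalar $q->param('id')))` with the same error page as before; the lookup only ever sees a digest, so a copied data file does not hand out the ids.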