Since you are using CGI, you may as well use the CGI HTML generating functions, too.
#!/usr/bin/perl -wT
use strict;
use CGI::Pretty qw( :standard );

my ( $p, $password );
$p        = "howdy";
$password = param('password');

# Avoid an "uninitialized value" warning when the field is absent
$password = '' unless defined $password;

# Here's where we taint check. $password is undef
# if it doesn't match the regex; the capture is what untaints it.
( $password ) = ( $password =~ /^(\w+)$/ );

if ( defined $password and $p eq $password ) {
    print header,
          start_html( -title   => 'Password Check',
                      -BGCOLOR => 'navy',
                      -text    => 'white' ),
          h1( 'It worked' ),
          hr(),
          br(),
          end_html;
} else {
    print header,
          start_html( -title   => 'Password Check',
                      -BGCOLOR => 'orange' ),
          h1( 'Loser -- Try Again' ),
          hr(),
          br(),
          end_html;
}
If you enter a valid password, the following is output:
<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><head><title>Password Check</title>
</head><body text="white" bgcolor="navy">
<h1>
It worked
</h1>
<hr><br></body></html>
Once you get used to them, they are very handy.
Incidentally, anyone know why <hr> and friends aren't represented as <hr />? I thought those were necessary for valid XHTML (though I know this is transitional, I still thought it was done that way). I am using CGI.pm 2.74.
Your questions were:
- What are some basic things I can do to make this script more secure?
Read perlre. You can also read through <shameless plug>this incomplete CGI course</shameless plug> for more information on security.
- If need be, would it be wise to use this script on a business web site?
No. It's a bad security model. See link in question #1 for more info.
- Lastly, is it a wise decision to have the actual password name in the script or should I call it from a txt file (or something else)?
Read the link that tinman listed. It looked pretty good (though I just scanned it, so take me with a grain of salt).
I hope these comments don't seem discouraging. You're asking the right questions :)
Cheers,
Ovid
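An added example, not Ovid's or the original poster's code, showing the same taint-check idiom with the two changes the answers above point at: the secret is a salted SHA-256 digest loaded from a file outside the document root rather than a plaintext literal in the script, and the comparison is done on digests without stopping at the first differing byte. The credential path /etc/webapp/passwd, the salt "c0ffee" and the fallback record for "howdy" are assumptions for the demo; Digest::SHA is a core module since Perl 5.10.

```perl
#!/usr/bin/perl -wT
# Added example (not code from the original post): taint-check a CGI
# password field, then verify it against a salted digest read from a
# file instead of a plaintext literal in the script.
use strict;
use warnings;
use CGI::Pretty qw( :standard );
use Digest::SHA qw( sha256_hex );   # core since Perl 5.10

# Assumed location of the credential file: one line, "salt:hexdigest".
my $CRED_FILE = '/etc/webapp/passwd';

# Untaint a form value against a whitelist. Under -T only the captured
# group is clean; anything that fails the pattern becomes undef.
sub untaint_word {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A(\w{1,64})\z/ ? $1 : undef;   # \z: no trailing newline
}

# Build a "salt:digest" record; run once, offline, to create the file.
sub make_record {
    my ($salt, $secret) = @_;
    return join ':', $salt, sha256_hex($salt, $secret);
}

# Compare a candidate against a record without holding the plaintext
# secret, and without bailing out on the first differing byte.
sub check_password {
    my ($candidate, $record) = @_;
    return 0 unless defined $candidate and defined $record;
    my ($salt, $digest) = split /:/, $record, 2;
    return 0 unless defined $digest;
    my $got = sha256_hex($salt, $candidate);
    return 0 unless length($got) == length($digest);
    my $diff = 0;
    $diff |= ord(substr($got, $_, 1)) ^ ord(substr($digest, $_, 1))
        for 0 .. length($got) - 1;
    return $diff == 0 ? 1 : 0;
}

# Read the record from the credential file; fall back to a constructed
# record for "howdy" so the demo runs without the file present.
sub load_record {
    if (open my $fh, '<', $CRED_FILE) {
        my $line = <$fh>;
        close $fh;
        chomp $line if defined $line;
        return $line if defined $line and length $line;
    }
    return make_record('c0ffee', 'howdy');   # constructed sample only
}

my $record = load_record();

if (@ARGV) {
    # Command-line demo: perl -T check.pl howdy 'howdy;id' nope
    for my $arg (@ARGV) {
        my $clean = untaint_word($arg);
        printf "%-20s untaint=%-4s ok=%d\n", $arg,
            defined $clean ? 'pass' : 'FAIL',
            check_password($clean, $record);
    }
    exit;
}

# CGI path: same structure as the post above, minus the literal.
my $password = untaint_word( param('password') );
my $ok       = check_password($password, $record);
print header,
      start_html( -title   => 'Password Check',
                  -BGCOLOR => $ok ? 'navy' : 'orange',
                  -text    => 'white' ),
      h1( $ok ? 'It worked' : 'Loser -- Try Again' ),
      hr(), br(),
      end_html;
```

Run it with -T on the command line (the shebang alone is not enough when invoked as `perl check.pl`, which dies with "Too late for -T"); the argument containing a semicolon fails the untaint step before it is ever compared, and a wrong but well-formed word passes untainting yet fails the digest check.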