http://qs321.pair.com?node_id=166147 

   1: When I get a chance I will repost this with the changes suggested by
   2: you fine Perl Monks.  Remember This is my second perl script
   3: attempt.  I know I have much to learn.  Please keep the feedback coming
   4: 
   5: UPDATE[05/15/2002]: I have begun 'fixing' this code.  I realize I still have not
   6: incorporated the use of strict; and I still have textual
   7:  passwords that need to be encrypted.  I'm still reading! :)
   8: 
   9: UPDATE[05/16/2002]: I have incorporated crypt() into the code.
  10:   I also am now using alot of the CGI.pm features.
  11:  I am having one heck of a time adding strict to this though.
  12: 
  13: UPDATE[05/17/2002]: I have actually gotten strict to work! I had to do a little
  14:  restructuring but it works!  I am going to post a Node in SoPW.  See if there
  15:  is anything else I need to change on this before I call it good code!
  16: 
  17: 
  18: 
  19: #!/usr/bin/perl -w
  20: # (Put the address to the location of PERL on your system.  Find
  21: #  it with 'which perl')
  22: use strict;
  23: use CGI qw/:standard/;
  24: use CGI::Cookie;
  25: 
  26: # Where are you keeping the graphic that will be used in place of of
  27: # The requested graphic (thru ubersecure.cgi?img=Name) if password is not found
  28: my $imgfile = "/home/user/www/cgi-bin/ubersecure/secure.gif";
  29: 
  30: # Where you are keeping UberData.txt which holds your KEY|Location
  31: my $datafile = "/home/user/www/cgi-bin/ubersecure/uberdata.txt";
  32: 
  33: # Will You need multiple logins or a single login?  (1=multiple,0=single)
  34: my $multi_in = 1;
  35: 
  36: # This should point to your uberaccess.txt which holds the name|pass information
  37: # This is not required for the single user mode
  38: my $accessfile = "/home/user/www/cgi-bin/ubersecure/uberaccess.txt";
  39: 
  40: # Password required to login for single user mode.(Default pass is: 1234)
  41: # This will also be a valid password for multi user mode.
  42: # You MUST encrypt this password, you can use the following tool:
  43: # http://www.YourSite.com/cgi-bin/ubersecure/ubersecure.cgi?url=passwd
  44: my $pass = "USaH0nvPrucUo";
  45: 
  46: # UserName required to login for single user mode.
  47: # This will also be a valid login for multi user mode.
  48: my $goodnick = "1234";
  49: 
  50: # Address to this script.
  51: my $thisscript = "http://www.YourSite.com/cgi-bin/ubersecure.cgi";
  52: 
  53: #Name of the page that you are logging into.
  54: my $pagename = "UberSecure Test Page";
  55: 
  56: #Send mail to YOU when someone logs in?
  57: # 1 = On
  58: # 0 = Off
  59: my $send_mail = 0;
  60: 
  61: #Send mail to YOU when a Keyword / URL isn't found?
  62: my $send_mail_badurl = 0;
  63: 
  64: # UNIX path to the mail program on your system.
  65: # elm, Mail, etc.  If you run into problems, turn mail sending off.
  66: my $mail = "/var/qmail/bin/qmail-inject";
  67: 
  68: #Email address to send mail to (your personal e-mail address.)
  69: #You MUST put a backslash (\) in front of the 'at' (@) sign in the e-mail
  70: # address.
  71: my $to_email = "UberDragon13\@hotmail.com";
  72: 
  73: # Do you wish to log logins?  (1/0)
  74: # LOG file is NOT auto cleared.  You will have to edit it by hand.  If you
  75: # delete it, remember to chmod the new file 644 when you re-make it.
  76: my $log = 1;
  77: 
  78: #Ask for an e-mail address?  (Will be logged.)
  79: my $email = 0;
  80: 
  81: # What is the address to the log file?  (Remember to create the file and
  82: #                                         to chmod it 644)
  83: my $log_file = /home/user/www/cgi-bin/ubersecure/ubersecure.log";
  84: 
  85: # Path to your system's date program for logging.
  86: my $date_prog = "/bin/date";
  87: 
  88: # Settings for page colors.
  89: my $text = "#000000";
  90: my $link = "green";
  91: my $vlink = "#663300";
  92: my $bgcolor = "#FFFFFF";
  93: my $background = "http://www.YourSite.com/graphics/rb-bak6.jpg";
  94: my $bgproperties = "fixed";
  95: ##########################################################################
  96: my $date = `$date_prog '+%D %H:%M:%S'`;
  97: my $salt = "US";
  98: my %in = &getcgi;
  99: 
 100: if ($in{'url'} eq "passwd") { &passwd; exit; }
 101: 
 102: # Check for presence of Cookie and Parse info into $in
 103: if ( (cookie('pass')) && (cookie('name')) ) {
 104:    $in{'name'} = cookie('name');
 105:    $in{'pass'} = cookie('pass');
 106: }
 107: 
 108: # Check for presence of Access File and Parse info into name and password
 109: if ($multi_in == 1) {
 110:   open (DATA, "<$accessfile") or access_error and exit;
 111:   while(<DATA>){
 112:     chomp;
 113:     my ($acc,$accpass) = split'\|',$_;
 114:     if ( ($acc eq $in{'name'}) && ($accpass eq $in{'pass'}) ) {
 115:       $goodnick = $acc;$pass = $accpass;
 116:     }
 117:   }
 118:  close(DATA);
 119: 
 120: }
 121: # Check for img link and no password
 122: if ( ($in{'img'}) && ($in{'pass'} ne $pass) ) {
 123:   print header;
 124:   open(FILE,"$imgfile");
 125:   while(<FILE>) { print $_; }
 126:   exit;
 127: }
 128: # Make sure its a valid login then do commands
 129: if ( ($in{'name'} eq $goodnick) && ($in{'pass'} eq $pass) ) {
 130:   &send_mail;&log_in;
 131:   my $cookie_set1 = "Set-Cookie: name=$in{'name'}\n";
 132:   my $cookie_set2 = "Set-Cookie: pass=$in{'pass'}\n";
 133:   print $cookie_set1;
 134:   print $cookie_set2;
 135:   print header;
 136:   open (DATA, "<$datafile") or &data_error and exit;
 137:   while(<DATA>){
 138:     my ($key,$url)=split'\|',$_;
 139:     if($key eq $in{'url'}){
 140:       open(FILE,"$url");
 141:       while(<FILE>) { print $_; }
 142:       exit;
 143:     }
 144:     if($key eq $in{'img'}){
 145:       open(FILE,"$url");
 146:       while(<FILE>) { print $_; }
 147:       exit;
 148:     }
 149: 
 150:   }
 151:   close(DATA); &key_error; exit;
 152: }
 153: # Display Page For Login Error Due to bad pass
 154: elsif ( ($in{'pass'}) && ($in{'pass'} ne $pass) ) {
 155: 	&print_badlogin;exit;
 156: }
 157: # Display Page for Login Error Due to Bad Login Name
 158: elsif ( ($in{'name'}) && ($in{'name'} ne $goodnick) ) {
 159: 	&print_badlogin;exit;
 160: }
 161: # Put up page for user to login
 162: else {
 163: 	print header;&print_login;exit;
 164: }
 165: ##########################################################################
 166: # If Specified Send Email to Webmaster about UberSecure
 167: ##########################################################################
 168: 
 169: sub send_mail {
 170:  if ( cookie() ) { return 1; }
 171:   if ($send_mail == 1) {
 172:    if (-x $mail) {
 173:     open(MAIL, "|$mail");
 174:     print MAIL ("To: $to_email\n",
 175:                 "From: UberSecure_v1.1.0\n",
 176:                 "Subject: Login Detected by $in{'name'}\n",
 177:                 "User has logged in to UberSecure v1.1.0\n\n",
 178:                 "$ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'})\n\n",
 179:                 "$date\n",
 180:                 "  Name: $in{'name'}\n");
 181: 	if ($email == 1) {
 182: 	  print MAIL "  E-mail: $in{'email'}\n";
 183: 	}
 184: 	close(MAIL);
 185:   }
 186:  }
 187: }
 188: sub send_mail_badurl {
 189:  if ($send_mail_badurl == 1) {
 190:   if (-x $mail) {
 191:    open(MAIL, "|$mail");
 192:    print MAIL ("To: $to_email\n",
 193:                "From: UberSecure_v1.1.0\n",
 194:                "Subject: Bad URL Key Attempt at $in{'url'}$in{'img'}\n",
 195:                "$in{'name'} has logged in to UberSecure v1.1.0
 196:                                             to access --\> $in{'url'}\n\n",
 197:                "Unfortunately $in{'url'}$in{'img'} does not exist
 198:                                             in your data file.\n\n",
 199:                "$ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'})\n\n",
 200:                "$date\n",
 201:                "  Name: $in{'name'}\n");
 202: 	if ($email == 1) {
 203: 	  print MAIL "  E-mail: $in{'email'}\n";
 204:    }
 205:    close(MAIL);
 206:   }
 207:  }
 208: }
 209: ##########################################################################
 210: # Display Error Page if The Password is Incorrect
 211: ##########################################################################
 212: 
 213: sub print_badlogin {
 214: &logerror("Login attempt for $in{'name'} Invalid Attempt");
 215: print header;
 216: begin_html("Bad Login Information to $pagename");
 217: 
 218: print <<"html";
 219: <center>
 220: <font size=5>Login Error to: <b>$pagename</b><br><br>
 221: </font>
 222: Please try your Login again!  <a href="$thisscript?url=$in{'url'}">click here!</a>
 223: </center>
 224: html
 225: print end_html;
 226: exit;
 227: }
 228: ##########################################################################
 229: # Display Login Page if No Login/Pass In Cookie
 230: ##########################################################################
 231: 
 232: sub print_login {
 233:   begin_html("Login to $pagename");
 234:   print "<font size=5>Please login to <u>$pagename</u></font>";
 235:   print start_form(-method=>'post',
 236: 			    -action=>"$thisscript?url=$in{'url'}");
 237:   print textfield(-name=>'name',
 238: 			    -size=>25,
 239: 			    -maxlength=>25);print " Login Name<BR>";
 240:   if ($email == 1) {
 241:   print textfield(-name=>'email',
 242: 				-size=>25,
 243: 				-maxlength=>25);print " Email Address<BR>";
 244:   }
 245:   print password_field(-name=>'pass',
 246: 				-size=>25,
 247: 				-maxlength=>25);print " Login Password<BR><BR>";
 248: 
 249:   print hidden(-name=>'url',
 250: 			     -default=>$in{'url'});
 251: 
 252: 
 253:   print submit(-name=>'Submit',
 254:     			-value=>'Submit');
 255: 
 256:   print endform;print end_html;
 257:   exit;
 258: }
 259: ##########################################################################
 260: # Parse Information sent thru the URL Command line into $in{}
 261: ##########################################################################
 262: 
 263: sub getcgi {
 264:     my $cgi = CGI->new();
 265:     my %in = %{$cgi->Vars};
 266:     if ($in{'pass'}){$in{'pass'} = crypt($in{'pass'}, $salt);}
 267:     return %in;
 268: }
 269: 
 270: sub logerror {
 271:   if (! -e "$log_file") {
 272: 		open(FILE, ">$log_file");
 273: 		print FILE "File START $date\n";
 274: 		close(FILE);
 275:   }
 276:   if ($log == 1) {
 277: 	my $error = $_[0];
 278: 	open(FILE, ">>$log_file");
 279: 	print FILE "ERROR: $ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'}) $date";
 280:    print FILE "  Name: $in{'name'}\n";
 281: 	if ($email == 1) {
 282: 		print FILE "  E-mail: $in{'email'}\n";
 283: 	}
 284:    if($in{'url'}){print FILE "  Error Msg: $error [?url=$in{'url'}]\n\n";}
 285:    if($in{'img'}){print FILE "  Error Msg: $error [?img=$in{'img'}]\n\n";}
 286: 	close(FILE);
 287:   }
 288: }
 289: 
 290: sub log_in {
 291:    if ($log == 1) {
 292: 	if (! -e "$log_file") {
 293: 		open(FILE, ">$log_file");
 294: 		print FILE "File START $date\n";
 295: 		close(FILE);
 296: 	}
 297: 	open(FILE, ">>$log_file");
 298: 	print FILE "LOGIN: $ENV{'REMOTE_ADDR'} (with $ENV{'HTTP_USER_AGENT'}) $date";
 299:    print FILE "  Name: $in{'name'}\n";
 300: 	if ($email == 1) {
 301: 		print FILE "  E-mail: $in{'email'}\n";
 302: 	}
 303:    if($in{'url'}){print FILE "  Command: ?url=$in{'url'}\n\n";}
 304:    if($in{'img'}){print FILE "  Command: ?img=$in{'img'}\n\n";}
 305: 	close(FILE);
 306:    }
 307: }
 308: 
 309: ##########################################################################
 310: # Display Error Page if Specified Key is not in Data File
 311: ##########################################################################
 312: sub key_error {
 313: &send_mail_badurl;&logerror("Specified Key Not Found");
 314: my $show;
 315: if($in{'img'}){$show = $in{'img'}};
 316: if($in{'url'}){$show = $in{'url'}};
 317: begin_html("Error - Specified Key Not Found");
 318: 
 319: print <<"EOF";
 320: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 321: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 322:  sans-serif" size="4">URL Location Not Found - <b>$show</b></font></p>
 323: <p>Email the <a href="mailto:$to_email">WebMaster</A> and let them know!</p>
 324: <p>&nbsp;</p>
 325: <p>&nbsp;</p>
 326: <p>&nbsp;</p>
 327: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 328:     UberSecure v1.3.0 by <a href="
 329:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 330:     UberDragon13\@Yahoo.com</a></font></p>
 331: EOF
 332: print end_html;
 333: exit;
 334:  }
 335: ##########################################################################
 336: # Display Error Page if Data File is Missing
 337: ##########################################################################
 338: 
 339: sub data_error {
 340: &logerror("Missing Data File at $datafile");
 341: begin_html("Error - Missing Data File");
 342: print <<"EOF";
 343: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 344: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 345:  sans-serif" size="4">DataFile Not Found - <b>$datafile</b></font></p>
 346: <p>Check your configuration in UberSecure.cgi and verify the file exists
 347:   where the path says it does.</p>
 348: <p>&nbsp;</p>
 349: <p>&nbsp;</p>
 350: <p>&nbsp;</p>
 351: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 352:     UberSecure v1.3.0 by <a href="
 353:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 354:     UberDragon13\@Yahoo.com</a></font></p>
 355: EOF
 356: print end_html;
 357: exit;
 358: }
 359: ##########################################################################
 360: # Display Error Page if Access File is Missing
 361: ##########################################################################
 362: 
 363: sub access_error {
 364: &logerror("Missing Access file at $accessfile");
 365: print header;
 366: begin_html("Error - Missing Access List File");
 367: print <<"EOF";
 368: <p><font size="+5"><b><font face="Geneva, Arial, Helvetica, san-serif">
 369: ERROR 404</font></b></font></p><p><font face="Verdana, Arial, Helvetica,
 370:  sans-serif" size="4">AccessFile Not Found  - <b>$accessfile</b></font></p>
 371: <p>Check your configuration in UberSecure.cgi and verify the file exists
 372:   where the path says it does.</p>
 373: <p>&nbsp;</p>
 374: <p>&nbsp;</p>
 375: <p>&nbsp;</p>
 376: <p><font face="Verdana, Arial, Helvetica, sans-serif" size="-1">
 377:     UberSecure v1.3.0 by <a href="
 378:     mailto:UberDragon13\@Yahoo.com?subject=UberSecure%20v1.3.0%20-%20$thisscript">
 379:     UberDragon13\@Yahoo.com</a></font></p>
 380: EOF
 381: print end_html;
 382: exit;
 383: }
 384: ##########################################################################
 385: # Begin the HTML Document
 386: ##########################################################################
 387: sub begin_html {
 388: print start_html(           -title=>$_[0],
 389: 			    -meta=>{'author'=>'UberSecure HTML Generator',
 390: 			            'copyright'=>'copyright 2002 UberSecure'},
 391: 			    -BGPROPERTIES=>$bgproperties,
 392:              -BACKGROUND=>$background,
 393: 			    -BGCOLOR=>$bgcolor,
 394: 			    -TEXT=>$text,
 395: 			    -LINK=>$link,
 396: 			    -VLINK=>$vlink,
 397: 			    -ALIGN=>'center',);
 398: }
 399: ##########################################################################
 400: # Subroutine to help admin encrypt the user file password data
 401: ##########################################################################
 402: sub passwd {
 403:   if ($in{'htname'}) {
 404:    if ($in{'htpass'} ne $in{'htpass2'}) {
 405:       print header;
 406:       begin_html('Password Mismatch');
 407:       print <<"EOF";
 408:       The two passwords you entered DO NOT match!<BR><BR>
 409:       <a href="$thisscript?url=passwd">Click Here</a> To try again.
 410: EOF
 411:       print end_html;
 412:       exit;
 413:    }
 414:    elsif(($in{'htname'}) && ($in{'htpass'})) {
 415:       print header;
 416:       begin_html('Encrypted Results');
 417:       my $htpass = crypt($in{'htpass'}, $salt);
 418:       print <<"EOF";
 419:       Simply Copy/Paste the Encrypted Line to your uberaccess.txt<BR><BR>
 420:       Please NOTE There is no known way to decrypt() this Password!<BR>
 421:       Make sure your User remembers his/her password.<BR><BR>
 422:       Encrypted Access line for <code>User[<u>$in{'htname'}</u>]</code>
 423:       with the <code>password[<u>$in{'htpass'}</u>]</code> is:<BR><BR>
 424:       <h1>$in{'htname'}|$htpass</h1>
 425: EOF
 426:       print end_html;
 427:       exit;
 428:    }
 429:   }
 430:   print header;
 431:   begin_html('Get Encrypted Password');
 432:   print "Fill out this form to produce the encrypted
 433:           password line in your uberaccess.txt<BR>Note: Login Names and
 434:           Passwords are <u>case sensitive</u>!";
 435: 
 436:   print start_form(-method=>'post',
 437: 			    -action=>"$thisscript?url=passwd");
 438: 
 439:   print textfield(-name=>'htname',
 440: 			    -size=>25,
 441: 			    -maxlength=>25),
 442: 			    " Enter Login Name<BR><BR>";
 443: 
 444:   print password_field(-name=>'htpass',
 445: 				-size=>25,
 446: 				-maxlength=>25),
 447: 				" Enter Desired Password<BR><BR>";
 448: 
 449:   print password_field(-name=>'htpass2',
 450: 				-size=>25,
 451: 				-maxlength=>25),
 452: 				" RE-Enter Desired Password<BR><BR>";
 453: 
 454:   print hidden(-name=>'url',
 455: 			     -default=>'passwd');
 456: 
 457: 
 458:   print submit(-name=>'Get Encrypted Line',
 459:     			-value=>'Get Encrypted Line');
 460: 
 461:   print endform, end_html;
 462:   exit;
 463: 
 464: }
 465: 
 466: ##########################################################################
 467: # End of Program
 468: ##########################################################################
 469:

Replies are listed 'Best First'.
Re: UberSecure v1.5.2
by cjf (Parson) on May 13, 2002 at 12:02 UTC
[reply]
Re: lame site security cgi
by davorg (Chancellor) on May 14, 2002 at 07:43 UTC

    Others have commented at great length on the shortcomings of your program, so 'm not going to add to that.

    I'm interested in knowing how you picked up so many bad habits. How did you learn Perl? Did you teach yourself from reading a book? Or did you find a tutorial on the web? Or were you taught by someone who claimed to know Perl, but obviously doesn't?

    I'm very interested in finding out how people learn bad Perl so that we can work on replacing the resources that they use with better ones, so any information that you can give me would be great.

    --
    <http://www.dave.org.uk>

    "The first rule of Perl club is you do not talk about Perl club."
    -- Chip Salzenberg

[reply]
      I have used a large variety of resources to learn perl. This includes books, websites, code snooping etc. I have no formal training, I am taking the same approach I first took with html and with mIRC script. Trial and error. My first program I used strict..

      I had no idea how I would shame myself by not using it and other such things here. Quite honestly I was pleased to get this little program to work, I didn't concentrate on perfect code. Well that is one of the reasons I posted it here. So far I have been given very broad examples of what I have done wrong and I have started looking up these references on perldoc.org.

      Does anyone have any more accute examples for this particular piece of code? Where/how does it need to be improved. I am definately here to learn more about perl, I can see this should not have been posted as a Craft as evidently that is where the guru Monks post their perfectly written code. I apologise for this.

      ~uber
[reply]
        UberDragon13, Welcome to the monastery.

        Here are a few tips for getting the best out of this site. Firstly, you may have found that the code you posted has earned a number of -- points. Don't take this to heart as it's just a (fairly meaningless) number after all.

        There are two tools it would be a good idea how to find out how to use:

        • The Chatterbox (CB). Here, you can ask questions about pretty much anything - they don't even have to be Perl related (but I guess you are already familiar with IRC). The /msg facility is useful for posting a message to an individual off list. This is much better than posting flame, which will earn you considerably more -- votes and lose you more respect than duff code.

          Remember, anything you post as replies is public. Anything sent via /msg is essentially a private conversation.

        • Open up your personal scratchpad. Click on your name, and "Edit your user information". Here is something which is _yours_ and public, but you will not be judged and downvoted on it. It is a good place to post code for review - the worst you will get is sarcasm on the CB.

        Also, have a good look around the site, read the FAQs, do some searches on topics of interest. In particular, check out the links other monks have given you in reply - this will take you to some quit informative articles both inside and outside the site.

        You will find that this is one of, if not the best Perl forum on the Internet.

        rinceWind

[reply]
        I have used a large variety of resources to learn perl. This includes books, websites, code snooping etc.

        The problem is that like just about everything else, 90% of Perl books and Perl tutorial websites are rubbish. One problem that I'm very interested in is how we in the Perl community steer potential Perl converts to all the good information before they find all of the rubbish.

        You've obviously found Perlmonks, which is a good start. I'd also recommend that you look at perl.com and use.perl; on a regular basis.

        As far as books go. The wisdom of the Perl community is gathered in perlfaq2. Try typing perldoc -q book at you command line.

        --
        <http://www.davee.org.uk>

        "The first rule of Perl club is you do not talk about Perl club."
        -- Chip Salzenberg

[reply]
Be Nice To Newbies!
by mt2k (Hermit) on May 16, 2002 at 00:57 UTC
    Okay, I just have a few things to say here...:

    1. Yes, I approved this node when it seems that no one else would. Why? Because if you would look, this is only his 1st post here on perlmonks. This is also his 2nd script as a scripter, and if you ask me, it's not so bad! Maybe insecure, could use a few modules instead of some of that code, makes the screen width a little huge, and could use a general clean up, but that's no reason to put him to -20 (before I ++ him)!
    2. Since when are we so harsh on people new to the perl language? Are we trying to keep the language to ourselves by discouraging others from attempting to learn it? I say bravo Uber! I wish I had been able to create such a script (even if it does need work) on my second try at the language. I believe my first script was a 3-liner or something!
    3. I would like to welcome you to the site UberDragon13 and to the Perl language. I sincerely hope that you are not discouraged by what some people have told you here. Programming is fun and I think that everyone has a right to try it out and learn it! I'd like to see the second script written by those that criticized your skills. Bet theirs weren't so great either.
    4. Like the others (the nicer people) have suggested, do some reading up on some of those modules and learn how they can make life much easier.

    There, that's my 10000 cents.

[reply]
      I sincerely appreciate the kind words from mt2k. No worries though I knew I would draw critism on my usage of code. As a matter of fact I counted on it! :) Even if I had no idea about the rating system.

      I do hope those that have critic'd this program come back to see the changes I have made because of their comments. I have used more of CGI.pm and even figured out how to use crypt(). I have added a feature (?img) and have attempted to clean up code all over (especially in the logging)

      I admit, I still haven't incorporated use strict;. It is not that I haven't tried. I just for some reason can't grasp it. How do I use variables between subroutines. If anyone is bored and has the time to convert this with use strict; including comments on usage I would be most gracious. Ofcourse I don't expect such things, but it may help me to understand its usage better. (before you tell me to read about strict I promise I have read everything at both perldoc.com and perlmonks.org)

      If you are wondering what the code looked like when I first posted just visit here. I hope you can say you see a positive difference in my code. Please feel free to show me a better way to do any of this. Again I am here to learn and learn I shall! :)

      ~uber

      ============================================================
      ....Sometimes life can be as bitter as dragon tears. But whether dragon tears are
      bitter or sweet depends entirely on how each person perceives the taste....
      ============================================================
[reply]
[d/l]
[select]
Re: UberSecure v1.5.2
by Anonymous Monk on May 13, 2002 at 11:35 UTC
    no -T
    no -w or use warnings;
    no use strict;
    hand rolled CGI stuff

    no need to go on...

    "C" for effort
    "F" for execution
[reply]
[d/l]
[select]
      no humor value
      no information content
      no useful pointers
      no manners

      Seriously, why does abusive crap like this get modded up? I can't see it as anything more than a waste of bandwidth. And many of the other posts in this thread are little better -- the pointers to existing modules and resources are certainly useful and appropriate, but there's no need to liven them up with comments like "explain why you suck." Reminds me of the bad parts of usenet sometimes. We can do better.

      /s

[reply]
Re: html/file security cgi
by jynx (Priest) on May 17, 2002 at 01:15 UTC

    hopefully these will help more than hurt...

    (a few random, specific things in no particular order)

    • rather than use an outside time program (/bin/date) you can use localtime. This will avoid a shell call which is usually a Good Thing(tm).
    • never, never, never set a file to 777 permissions. There are too many ways that a universally writeable file can be abused, just don't do it. 644 is better.
    • For your print statements, you can bundle like things by comma-seperating them rather than using individual print statements.
    • You should use cgi's methods for getting the arguments passed to the script. Realizing you're already heard use CGI or die many times, i'll give you a reason: You're not restricting content length. A cracker could easily use that to break into the system. Parsing cgi arguments correctly is very difficult, (ab)using CGI is much easier.
    • It would probably be better to store the single-user password in the access.txt file. Storing passwords is in general a bad idea, but there's only so much you can do to circumvent that problem when doing cgi work (storing them in the script is not a good option)
    • If you can find a way (at a later date) to use a random salt, that would be better than hardcoding one. Much more secure. You can find an example of how to create one on crypt's perldoc page.
    • You don't check to see if you actually opened the log file. What if you failed? Currently you continue as if nothing went wrong. Should you die? Warn others? Whether you fail gracefully or gracelessly, you should do something when you fail...
    • A very minor nit, but possibly useful. Rather than saying:

      if (($in{'name'})&& etc...

      it seems better (monks correct me if i'm wrong) to use exists here:

      if (exists($in{'name'}) && etc...

    • to reiterate a few others, strict and warnings are useful. Also, test your script out on command line before putting it in cgi_bin. That will help clear out a lot of other possible pitfalls early as well...
    • Lastly, @_ is your friend. Argument passing is an excellent thing to learn, and using strict will become much easier once you stop using globals.

    As for coding, don't try to implement a lot of changes at once (assuming you're still making changes). It's just a bad idea (unless you're a real programmer like mel ;-). Whatever changes you plan to implement, make them 1 at a time. And if you can stomach it, you should probably post the next (major) revision to Seekers of Perl Wisdom if you plan on asking for further advice. You'll probably receive more help there.

    jynx

[reply]
[d/l]
[select]
Re: UberSecure v1.5.2
by vladb (Vicar) on May 13, 2002 at 17:24 UTC
    Pardon me, but the code seems to be a work of a rookie 'hacker wannabe'.

    This shows both from the code itself (to mention a few points, your methods -- which are nothing but a poor remake of CGI -- to process cookies are simply not adequate) and the language form used. Spelling 'through' as 'thru' is simply wrong and perceived as a poor gesture. Also, is there anything about your use of the word 'Uber'?

    Don't take me wrong, but I can't even start to think of your code as being a serious attempt at anything other than 'l33t' hacker-dom.

    For one, you should have at least refrained from reinventing the wheel and use these excellent modules already written eons ago and thoroughly tested by multitude current and past users:
    • HTML::Template
    • CGI
    At least this would have given me the impression that you have some knowledge of decent Perl tools and therefore is not a rookie.

    UPDATE: Oops, pardon my mentioning of 'work of a 13-year old ...'. as particle kindly pointed out, this wasn't entirely appropriate. (Besides, I too started out programming at a very young age; I'm also sure there are some brilliant young coders out there who I personally know and appreciate their efforts)

    UPDATE 1: In reply to UberDragon13's responce.. Sorry, I didn't mean to offend you. Certainly, I'll be more than willing to help with whatever questions you might have. I think proper place for your code would rather be in the discussion forums. By posting your code here, I assumed you were willing to expose it to fair criticism. Also, again, the language you've used in your comments etc. wasn't particularly mature. However, this is a mute point anyways ;).
    "There is no system but GNU, and Linux is one of its kernels." -- Confession of Faith
[reply]
      Well, you certainly have pegged me.
      I am definately a rookie, but eager to learn. This is only my second perl/cgi program. I do not know all of the modules available or even how to use them.. But I am learning through trial and error and that is why I decided to post my lame code here.

      To get input, opinions and suggestions to better ways. If you can show me ways to improve this particular program to excellent perl code. I will learn from it and be able to apply this knowledge to my next attempt. Thanks

      (btw) Uber is a german word meaning super

      ~UberDragon13
[reply]

        Hello, just a few suggestions to help you improve upon this code:

        • use CGI or die; - A few reasons why you should use the CGI.pm module instead of rolling your own.
        • Using strict.pm will save you a lot of time down the road.
        • As I pointed out earlier, make sure to read up on security. If you only remember one thing, make sure it's Don't Trust User Input.
        • Add the -w flag (or use warnings;) to enable warnings. They'll help you catch silly mistakes and reduce your debugging time.

        For added points, remove the "Do not edit without permission." statement. If you're posting code to get advice on how to improve it, the least you can do is allow others to use and modify it.

        Other minor annoyances:

        • The title - "UberSecure" this script isn't. Not by any stretch of the imagination. When you're learning and unsure of a script's quality, better to stick with a different title.
        • Version number - I'm curious where "Version 1.5.2" came from. This number shouldn't just be picked out of the air, it should be representative of the stability of the code. Read the Software Release Practice HOWTO for more details on good release practices.

        Hope this helps and best of luck with your future postings :).

[reply]
[d/l]

Back to Craft