Re: pass values to another script
> Hi all.
>
> This is what I've done:
> - I've created a table which allows to manage "sessions" (see code below).
> - The script which validates users creates a "session_id". I pass this token as a
>   hidden field to scripts in order to validate user's data every time.
> This works like this: Users enter their ID and password, and the page calls the
> script which checks user data and creates a session ID. Once the user has been
> checked against the database, the work page is displayed. Each action the user
> takes calls a cgi script with the session ID field as a hidden value. Scripts use
> the session_ID field to retrieve user's data from the database and perform
> whichever action the user asked for.
>
> Here is part of the code:
>
> *Read parameters*
> # read the form parameters
> foreach ($cgi->param()) {
>     $cgi->param($_,uc($cgi->param($_)));
> }
>
> $legajo = $cgi->param('legajo');
> $password = $cgi->param('password');
>
> *- Check user data*
> ## connect to the database --
>
> my $dbh = DBI->connect("dbi:$driver:dbname=$base_datos",$usuario,$clave)
>     || die "no se puede abrir la base: $base_datos $DBI::errstr\n";
>
> # query user data; the placeholder keeps $legajo out of the SQL text
> my $sth=$dbh->prepare("SELECT * FROM usuarios WHERE legajo=?");
>
> $sth->execute($legajo);
>
> my $existe=$sth->rows();
>
> # extract the data
> if ($existe)
> {
>     @usuariosis = $sth->fetchrow_array();
> } else
> {
>     print $cgi->header('text/html');
>     print $cgi->start_html();
>     print $cgi->h1("Error en usuario");
>     print "Volver";
>     exit;
> }
> $sth->finish();
>
> $grupo = $usuariosis[3];
> $codigo = ($resguardos{$legajo}?$_:"770");
> $tiporesg = $tipores{$codigo};
>
> $_ = $usuariosis[6];
> s/ //g;
> $usuariosis[6]=$_;
>
> if (crypt($password, $usuariosis[6]) ne $usuariosis[6]){
>     print $cgi->header('text/html');
>     print $cgi->start_html();
>     print $cgi->h1("Error en clave");
>     print "Volver";
>     exit;
> }
> else {
>     $session = generar_id();
>
>     # This inserts a record into the "conexion" table for session tracking;
>     # the values are bound through placeholders
>     $dbh->do("insert into conexion values (?, ?, ?, ?, ?, ?, ?, ?)", undef,
>              $legajo, '', $fecha, $horaacceso, $grupo, $codigo, $tiporesg, $session);
>
>     # Generate the work page
>
>     print $cgi->header (-type=>"text/html",
>                         -target=>"abajo");
>     print $cgi->frameset({-border=>'1', -frameSpacing=>'1',
>                           -cols=>'200,*', -frameBorder=>'1'},
>         # This calls the main work page
>         $cgi->frame({-name=>'iab',-src=>'trabajo.plx?sesion='.$session}),
>         $cgi->frame({-name=>'derecha',-src=>'/blank.html'})
>     );
>
> }
>
> $cgi->end_html;
> $dbh->disconnect();
>
> *This sub generates the session ID*
> sub generar_id{
>     return sprintf("%08.8x",rand()*0x);
> }
>
> I hope this helps.
> I am new to perl so check the code for security issues.
>
> Pablo A. Castrillo
>

Reposting in plain text format.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
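An added example, not part of Pablo's post or of the thread: the posted generar_id builds a short token from rand(), which is not a cryptographic generator, so this sketch draws 128 bits from the operating system instead and checks tokens against a server-side record with an idle timeout. The %sessions hash stands in for the "conexion" table; new_session, check_session, the 900-second limit and the availability of /dev/urandom are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $IDLE_LIMIT = 900;   # assumed idle timeout in seconds
my %sessions;           # stand-in for the "conexion" table

# 128 random bits from the kernel CSPRNG, hex-encoded (32 characters).
sub generar_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "no random source: $!";
    my $got = read($fh, my $buf, 16);
    close($fh);
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $buf);
}

# Create the server-side record once the password check has succeeded.
sub new_session {
    my ($legajo, $now) = @_;
    my $id = generar_id();
    $sessions{$id} = { legajo => $legajo, last_seen => $now };
    return $id;
}

# Map a token received from the browser back to a user, or undef.
sub check_session {
    my ($id, $now) = @_;
    return undef unless defined $id && $id =~ /\A[0-9a-f]{32}\z/;  # malformed
    my $s = $sessions{$id} or return undef;                         # unknown token
    if ($now - $s->{last_seen} > $IDLE_LIMIT) {                     # expired: drop it
        delete $sessions{$id};
        return undef;
    }
    $s->{last_seen} = $now;
    return $s->{legajo};
}

# Constructed walk-through.
my $t0  = time();
my $sid = new_session('1234', $t0);
print "token:   $sid\n";
print "valid:   ", (check_session($sid, $t0 + 60)       // 'rejected'), "\n";
print "unknown: ", (check_session('0' x 32, $t0 + 60)   // 'rejected'), "\n";
print "expired: ", (check_session($sid, $t0 + 60 + 901) // 'rejected'), "\n";
```

The token carries no user data; everything the scripts need is looked up server-side from the record it points to.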
Re: pass values to another script
Secure?? Have you guys been paying attention to the Matt's Script Archive discussion?

You can pass along parameters between pages either in the URL or as hidden fields, but NEITHER IS REALLY SECURE!! The hidden fields only stymie the newbies. :-) Anyone could just save the form to their hard drive, modify the hidden field values there, and submit that version. If the server script thinks it need only check the referer variable to get around this, the hacker can submit their modified page with their own client, setting the referer field to whatever they want.

True, it's nicer not seeing them in the URL, but it's not that much more secure.

I recommend Chapter 8 of O'Reilly's "CGI Programming with Perl" for a thorough discussion of CGI security issues.

- John

--- David vd Geer Inhuur tbv IPlib <[EMAIL PROTECTED]> wrote:
>
> Hi Sven,
>
> Sorry, I thought you knew that one.
>
> But how to proceed if you don't want those
> ugly/insecure params in your location bar ?
>
> ... snip ...
>
> ... snip ...

=
"When you're following an angel, does it mean you have to throw your body off a building?" - They Might Be Giants, http://www.tmbg.com
Word of the week: Serendipity, see http://www.bartleby.com/61/93/S0279300.html
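An added example, not part of John's message or of the thread: if values must travel through the browser as hidden fields, the server can attach a keyed MAC when it renders the form and refuse any submission whose values no longer match it. The field names hide1 and hide2 come from the script quoted in this thread; the secret, the sample values and the helper names are assumptions, and Digest::SHA is a core module from Perl 5.10 on.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret that is never sent to the browser.
# Constructed value for this demo only.
my $SECRET = 'constructed-demo-key-do-not-reuse';

# Serialise name/value pairs in a fixed order, length-prefixing each value so
# that two different sets of values cannot produce the same string.
sub canonical {
    my (%f) = @_;
    return join '&', map { "$_=" . length($f{$_}) . ":$f{$_}" } sort keys %f;
}

sub sign_fields { return hmac_sha256_hex(canonical(@_), $SECRET) }

# Compare two strings without stopping at the first differing byte.
sub equal_ct {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# True only if the MAC sent back with the form matches the submitted values.
sub verify_fields {
    my ($mac, %f) = @_;
    return 0 unless defined $mac && $mac =~ /\A[0-9a-f]{64}\z/;
    return equal_ct($mac, sign_fields(%f));
}

# Constructed walk-through: the form is rendered with hide1, hide2 and a MAC.
my %sent = (hide1 => 'reports', hide2 => 'readonly');
my $mac  = sign_fields(%sent);

# The same form after one hidden value was changed on the client side.
my %changed = (%sent, hide2 => 'admin');

print "untouched form: ", (verify_fields($mac, %sent)    ? "accepted" : "rejected"), "\n";
print "changed form:   ", (verify_fields($mac, %changed) ? "accepted" : "rejected"), "\n";
```

A MAC only detects modification: the values stay readable in the page source, and a previously valid form can be resubmitted unless the signed data also includes something that expires, such as a session ID or timestamp.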
RE: pass values to another script
> Hi Sven,
>
> Sorry, I thought you knew that one.
>
> But how to proceed if you don't want those ugly/insecure
> params in your location bar ?

Use a form and an input type="image"

HTH,
-dave
Re: pass values to another script
Hi Sven,

Sorry, I thought you knew that one.

But how to proceed if you don't want those ugly/insecure params in your location bar ?

Regs David

> Ok, I found out how to pass a few arguments to the other script:
>
> href="collectformdata.cgi?action=fetch&f_name=$f_name&f_surname=$f_surname"
>
> Update>
> The only problem I have left is that the variables are not passed on.
> Once I put names in there, it works just fine, but I do need those
> variables to work.
> If I would get any tips on this I'd really appreciate it
>
> Sven
> On Tuesday, May 14, 2002, at 04:36 PM, David vd Geer Inhuur tbv IPlib
> wrote:
>
> > Hi All,
> >
> > I am currently having the same problems as Sven. I tried to get some
> > info on it as well, but it seems a difficult one.
> > I have made a simple example to explain it a little :
> >
> > HTML-CODE:
> > ---
> >
> > please enter your First name name=userid>
> > Please enter your Last name name=pw>
> > Please try this one
> >
> > --
> >
> > Perl-script:
> > ---
> > #!/user/cadiclab/bin/perl
> >
> > use CGI qw(:standard);
> >
> > $first = param('userid');
> > $last = param('pw');
> > $hide1 = param('hide1');
> > $hide2 = param('hide2');
> >
> > print header,
> >       start_html(-BGCOLOR=>"#99"),
> >       start_form;
> >
> > print "Hallo userid: $first with password: $last ";
> > print "Hidden fields are; Field1: $hide1 Field2: $hide2 ";
> >
> > print end_form,
> >       hr;
> > --
> >
> > Once I hit the submit button the cgi-script does it all for me.
> > He tells me who I am and he prints the hidden fields.
> >
> > Once I hit the the params are not read within my cgi-script ?
> > Not the input type=text and not the input type=hidden.
> >
> > Is there a way to get this working ?
> >
> > Any other solutions to a more secure way of solving this are welcome
> > too !
> >
> > P.S.: I need the links to browse through directories and do stuff with
> > it.
> > A submit button instead of a does not look very fancy :)
> >
> > Best Regards,
> >
> > David van der Geer
> >
> >> Hi!
> >>
> >> I am using one script to secure the members area and offer several
> >> search functions for a mysql database. Another script offers the
> >> possibility to update data in this database. Both scripts require the
> >> user to enter name, lastname and password.
> >> Now I want to enable the user to get straight to the update function
> >> without having to enter name, lastname and password (he already entered
> >> one time) again.
> >>
> >> How can I pass those already collected values on to another script
> >> using a link (a href)?
> >> Or how can I do that at all?
> >>
> >> Thanks for your help,
> >>
> >> Sven
Re: pass values to another script
David vd Geer Inhuur tbv IPlib wrote:
> #!/user/cadiclab/bin/perl
>
> use CGI qw(:standard);
>
> $first = param('userid');
> $last = param('pw');
> $hide1 = param('hide1');
> $hide2 = param('hide2');
>
> print header,
>       start_html(-BGCOLOR=>"#99"),
>       start_form;
>
> print "Hallo userid: $first with password: $last ";
> print "Hidden fields are; Field1: $hide1 Field2: $hide2 ";

this is dangerous! you are taking user input and printing it directly to the browser without any html escaping!
please read this: http://www.perl.com/pub/a/2002/02/20/css.html

as for your question - have you tried using .htaccess?
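An added example, not part of the reply above or of the thread: the same interpolation style as the quoted script beside a version that escapes each value where it enters the markup, both as element text and inside a quoted attribute. Re-emitting hide1 as a hidden input, the helper names and the sample inputs are assumptions; the escaper is written out so the block runs on core Perl alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that can change HTML structure in element text
# or inside a quoted attribute value.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub esc_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Same interpolation style as the quoted script: values go into the page unchanged.
sub page_raw {
    my ($first, $hide1) = @_;
    return "Hallo userid: $first\n"
         . "<input type=\"hidden\" name=\"hide1\" value=\"$hide1\">\n";
}

# Hardened: every value is escaped at the point where it enters the markup.
sub page_escaped {
    my ($first, $hide1) = @_;
    return "Hallo userid: " . esc_html($first) . "\n"
         . '<input type="hidden" name="hide1" value="' . esc_html($hide1) . "\">\n";
}

# Constructed inputs containing markup characters.
my ($first, $hide1) = ('<b>Sven</b>', 'docs/"2002" & <old>');
print "--- unescaped ---\n", page_raw($first, $hide1);
print "--- escaped ---\n",   page_escaped($first, $hide1);
```

In the unescaped output the browser would treat the name as bold markup and the first double quote in hide1 would end the attribute early; CGI.pm, which the quoted script already loads, provides escapeHTML for the same job.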
Re: pass values to another script
Ok, I found out how to pass a few arguments to the other script:

Update

The only problem I have left is that the variables are not passed on. Once I put names in there, it works just fine, but I do need those variables to work.
If I would get any tips on this I'd really appreciate it

Sven

On Tuesday, May 14, 2002, at 04:36 PM, David vd Geer Inhuur tbv IPlib wrote:
>
> Hi All,
>
> I am currently having the same problems as Sven. I tried to get some
> info on it as well, but it seems a difficult one.
> I have made a simple example to explain it a little :
>
> HTML-CODE:
> ---
>
> please enter your First name name=userid>
> Please enter your Last name name=pw>
> Please try this one
>
> --
>
> Perl-script:
> ---
> #!/user/cadiclab/bin/perl
>
> use CGI qw(:standard);
>
> $first = param('userid');
> $last = param('pw');
> $hide1 = param('hide1');
> $hide2 = param('hide2');
>
> print header,
>       start_html(-BGCOLOR=>"#99"),
>       start_form;
>
> print "Hallo userid: $first with password: $last ";
> print "Hidden fields are; Field1: $hide1 Field2: $hide2 ";
>
> print end_form,
>       hr;
> --
>
> Once I hit the submit button the cgi-script does it all for me.
> He tells me who I am and he prints the hidden fields.
>
> Once I hit the the params are not read within my cgi-script ?
> Not the input type=text and not the input type=hidden.
>
> Is there a way to get this working ?
>
> Any other solutions to a more secure way of solving this are welcome
> too !
>
> P.S.: I need the links to browse through directories and do stuff with
> it.
> A submit button instead of a does not look very fancy :)
>
> Best Regards,
>
> David van der Geer
>
>> Hi!
>>
>> I am using one script to secure the members area and offer several
>> search functions for a mysql database. Another script offers the
>> possibility to update data in this database. Both scripts require the
>> user to enter name, lastname and password.
>> Now I want to enable the user to get straight to the update function
>> without having to enter name, lastname and password (he already entered
>> one time) again.
>>
>> How can I pass those already collected values on to another script
>> using a link (a href)?
>> Or how can I do that at all?
>>
>> Thanks for your help,
>>
>> Sven