Help with password protection


DJRobThaMan
11-06-2005, 06:57 PM
Hi,
So I'm trying to write something where the owner of a website can log in to a website that is inaccessible to anyone else and this site would allow easy site upkeep without any real knowledge of html. I'm pretty clueless as to how to do this with any real security.

I figure for the login page I can just have a perl script look in a MySQL database to match the username and password which should be ok security-wise. But how would I be able to have a page where the only way you can access it is that you typed in the correct username and password on this previous page, even if someone just randomly types in the address for that page?

I know this is probably pretty easy, but I'd appreciate any nudges in the right direction.

Thanks a lot

Scriptage
11-07-2005, 04:51 AM
The way to do this is to have perl print out a different page under different conditions, ie:

if($loggedin){
    if($updatepage){
        # connect to database, update page
        print "updated page";
    }else{
        # update page interface
    }
}else{
    # do login
}

As for handling the username and password then:

use strict;
use warnings;
use DBI;
use CGI qw(param header);

my $dsn = 'DBI:mysql:database:localhost';   # DBI:mysql:<database>:<host>
my $db_user_name = 'user';
my $db_password = 'pass';
my $dbh = DBI->connect($dsn, $db_user_name, $db_password, { RaiseError => 1 })
    or die "Cannot connect to database: $DBI::errstr";

# Returns 1 when the username/password pair matches a row in users, 0 otherwise.
sub authenticate{
    my ($username, $password) = @_;
    return 0 unless defined $username && defined $password;

    # try to prevent SQL Injection: allow only word characters and refuse
    # SQL keywords (the ? placeholder in the query below is what actually
    # keeps the input out of the SQL; this is an extra sanity check)
    if($username =~ /\W/ || $username =~ /select|insert|where|from/i){
        return 0;
    }

    if($password =~ /\W/ || $password =~ /select|insert|where|from/i){
        return 0;
    }

    # Prepare the query; execute() fills in the ? placeholder
    my $sth = $dbh->prepare(qq{
        SELECT password FROM users WHERE username = ?
    });
    $sth->execute($username); # execute the query

    my ($stored_password) = $sth->fetchrow_array();
    $sth->finish;

    # no such user
    if(!defined $stored_password || $stored_password eq ""){
        return 0;
    }

    return $password eq $stored_password ? 1 : 0;
}

print header();   # CGI output needs a Content-Type line before any body text

if(authenticate(param("username"), param("password"))){
    # do logged in stuff
}else{
    print "bad login";   # display bad login page
}


This is all really basic to what it should be but you should get the point. I don't know how secure mySQL databases are and whether you should encrypt the password or not.

If so then:

# When adding a username:

sub generate_salt{
    # two characters of salt for crypt(), each picked from the list at random
    my @list = ('a'..'z', 'A'..'Z', '0'..'9');
    return $list[int(rand(@list))] . $list[int(rand(@list))];
}

my $password = param("password");   # cleartext password from the signup form
my $encrypted_password = crypt($password, generate_salt());
# store $encrypted_password (not $password) in the users table

# Compare encryptions (at login time, $encrypted_password is the stored value)

if(crypt($password, substr($encrypted_password, 0, 2)) eq $encrypted_password){
    # Matches!
}else{
    # Doesn't match
}

I hope this points you in the right direction.

By the way, I am doing something similar for the company that I work for, I might be able to send you a copy once it is finished.

Regards

Carl
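Carl's reply covers checking the username and password, but not the second half of the original question: how the edit page itself can tell that the visitor came through the login page rather than typing its URL directly. The usual answer is a session token the login page sets in a cookie and every protected page verifies before printing anything. The following is an added example in Perl, not code from the thread or from Carl's project. The server secret, the in-memory %USERS hash (constructed here to stand in for the MySQL lookup, which would be the placeholder query from the post) and all function names are assumptions for the demonstration. It keeps the crypt() scheme from the post but draws the salt from the full crypt() alphabet, indexes the list within range, and lets crypt() read the salt back out of the stored hash. Note that once the SELECT uses a ? placeholder, it is the placeholder, not the keyword blacklist, that keeps the input out of the SQL.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. The login page authenticates the
# user and hands the browser a signed session token; every protected page
# checks that token before printing anything, so requesting the admin URL
# directly without a valid token only gets a redirect to the login page.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# --- password storage (crypt() as in the post, with a correct salt) ----------
# crypt() salts are drawn from ./0-9A-Za-z (64 characters).
my @SALT_CHARS = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

sub generate_salt {
    return join '', map { $SALT_CHARS[int rand @SALT_CHARS] } 1 .. 2;
}

# Traditional crypt() uses only the first 8 characters of the password;
# on glibc systems a salt of the form '$6$' . $salt selects SHA-512 crypt.
sub hash_password {
    my ($plain) = @_;
    return crypt($plain, generate_salt());
}

sub check_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $plain && defined $stored;
    # crypt() reads the salt out of the stored hash, so pass the hash itself
    return crypt($plain, $stored) eq $stored ? 1 : 0;
}

# --- session token: "username|expiry|HMAC-SHA256(username|expiry, secret)" ---
# Hypothetical server secret: in a real deployment read it from a file
# outside the web root and generate it with a CSPRNG; never hard-code it.
my $SECRET = 'replace-with-a-long-random-secret';
my $TTL    = 30 * 60;    # session lifetime in seconds

sub make_token {
    my ($user, $now) = @_;
    $now //= time;
    die "username must be word characters only\n" if $user =~ /\W/;  # keeps '|' out
    my $payload = "$user|" . ($now + $TTL);
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without revealing, through timing, where they first differ.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Returns the username if the token is genuine and unexpired, undef otherwise.
sub verify_token {
    my ($token, $now) = @_;
    $now //= time;
    return undef unless defined $token;
    my ($user, $expires, $mac) = split /\|/, $token, 3;
    return undef unless defined $mac && $user =~ /^\w+$/ && $expires =~ /^\d+$/;
    my $expected = hmac_sha256_hex("$user|$expires", $SECRET);
    return undef unless constant_time_eq($mac, $expected);   # forged or tampered
    return undef if $now > $expires;                          # stale session
    return $user;
}

# --- CGI glue ---------------------------------------------------------------
# Constructed stand-in for the users table; the real lookup is the placeholder
# query from the post (SELECT password FROM users WHERE username = ?).
my %USERS = ( douglas => hash_password('correct horse') );

# Login page: returns a token on success, undef on failure.
sub login {
    my ($user, $pass) = @_;
    return undef unless defined $user && defined $USERS{$user};
    return undef unless check_password($pass, $USERS{$user});
    return make_token($user);
}

# Header the login page sends with the token. HttpOnly keeps page scripts
# from reading it; add "; Secure" once the site is served over HTTPS.
sub session_cookie_header {
    my ($token) = @_;
    return "Set-Cookie: session=$token; Path=/; HttpOnly\r\n";
}

# Every protected page starts like this, before any HTML is printed.
sub protected_page {
    my ($cookie_value) = @_;
    my $user = verify_token($cookie_value);
    return "Status: 302 Found\r\nLocation: /cgi-bin/login.pl\r\n\r\n" unless defined $user;
    return "Content-Type: text/html\r\n\r\n<h1>Site editor, logged in as $user</h1>\n";
}

unless (caller) {   # self-check when run directly: perl session_demo.pl
    my $tok = login('douglas', 'correct horse') // die "login should succeed\n";
    die "verify failed\n"           unless (verify_token($tok) // '') eq 'douglas';
    die "wrong password accepted\n" if defined login('douglas', 'wrong');
    die "tampered token accepted\n" if defined verify_token($tok . '0');
    die "expired token accepted\n"  if defined verify_token($tok, time + $TTL + 1);
    print session_cookie_header($tok), protected_page($tok), "all checks passed\n";
}
```

In the real scripts, login.pl would call login() with the form fields, print session_cookie_header() followed by the normal header, and the edit page would read the session cookie (CGI.pm's cookie('session')) and hand it to protected_page(). The token carries no server state, so logging out means expiring the cookie in the browser; if you need to revoke sessions early, store the token (or a session id) in a table and check it there on each request.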

DJRobThaMan
11-08-2005, 02:55 PM
Thanks a bunch... This helped me out so much. So far I have the username and password working so I think I should be able to get the editable page thing I'm thinking about to work now.

Douglas