CGI/Perl Guide | Learning Center | Forums | Advertise | Login
Site Search: in

  Main Index MAIN
INDEX 		Search Posts SEARCH
POSTS 		Who's Online WHO'S
ONLINE 		Log in LOG
IN

Home: Perl Programming Help: Beginner:
Problem login script

 


zak100
User

Oct 28, 2013, 10:04 AM

Post #1 of 2 (713 views)
Problem login script Can't Post
Hi,
I have written following perl code:
Code
#!C:/Perl64/bin/perl.exe 
use DBI; 
use CGI; 
 
$cgi = new CGI; 
 
##Create table using cgi 
$dbh = DBI->connect("dbi:mysql:TestDB", 'root','zulfi12345') or die "Unable to connect: $DBI::errstr\n"; 
 
$username = $cgi->param( 'username' ) || ''; 
$password = $cgi->param ('password') || ''; 
$submit = $cgi->param( 'submit' ) || ''; 
 
$sth = $dbh->prepare("SELECT username, password FROM users WHERE username =$username and password=$password"); 
$sth->execute(); 
$found=0; 
while($row = $sth->fetchrow_hashref) { 
$found=1; 
} 
if ($found==1){ 
print "Welcome";}
Its giving me following error:
Quote
D:\Zulfi\PERL MAIN FOLDER>perl login.pl
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the m
anual that corresponds to your MySQL server version for the right syntax to use
near 'and password=' at line 1 at login.pl line 15.
DBD::mysql::st fetchrow_hashref failed: fetch() without execute() at login.pl li
ne 17.
Somebody plz help me in this regard.

Zulfi.
Quote


Zhris
Enthusiast

Oct 29, 2013, 10:49 AM

Post #2 of 2 (673 views)
Re: [zak100] Problem login script [In reply to] Can't Post
Hey,

Never interpolate variables, especially those that have come from an untrusted source, directly in an SQL statement. You have opened yourself up to SQL injection attacks. I haven't tested, but I believe the error is down to not having quotes around the values. Here is an improvement:

Code
$sth = $dbh->prepare("SELECT username, password FROM users WHERE username = ? and password = ?");  
$sth->execute($username, $password);
Chris


(This post was edited by Zhris on Oct 29, 2013, 10:52 AM)

 
 


Search for (options) Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives