Problem login script

zak100
User

Oct 28, 2013, 10:04 AM

Post #1 of 2 (702 views)
Problem login script

Hi,
I have written the following Perl code:

Code
#!C:/Perl64/bin/perl.exe
use DBI;
use CGI;

$cgi = new CGI;

## Create table using cgi
$dbh = DBI->connect("dbi:mysql:TestDB", 'root', 'zulfi12345') or die "Unable to connect: $DBI::errstr\n";

$username = $cgi->param('username') || '';
$password = $cgi->param('password') || '';
$submit   = $cgi->param('submit')   || '';

$sth = $dbh->prepare("SELECT username, password FROM users WHERE username =$username and password=$password");
$sth->execute();
$found = 0;
while ($row = $sth->fetchrow_hashref) {
    $found = 1;
}
if ($found == 1) {
    print "Welcome";
}

It's giving me the following error:

Quote
D:\Zulfi\PERL MAIN FOLDER>perl login.pl
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and password=' at line 1 at login.pl line 15.
DBD::mysql::st fetchrow_hashref failed: fetch() without execute() at login.pl line 17.


Somebody please help me in this regard.

Zulfi.

Zhris
Enthusiast

Oct 29, 2013, 10:49 AM

Post #2 of 2 (662 views)
Re: [zak100] Problem login script [In reply to]

Hey,

Never interpolate variables, especially those that have come from an untrusted source, directly in an SQL statement. You have opened yourself up to SQL injection attacks. I haven't tested, but I believe the error is down to not having quotes around the values. Here is an improvement:


Code
$sth = $dbh->prepare("SELECT username, password FROM users WHERE username = ? and password = ?");
$sth->execute($username, $password);


Chris


(This post was edited by Zhris on Oct 29, 2013, 10:52 AM)
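The following script is an added example and is not code from either post. It puts the three forms of the query side by side: the original unquoted interpolation, interpolation with hand-added quotes, and the placeholder version from the reply. It assumes DBD::SQLite is installed and uses an in-memory table in place of the MySQL "users" table; the sample rows are constructed, and the plaintext password comparison from the post is kept unchanged so the three variants stay comparable. The first test case uses empty strings, which is what the CGI params hold when login.pl is run from the shell, and reproduces the "near 'and password='" syntax error from the question.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Added example, not the poster's code. Assumes DBD::SQLite is installed; an
# in-memory SQLite table stands in for the MySQL "users" table in the post.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (username TEXT, password TEXT)");
# Constructed sample rows; the second username contains an apostrophe.
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, 'alice',   'secret1');
$dbh->do("INSERT INTO users VALUES (?, ?)", undef, "o'brien", 'secret2');

# Runs one statement and reports the match count or the DBI error text,
# so each variant can be compared without the script dying.
sub run_query {
    my ($sql, @bind) = @_;
    my $rows = eval { $dbh->selectall_arrayref($sql, undef, @bind) };
    return $@ ? "ERROR: " . (split /\n/, $@)[0] : scalar(@$rows) . " row(s)";
}

# 1. The post's statement: values dropped into the SQL text without quotes.
sub login_unquoted {
    my ($user, $pass) = @_;
    return run_query("SELECT username FROM users WHERE username = $user AND password = $pass");
}

# 2. Quotes added by hand: works for plain input, but breaks (or is
#    reinterpreted) as soon as the input itself contains a quote character.
sub login_quoted {
    my ($user, $pass) = @_;
    return run_query("SELECT username FROM users WHERE username = '$user' AND password = '$pass'");
}

# 3. The reply's fix: placeholders, values bound at execute time. The driver
#    never treats the bound values as SQL, whatever characters they contain.
sub login_bound {
    my ($user, $pass) = @_;
    return run_query("SELECT username FROM users WHERE username = ? AND password = ?", $user, $pass);
}

my @cases = (
    [ '',        ''        ],   # empty CGI params, as when login.pl is run from the shell
    [ 'alice',   'secret1' ],   # ordinary credentials
    [ "o'brien", 'secret2' ],   # a legitimate value containing an apostrophe
);
for my $c (@cases) {
    printf "input (%s, %s)\n", @$c;
    printf "  unquoted: %s\n", login_unquoted(@$c);
    printf "  quoted:   %s\n", login_quoted(@$c);
    printf "  bound:    %s\n", login_bound(@$c);
}
```

Only the bound form returns a row for every legitimate input and an error for none of them; the unquoted form fails on every input, and the quoted form fails the moment a value contains an apostrophe, which is the same class of parsing problem that an attacker exploits. Binding with placeholders also removes the need to escape values by hand, so the fix in the reply is both the correctness fix and the injection fix.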
