Hello,
I tried to secure the modify process using a password system.
What I did is:
- Add a password field in db
- Modify modify.cgi
....
sub process_form {
    ......
    # Make sure we have a link to modify and a password to check.
    # Either one missing is a failure ("or", not "and"); otherwise an empty
    # password would be compared against the stored field below.
    (!$in{'Current URL'} or !$in{'Password'}) and &site_html_modify_failure ("did not specify link to modify") and return;
    # Let's check to make sure the link we want to update is actually
    # in the database.
    open (DB, "<$db_file_name") or &cgierr("error in validate_records. unable to open db file: $db_file_name. Reason: $!");
    $found = 0;
    LINE: while (<DB>) {
        (/^#/) and next LINE;
        (/^\s*$/) and next LINE;
        chomp;
        @data = &split_decode($_);
        # The whole condition needs its own parentheses to compile.
        if (($data[$db_url] eq $in{'Current URL'}) and ($data[$db_password] eq $in{'Password'})) {
            $in{$db_key} = $data[0];
            $found = 1;
            %original = &array_to_hash (0, @data);
            last LINE;
        }
    }
    close DB;
    !$found and &site_html_modify_failure ("link was not found or password is not correct") and return;
    .......
This will work. However, I have some other problems with this method.
- The modify process still needs to be validated by the admin. I think this process can be omitted, as the user's password has already been checked.
- The password is still in clear text in the db (this is a minor problem)
Anyone got any comments on these?
Thanks,
Asterisk
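
The clear-text password field mentioned in the post can hold a salted PBKDF2 hash instead. The code below is an added example, not part of the original post or of the script's own code; the sub names, the `pbkdf2$iterations$salt$hash` field layout, the iteration count, the sample password and the use of /dev/urandom are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);   # core module; argument order is (data, key)

my $ITERATIONS = 100_000;          # assumed work factor, tune for the server

# PBKDF2-HMAC-SHA256 producing a single 32-byte block (RFC 8018).
sub pbkdf2_sha256 {
    my ($password, $salt, $iter) = @_;
    my $u = hmac_sha256($salt . pack('N', 1), $password);   # U1
    my $t = $u;
    for (2 .. $iter) {
        $u = hmac_sha256($u, $password);                    # U2 .. Uiter
        $t = $t ^ $u;                                       # byte-wise string XOR
    }
    return $t;
}

# Build the value to store in the password field instead of the clear text.
sub make_password_field {
    my ($password) = @_;
    open(my $rnd, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($rnd, my $salt, 16) == 16 or die "short read from /dev/urandom";
    close $rnd;
    my $hash = pbkdf2_sha256($password, $salt, $ITERATIONS);
    return join '$', 'pbkdf2', $ITERATIONS, unpack('H*', $salt), unpack('H*', $hash);
}

# Compare without returning at the first differing character.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# True only for a well-formed stored field whose hash matches the submission.
sub check_password {
    my ($stored, $submitted) = @_;
    my ($tag, $iter, $salt_hex, $hash_hex) = split /\$/, ($stored // '');
    return 0 unless defined $hash_hex and $tag eq 'pbkdf2'
        and $iter =~ /^\d+$/ and $salt_hex =~ /^[0-9a-f]+$/;
    my $got = pbkdf2_sha256(($submitted // ''), pack('H*', $salt_hex), $iter);
    return constant_time_eq(unpack('H*', $got), lc $hash_hex);
}

my $field = make_password_field('s3cret-example');          # constructed sample
print "stored field: $field\n";
print "$_->[0]: ", (check_password($_->[1], $_->[2]) ? 'accepted' : 'rejected'), "\n"
    for ['correct', $field, 's3cret-example'], ['wrong', $field, 'guess'], ['empty record', '', ''];
```

In the loop from the post, the comparison `$data[$db_password] eq $in{'Password'}` would become `check_password($data[$db_password], $in{'Password'})`, and a record with an empty or malformed password field is rejected rather than matched.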

