
Products: DBMan SQL: Discussion: Re: [ltillner] upgrade from dbman to dbmansql 1: Edit Log

Here is the list of edits for this post
Re: [ltillner] upgrade from dbman to dbmansql 1
Modified sub signup (for the secure password lookup mod).

I noticed a few problems with the signup subroutine:

1. Emails were sent out with username & generated passwords, no matter what.

2. The previous mod didn't check for duplicate emails.

3. Logging in with username not on file logged you in without any permissions. The fix for that can be found by searching the forums for "login" (should be the first one that comes up). There are a couple of things to change in the auth.pl file.

Replace original sub signup routine with this:

sub signup {
# --------------------------------------------------------
# Allows a user to sign up without admin approval. Must have $auth_signup = 1
# set. The user gets @auth_signup_permissions. A random password is generated,
# stored crypt()ed, and mailed to the user only after the INSERT succeeds.
#
    my ($message, $query);

# Check to make sure userid is ok and the email looks like an address.
    unless ((length($in{'userid'}) >= 3) and (length($in{'userid'}) <= 20) and ($in{'userid'} =~ /^[a-zA-Z0-9]+$/)) {
        $message = "Invalid userid: $in{'userid'}. Must contain only letters and digits and be between 3 and 20 characters long.";
    }

    unless ($in{'email'} =~ /.+\@.+\..+/) {
        $message = "Invalid email address format: '$in{'email'}'.";
    }

    if ($message) {
        &html_signup_form($message);
        return;
    }

# Generate the password and crypt() it with a random two-character salt
# (the salt list has 64 entries, so rand 64 indexes all of it).
    $in{'pw'} = &generate_password;
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt = join '', @salt_chars[rand 64, rand 64];
    my $encrypted = crypt($in{'pw'}, $salt);

    my $username_q = $DBH->quote($in{'userid'});
    my $password_q = $DBH->quote($encrypted);
    my $email_q    = $DBH->quote($in{'email'});
    my $permission = join (",", @auth_signup_permissions);

# Refuse the signup if either the username or the email address is already taken.
    $query = qq!
        SELECT * FROM $db_table_user
        WHERE username = $username_q OR Email = $email_q
    !;
    my $sth = $DBH->prepare ($query) or &cgierr("Unable to query database. Reason: $DBI::errstr. Query: $query");
    $sth->execute or &cgierr("Unable to query database. Reason: $DBI::errstr. Query: $query");
    if ($sth->rows) {
        $message = "Username or email address already exists. Please try another.";
    }
    else {
        $query = qq!
            INSERT INTO $db_table_user (username, password, Email, per_view, per_add, per_del, per_mod, per_admin)
            VALUES ($username_q, $password_q, $email_q, $permission)
        !;
        if ($DBH->do ($query)) {
# Only mail the credentials once the row really exists.
            open (MAIL, "$mailprog") || &cgierr("Can't start mail program");
            print MAIL "To: $in{'email'}\n";
            print MAIL "From: $admin_email\n";
            print MAIL "Subject: $html_title Account Created\n\n";
            print MAIL "-" x 75 . "\n\n";
            print MAIL "Your account at $html_title has been created.\n\n";
            print MAIL "Your $html_title User ID is: $in{'userid'}\n";
            print MAIL "Your $html_title password is: $in{'pw'}\n\n";
            print MAIL "Please keep this email for future reference.\n\n";
            print MAIL "To log on, go to\n\n";
            print MAIL "$db_script_url?db=$db_setup\n";
            print MAIL "and enter your User ID and password.\n\n";
            print MAIL "Please contact $html_title support at: $admin_email\n";
            print MAIL "if you have any questions.\n\n";
            close (MAIL);
        }
        else {
            $message = "Username $in{'userid'} already exists. Please try another.";
        }
    }
    $sth->finish;

    $message ?
        &html_signup_form ($message) :
        &html_signup_success();
}


NOTE: I wasn't sure how to get it to work to show either username or e-mail address already exists, so at this time it displays this message:

"Username or email address already exists. Please try another."

There's probably something that can be done different with this:

SELECT * FROM $db_table_user
WHERE username = $username_q OR Email = $email_q
my $sth = $DBH->prepare ($query) or &cgierr("Unable to query database. Reason: $DBI::errstr. Query: $query");
$sth->execute or &cgierr("Unable to query database. Reason: $DBI::errstr. Query: $query");
if ($sth->rows) {
$message = "Username or email address already exists. Please try another.";
}

This seems to work for checking for duplicates for either username or email, so I guess as long as it's doing that, then no worries.

I still plan on working on the "change email", "change password", "private mailer" and "Validate Records" mods. Maybe eventually these mods can be added somewhere so it'll be easier to find the changes. Wink *hint hint*


DBMan SQL Version 1 mods available at:
http://dbmansqlmods.rainbowroomies.com
(Mods based on JPDeni's original mods.)
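The open question above (telling the user whether the username or the e-mail address was the duplicate) can be answered by fetching the matching rows and comparing each column, instead of only counting rows. The following is an added example, not code from the post or from DBMan SQL: it assumes DBD::SQLite and /dev/urandom are available, uses a constructed in-memory users table with hypothetical column names in place of $db_table_user, and supplies its own generate_password since the post's is not shown. It also puts UNIQUE constraints on both columns, so the database rejects a duplicate that slips in between the SELECT and the INSERT, and it hands the plaintext password back to the caller only after the INSERT has succeeded.

```perl
#!/usr/bin/perl
# Added example (not DBMan SQL code): a signup check that reports WHICH field
# collides, with the database enforcing uniqueness as well. Assumes DBD::SQLite
# and /dev/urandom; the `users` table is a constructed stand-in for
# $db_table_user with hypothetical column names.
use strict;
use warnings;
use DBI;

my $DBH = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1, PrintError => 0 });

# UNIQUE on both columns: if two signups race past the SELECT below,
# the second INSERT fails instead of creating a duplicate.
$DBH->do(q{
    CREATE TABLE users (
        username TEXT NOT NULL UNIQUE COLLATE NOCASE,
        password TEXT NOT NULL,
        Email    TEXT NOT NULL UNIQUE COLLATE NOCASE
    )
});

# Read $n bytes from the kernel RNG (perl's rand is not meant for secrets).
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "Cannot open /dev/urandom: $!";
    read($fh, my $buf, $n) == $n or die "Short read from /dev/urandom";
    close($fh);
    return $buf;
}

# 12-character alphanumeric password (stand-in for the post's &generate_password).
sub generate_password {
    my @chars = ('A' .. 'Z', 'a' .. 'z', 0 .. 9);
    return join '', map { $chars[$_ % @chars] } unpack('C*', random_bytes(12));
}

# Same 64-character salt alphabet as the post; 64 divides 256, so no modulo bias.
sub random_salt {
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    return join '', map { $salt_chars[$_ % 64] } unpack('C2', random_bytes(2));
}

# Returns a message naming the taken field(s), or undef if both are free.
sub duplicate_message {
    my ($dbh, $userid, $email) = @_;
    my $sth = $dbh->prepare(q{
        SELECT username, Email FROM users WHERE username = ? OR Email = ?
    });
    $sth->execute($userid, $email);      # placeholders instead of hand-quoting
    my ($user_taken, $email_taken) = (0, 0);
    while (my $row = $sth->fetchrow_hashref) {
        $user_taken  = 1 if lc($row->{username}) eq lc($userid);
        $email_taken = 1 if lc($row->{Email})    eq lc($email);
    }
    $sth->finish;
    return undef unless $user_taken || $email_taken;
    return join ' ',
        ($user_taken  ? "Username '$userid' already exists."            : ()),
        ($email_taken ? "Email address '$email' is already registered." : ()),
        "Please try another.";
}

# Validate, check duplicates, insert. Returns ($plaintext_pw, undef) on success
# or (undef, $message) on failure; the caller mails $plaintext_pw only on success.
sub register {
    my ($dbh, $userid, $email) = @_;
    return (undef, "Invalid userid: must be 3 to 20 letters or digits.")
        unless $userid =~ /^[a-zA-Z0-9]{3,20}$/;
    # Slightly stricter than the post's /.+\@.+\..+/: no whitespace, one '@'.
    return (undef, "Invalid email address format: '$email'.")
        unless $email =~ /^[^\@\s]+\@[^\@\s]+\.[^\@\s]+$/;
    if (my $msg = duplicate_message($dbh, $userid, $email)) {
        return (undef, $msg);
    }
    my $pw   = generate_password();
    my $hash = crypt($pw, random_salt());
    # A concurrent signup may have won the race; the UNIQUE constraint makes
    # the INSERT die here, which becomes the generic message.
    my $ok = eval {
        $dbh->do('INSERT INTO users (username, password, Email) VALUES (?, ?, ?)',
                 undef, $userid, $hash, $email);
        1;
    };
    return (undef, "Username or email address already exists. Please try another.")
        unless $ok;
    return ($pw, undef);
}

for my $attempt (['alice', 'alice@example.com'],    # created
                 ['ALICE', 'bob@example.com'],      # username taken (case-insensitive)
                 ['bob',   'Alice@Example.com'],    # email taken
                 ['alice', 'alice@example.com']) {  # both taken
    my ($pw, $err) = register($DBH, @$attempt);
    print $err ? "rejected $attempt->[0]: $err\n"
               : "created $attempt->[0]; mail password $pw\n";
}
```

Run it with perl and the four attempts print one success followed by three rejections that each name the colliding field. The two-character salt keeps the post's traditional crypt() scheme so the stored hashes stay compatible with DBMan SQL's login check; the point of the example is the per-field message, the placeholders in place of $DBH->quote, and the UNIQUE constraints that back up the SELECT.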

Last edited by:

shann123: Mar 2, 2004, 3:25 AM
