I am using the following code to validate a user:
$valid_user = '0';
$ref_file = "$path{'data'}/users.txt";
open (DAT, "$ref_file");
flock(DAT,2);
while (<DAT> ) {
chomp;
(@temp_user) = split /::/;
$salt = substr($INPUT{'password'}, 0, 2);
$encrypted = crypt($INPUT{'password'},$salt);
if ($INPUT{'userid'} eq "$temp_user[0]" && $encrypted eq "$temp_user[1]") {
$valid_user = '1'; last;
}
}
close(DAT);
When I use the above code, as long as I have the password correct, I can append anything after the password and it will still be accepted. Is there something wrong with my logic above? For example: if my password is "johndoe", I can enter any of the following as a password and it will be accepted: "johndoe", "johndoe7", "johndoej;ajd;kjdfk", well, you get the idea.
Any insight will be greatly appreciated. Otherwise, I will just have to test against length of the input I guess :(
Thanks
$valid_user = '0';
$ref_file = "$path{'data'}/users.txt";
open (DAT, "$ref_file");
flock(DAT,2);
while (<DAT> ) {
chomp;
(@temp_user) = split /::/;
$salt = substr($INPUT{'password'}, 0, 2);
$encrypted = crypt($INPUT{'password'},$salt);
if ($INPUT{'userid'} eq "$temp_user[0]" && $encrypted eq "$temp_user[1]") {
$valid_user = '1'; last;
}
}
close(DAT);
When I use the above code, as long as I have the password correct, I can append anything after the password and it will still be accepted. Is there something wrong with my logic above? For example: if my password is "johndoe", I can enter any of the following as a password and it will be accepted: "johndoe", "johndoe7", "johndoej;ajd;kjdfk", well, you get the idea.
Any insight will be greatly appreciated. Otherwise, I will just have to test against length of the input I guess :(
Thanks
