[PERL]Gunz Register Page 2010

  1. #1

    [PERL]Gunz Register Page 2010

    On my Perl endeavors, and out of boredom, I whipped up an example register page.
    It has basic checking, anti-sql, repetition check, and faulty character check.
    It only saves the info to a text file, as it is just an example.

    (lol: Don't fucking whine and cry about CGI being outdated, or if you don't know how to use it, google it.)

    Code:
    use strict;
    use warnings;
    use CGI;
    my $q = CGI->new;
    # HTML params (empty string if a field is missing)
    my $user     = $q->param("user")     // "";
    my $password = $q->param("password") // "";
    my $email    = $q->param("email")    // "";

    fieldChecking();

    sub fieldChecking {
        my $fullInfo = join "", $user, $password, $email;
        # Basic check: the input must contain at least one digit
        unless ($fullInfo =~ /[0-9]/) {
            fail("Get more secure pl0x.");
        }
        # Anti-SQL: reject input containing any of these keywords
        if ($fullInfo =~ /INSERT|DELETE|TABLE|SELECT|USER|PASSWORD|UPDATE|UNION/) {
            fail("No SQL plz.");
        }
        # Faulty character check on user and password only; the list
        # contains "." and "-", which are normal in e-mail addresses
        if (($user . $password) =~ m{[.()#!\]\[`'~=\-\\,/]}) {
            fail("no weird chars plz.");
        }
        existcheck();
    }
    sub existcheck {
        # Repetition check: open for reading (the file may not exist yet)
        if (open(my $accounts, "<", "accounts.txt")) {
            while (my $line = <$accounts>) {
                chomp $line;
                # Literal comparison, so the address is never run as a regex
                if ($line eq $email) {
                    close($accounts);
                    fail("OMG YOU ALREADY REGISTERED!");
                }
            }
            close($accounts);
        }
        writeit();
    }
    sub fail {
        my ($message) = @_;
        print $q->header("text/html"), $q->start_html("Uhm..."), $q->h1($message), $q->end_html();
        exit;
    }
    sub writeit {
        # ">>" appends; ">" would truncate the file on every registration
        open(my $accounts, ">>", "accounts.txt") or fail("Could not save registration.");
        print $accounts "\n", "$user\n", "$password\n", "$email\n";
        close($accounts);
        print $q->header("text/html"), $q->start_html("SUCCESS!"), $q->h1("SUCCESS!"), $q->end_html();
        exit;
    }
    Pastie link:
    http://pastie.org/983472


    [Mini-Tut] Linking with HTML
    Code:
    <HTML>
    <title>Example Register Page w/ CGI & Perl! by Vengeance</title>
    <body>
    <FORM ACTION="RegisterCGI.cgi" METHOD="POST">
    <div align="center">
    <p>
    <h2> Register Page </h2>
    Username: <INPUT TYPE="text" NAME="user" SIZE="12" MAXLENGTH="15"><br>
    Password: <INPUT TYPE="password" NAME="password" SIZE="12" MAXLENGTH="15"><br>
    Email: <INPUT TYPE="text" NAME="email" SIZE="12" MAXLENGTH="25"><br>
    </p>
    <HR>
    <INPUT TYPE="SUBMIT" VALUE="Submit!">
    <br><br>
    <h3>Register Page and Perl script coded by Vengeance!</h3>
    </div>
    </FORM>
    </body>
    </HTML>
    Last edited by Tyggo; 30-05-10 at 06:01 PM.


  2. #2
    Account Upgraded | Title Enabled! hotgame
    Join Date: Mar 2009
    Location: Canada
    Posts: 305

    Re: [PERL]Gunz Register Page 2010

    8/10 very nice.

  3. #3
    Enthusiast streamline
    Join Date: Apr 2010
    Location: Netherlands
    Posts: 40

    Re: [PERL]Gunz Register Page 2010

    Hm look nice.

    8/10 =]

  4. #4
    Account Upgraded | Title Enabled! corrado
    Join Date: Aug 2008
    Posts: 219

    Re: [PERL]Gunz Register Page 2010

    Gratz

  5. #5
    Animu Addicted Number12
    Join Date: Apr 2008
    Location: Old Sunny CA
    Posts: 1,264

    Re: [PERL]Gunz Register Page 2010

    Very nice. Is this the latest anti-sql?

  6. #6
    Member AllahAkbar
    Join Date: May 2010
    Location: in gunz
    Posts: 66

    Re: [PERL]Gunz Register Page 2010

    lol perl ? why perl

    we have php = best

    5/10

  7. #7
    Veni, Vidi, Vici Arcelor
    Join Date: Jan 2010
    Location: Delhi, India
    Posts: 1,763

    Re: [PERL]Gunz Register Page 2010

    Sorry lmfao. I fell asleep while reading that,
    Thanks but no thanks, there isn't a thanks button XD.

  8. #8
    Account Upgraded | Title Enabled! Guy
    Join Date: Apr 2009
    Posts: 919

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Tyggo
    On my Perl endeavors, and out of boredom, I whipped up an example register page.
    It has basic checking, anti-sql, repetition check, and faulty character check.
    It only saves the info to a text file, as it is just an example.

    (lol: Don't fucking whine and cry about CGI being outdated, or if you don't know how to use it, google it.)
    The anti-SQL injection function is a joke.

    If you're going to sanitize data, just escape the single colons, nothing more, nothing less.

    And why Perl? PHP is just as suited, and it's found in much more widespread use.

    And why sanitize for "bad characters"? Just sanitize for anything other than a-zA-Z0-9.

  9. #9

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Guy
    1. The anti-SQL injection function is a joke.

    2. If you're going to sanitize data, just escape the single colons, nothing more, nothing less.

    3. And why Perl? PHP is just as suited, and it's found in much more widespread use.

    4. And why sanitize for "bad characters"? Just sanitize for anything other than a-zA-Z0-9.
    1. k. woo. Get it Guy! You rock!
    2. k.
    3. Because I felt like it, who cares if it's more widespread?
    4. Because that's the way I did it.

  10. #10
    RestyleGamerZ FTW Mambo
    Join Date: Mar 2008
    Location: The Netherlands
    Posts: 821

    Re: [PERL]Gunz Register Page 2010

    With all respect, you are bad at HTML.

    You aren't using XHTML are you? And you are missing a lot of tags (like head).

  11. #11
    Account Upgraded | Title Enabled! Guy
    Join Date: Apr 2009
    Posts: 919

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Tyggo
    1. k. woo. Get it Guy! You rock!
    2. k.
    3. Because I felt like it, who cares if it's more widespread?
    4. Because that's the way I did it.
    1. You're supposed to just escape single quotes, what you do could create problems:

    Code:
    unless($fullInfo=~m(qw!INSERT DELETE TABLE SELECT USER PASSWORD UPDATE UNION!)){
    Those are just some VERY basic SQL keywords, but there's plenty more I could use to cause damage; DROP, TRUNCATE, GRANT, REVOKE, CREATE, etc..

    2. k.

    3. Because there's no good reason to use Perl other than "I felt like it"; it's slower when used as a CGI module than PHP and less popular.

    4. There's no security-related reason to do so; just convert tags to its HTML entities and escape single quotes and you've taken care of XSS and SQL injection.

    5. Your provided page isn't compliant with any sort of standard (As pointed out already, XHTML or otherwise; no DTD is specified).

    Code:
    sub writeit($x,$y,$z){
        open (ACCOUNTS,">accounts.txt");#appending#
        print ACCOUNTS "\n","$user\n","$password\n","$email\n";
        close(ACCOUNTS);
        print $q->header("text/html"), $q->start_html("SUCCESS!"),$q->h1("SUCCESS!"),$q->end_html();
        die "WIN!";
    }
    6. What's the point in using a file list to handle registration? Flooding with file IO requests would be easy since you don't have any CAPTCHA either, for one. For two, now the administrator must process this file list when adding users to the database, which you could do directly using Perl.


    You don't even touch the database and you call this a registration script? lmao, why even check for SQL injection attempts?

  12. #12

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Guy
    1. You're supposed to just escape single quotes, what you do could create problems:

    Code:
    unless($fullInfo=~m(qw!INSERT DELETE TABLE SELECT USER PASSWORD UPDATE UNION!)){
    Those are just some VERY basic SQL keywords, but there's plenty more I could use to cause damage; DROP, TRUNCATE, GRANT, REVOKE, CREATE, etc..

    2. k.

    3. Because there's no good reason to use Perl other than "I felt like it"; it's slower when used as a CGI module than PHP and less popular.

    4. There's no security-related reason to do so; just convert tags to its HTML entities and escape single quotes and you've taken care of XSS and SQL injection.

    5. Your provided page isn't compliant with any sort of standard (As pointed out already, XHTML or otherwise; no DTD is specified).

    Code:
    sub writeit($x,$y,$z){
        open (ACCOUNTS,">accounts.txt");#appending#
        print ACCOUNTS "\n","$user\n","$password\n","$email\n";
        close(ACCOUNTS);
        print $q->header("text/html"), $q->start_html("SUCCESS!"),$q->h1("SUCCESS!"),$q->end_html();
        die "WIN!";
    }
    6. What's the point in using a file list to handle registration? Flooding with file IO requests would be easy since you don't have any CAPTCHA either, for one. For two, now the administrator must process this file list when adding users to the database, which you could do directly using Perl.


    You don't even touch the database and you call this a registration script? lmao, why even check for SQL injection attempts?
    I said in my first post I didn't use SQL because it was an example of how to use CGI. xD

    If you want, use the DBI module, you could use Net::MySQL, but DBI is a database independent module, its functions work for any database, which is pretty cool.

    And the point of using a file is to save registration info, duh, Guy, you know this!

    I suppose thanks for the SQL advice, but I mean, all you'd have to add was a single quote in the bad character list. (Added in the main post)

  13. #13
    Veni, Vidi, Vici Arcelor
    Join Date: Jan 2010
    Location: Delhi, India
    Posts: 1,763

    Re: [PERL]Gunz Register Page 2010

    Posted via Mobile Device

  14. #14
    Awaken the Devil inside! DeathniteR
    Join Date: Mar 2008
    Location: The Netherlands
    Posts: 380

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Arcelor
    Posted via Mobile Device
    imba post :S fix ur mobile?

    anyways good job something new for a change.
    not very good at this more into php ;)

  15. #15
    Account Upgraded | Title Enabled! Guy
    Join Date: Apr 2009
    Posts: 919

    Re: [PERL]Gunz Register Page 2010

    Quote: Originally Posted by Tyggo
    I said in my first post I didn't use SQL because it was an example of how to use CGI. xD

    If you want, use the DBI module, you could use Net::MySQL, but DBI is a database independent module, its functions work for any database, which is pretty cool.

    And the point of using a file is to save registration info, duh, Guy, you know this!

    I suppose thanks for the SQL advice, but I mean, all you'd have to add was a single quote in the bad character list. (Added in the main post)
    SQL and CGI are two entirely different modules which you can use side-by-side, so why would you limit yourself to just one?

    Why use a file when you could just enter the registration data directly into the Gunz database?

    My point was, you're doing some unnecessary stuff; why filter words which, on their own, do no harm? Just escape single quotes and you're fine.

    Escaping for MSSQL, by default, is by using another single quote (' = ''; that's two single quotes, not a double quote that it gets turned into). For MySQL, it's by using a backslash. For Oracle, there's technically no default, but you can just use the ESCAPE keyword and specify a character to escape with.

    But, yet again, why escape anything if you're just going to drop it into a text file?
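
Added example, not part of the thread or of any poster's code: the registration insert the last posts argue about, done with DBI placeholders (the module named in post #12) and compared with a keyword filter in the style of the first post. It assumes DBD::SQLite is installed and uses a hypothetical in-memory `accounts` table; the sample inputs are constructed, and password handling is left out.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed. The in-memory database, table and
# column names are hypothetical stand-ins for a real account database.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE accounts (username TEXT NOT NULL, email TEXT NOT NULL UNIQUE)");

# Keyword filter in the style of the first post, kept for comparison.
sub keyword_filter_rejects {
    my ($text) = @_;
    return $text =~ /INSERT|DELETE|TABLE|SELECT|USER|PASSWORD|UPDATE|UNION/ ? 1 : 0;
}

# Placeholders send the values separately from the SQL text, so quotes and
# keywords inside them are stored as data and no escaping rule is needed.
sub register {
    my ($username, $email) = @_;
    my ($taken) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM accounts WHERE email = ?", undef, $email);
    return "already registered" if $taken;
    $dbh->do("INSERT INTO accounts (username, email) VALUES (?, ?)",
             undef, $username, $email);
    return "ok";
}

# Constructed sample input: [username, email].
my @samples = (
    [ "UNION_Jack7",  'jack@example.com'   ],  # harmless, but holds a keyword
    [ "O'Brien9",     'obrien@example.com' ],  # harmless, holds a single quote
    [ "a' OR 'a'='a", 'quote@example.com'  ],  # quote-breaking text, no listed keyword
    [ "Jack_Again1",  'jack@example.com'   ],  # repeated e-mail address
);

for my $sample (@samples) {
    my ($username, $email) = @$sample;
    printf "%-16s filter rejects: %d  placeholder insert: %s\n",
        $username, keyword_filter_rejects($username), register($username, $email);
}

# Every accepted value comes back exactly as it was typed.
my $rows = $dbh->selectall_arrayref("SELECT username, email FROM accounts ORDER BY rowid");
printf "stored: %-16s %s\n", @$_ for @$rows;
$dbh->disconnect;
```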


