
how to use if condition in perl

I have written a program to check whether the username and password entered are members of a company or not.... I'm totally new to the Perl language... so please help me with what is wrong with the following program..
Thanks in advance...

    #!/usr/bin/perl - w

    use DBI;
    use strict;
    use CGI ':standard';

    my $name = param('name');
    my $password = param('password');
    my $dbh = DBI->connect('DBI:mysql:test','root','') or die "Can't connect:" . DBI->errstr();
    my $sth = $dbh -> prepare('select password from user where name = "$name"') or die "Can't prepare SQL: " . $dbh->errstr();
    $sth -> execute() or die "Can't execute SQL: " . $sth -> errstr();

    my($name1, $password1);
    my $flag = 0;

    while(($password1) = $sth->fetchrow()) 
    {
    if($password1)    
        print "$password1";
    else {
        print "not member\n";
        break;
    }
    }

    #if($password1)
    #    print "microsoft member";
    #else
    #    print "not a microsoft member";

    $sth->finish();
    $dbh->disconnect();
Oct 1 '08 #1
10 Replies
KevinADC
Expert 2GB
One thing is if you use a scalar in a single-quoted string it will not be expanded but treated literally:

    my $sth = $dbh -> prepare('select password from user where name = "$name"')

$name in the above line is literally $name and not whatever value the scalar $name has stored. Try this:

    my $sth = $dbh -> prepare(qq{select password from user where name = "$name"})

There could be other problems with your code, but I did not check it all.
Oct 1 '08 #2
Icecrack
Expert 100+
Please post in code tags.

Also use for more debug:

    use CGI qw(:standard -debug);
    use CGI::Carp qw(fatalsToBrowser);

take out:

    use CGI ':standard';

Also I would use the package (Module) Mysql
eg.

    use Mysql;

I may have downloaded this but it makes life easy.

eg.

    use Mysql;

    $host = "127.0.0.1";
    $database = "users_l";
    $tablename = "users";
    $user = " ";
    $pw = " ";

    $connect = Mysql->connect($host, $database, $user, $pw);
    $connect->selectdb($database);
    $myquery = "SELECT * FROM users WHERE init='$initc'";
    $execute = $connect->query($myquery);

    while (($id, $usern, $cleare, $init) = $execute->fetchrow_array())
    {
        #check for user name and password match
        #pass a flag 
    }

Oct 1 '08 #3
where you have declared $initc?? what values it contains????
Oct 1 '08 #4
Icecrack
Expert 100+
where you have declared $initc?? what values it contains????
$initc would be a param from form input


    $initc=param('user');


another example:

    use CGI qw(:standard -debug);
    use CGI::Carp qw(fatalsToBrowser);
    use Mysql;

    $name=param('name');
    $password=param('password');

    $host = "127.0.0.1";
    $database = "users_l";
    $tablename = "users";
    $user = " ";
    $pw = " ";

    $connect = Mysql->connect($host, $database, $user, $pw);
    $connect->selectdb($database);
    $myquery = "SELECT password FROM user WHERE name='$name'";
    $execute = $connect->query($myquery);

    # remember whether the query returned a row for this name
    $found = 0;
    while (($sqlpassword) = $execute->fetchrow_array())
    {
        $found = 1;
        if ($password eq $sqlpassword)
        {
            print "Login Accepted.";
        }
        else
        {
            print "Error Password Incorrect";
        }
    }
    # no row at all means the name is not in the table
    if (!$found)
    {
        print "User Not Found Please Try Again.";
    }

Note: I would also check for Perl and SQL cancel characters in the password and user param (never trust your users), as this could lead to an insecure program.

The use of ',;:/.%*)(^%$#@!`~+= try to cancel those characters. (Also this will prevent future errors with SQL.)
Oct 1 '08 #5
KevinADC
Expert 2GB
also i would use the package (Module) Mysql
I am pretty sure that module is considered obsolete, I don't even see it listed on CPAN anymore.

Edit:

I found it:

http://search.cpan.org/~rudy/DBD-mys...OLETE_SOFTWARE
Oct 1 '08 #6
Icecrack
Expert 100+
I am pretty sure that module is considered obsolete, I don't even see it listed on CPAN anymore.

Edit:

I found it:

http://search.cpan.org/~rudy/DBD-mys...OLETE_SOFTWARE
My bad, I didn't read down a little more :P

They must have merged them, MS SQL and MySQL.

Yes, it's obsolete, but still I think it's a lot easier and cleaner.
Oct 1 '08 #7
eWish
Expert 512MB
People are also using Rose which is gaining popularity.


--Kevin
Oct 2 '08 #8
eWish
Expert 512MB
the use of ',;:/.%*)(^%$#@!`~+= try to cancel those characters. (also this will prevent future errors with SQL)
When making use of the DBI to connect to your database, you can use placeholders and bind values. Using this method will escape special characters for you. Thus your SQL won't complain.

--Kevin
Oct 2 '08 #9
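
The placeholders and bind values described in the post above, as an added example that is not part of the original thread. It assumes DBD::SQLite is installed and uses an in-memory database in place of the thread's MySQL server; the sample rows, login attempts and the check_login name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite (DBD::SQLite) stands in for the thread's MySQL
# database so the example runs offline; the DBI calls are the same.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });

# Constructed sample data using the thread's table and column names.
$dbh->do('CREATE TABLE user (name TEXT PRIMARY KEY, password TEXT)');
my $ins = $dbh->prepare('INSERT INTO user (name, password) VALUES (?, ?)');
$ins->execute(@$_) for ( ['alice', 'wonder'], ["O'Brien", 'p@ss;word'] );

# The SQL text is fixed; the ? is filled in by the driver at execute() time,
# so quotes in $name can never end the string literal or alter the statement.
my $sth = $dbh->prepare('SELECT password FROM user WHERE name = ?');

# Returns 'member', 'wrong password' or 'not member' for one login attempt.
# The plaintext comparison mirrors the schema used in the thread.
sub check_login {
    my ($name, $password) = @_;
    return 'not member' unless defined $name && defined $password;
    $sth->execute($name);
    my ($stored) = $sth->fetchrow_array;   # empty list when no row matches
    $sth->finish;
    return 'not member'     unless defined $stored;
    return 'wrong password' unless $password eq $stored;
    return 'member';
}

# Constructed login attempts, including names full of "special" characters.
my @attempts = (
    ['alice',     'wonder'],
    ['alice',     'guess'],
    ["O'Brien",   'p@ss;word'],
    [q{a';"%*)(}, 'anything'],
    ['bob',       'secret'],
);
printf "%-12s => %s\n", $_->[0], check_login(@$_) for @attempts;

$dbh->disconnect;
```

The name containing an apostrophe is looked up like any other, and the string of quote and punctuation characters simply matches no row, with no character filtering in the script.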
Icecrack
Expert 100+
When making use of the DBI to connect to your database, you can use placeholders and bind values. Using this method will escape special characters for you. Thus your SQL won't complain.

--Kevin
thanks for the update :)
Oct 2 '08 #10
KevinADC
Expert 2GB
People are also using Rose which is gaining popularity.


--Kevin
Wow, that started 3 or 4 years ago. Seems to be getting developed at a snail's (a very slow snail) pace. I have never come across anyone that is actually using Rose.
Oct 2 '08 #11
