Trillex - programming in perl with cgi and dbi

From Teknologisk videncenter
Revision as of 13:07, 21 September 2009 by Trillex (talk | contribs)

Programming: Perl with Webinterface and Database Injections

Introduction

As a final project in Perl, I decided to make a script that could be useful to a Linux administrator. The script is very situational, however, since it relies on a specific setup.

The idea behind the script can be adapted to many situations, especially when you just need to insert simple things into a table. It certainly beats having to do it manually through that cursed client or through other means like phpMyAdmin.

What the script does is add a new user to the table "ftpd" in the MySQL database "pureftpd". The only situation where you need this is when you have set your FTP daemon up for virtual users, i.e. the user accessing the FTP server gets no account on the server itself (and so no SSH access), as they would normally if you created another user on most UNIX systems.

The Script

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use CGI::Carp qw(fatalsToBrowser);

print CGI::header();

my $username = dbquote(CGI::param('user'));
my $status = dbquote(CGI::param('status'));
my $password = dbquote(CGI::param('password'));
my $uid = dbquote(CGI::param('uid'));
my $gid = dbquote(CGI::param('gid'));
my $dir = dbquote(CGI::param('dir'));
my $upload = dbquote(CGI::param('upload'));
my $download = dbquote(CGI::param('download'));
my $comment = dbquote(CGI::param('comment'));
my $ipaccess = dbquote(CGI::param('ipaccess'));
my $quotasize = dbquote(CGI::param('quotasize'));
my $quotafiles = dbquote(CGI::param('quotafiles'));

unless($username) {
print <<PAGE;
<h1>Add an FTP account</h1>
<form action=testadddatabase.pl method=post>
Username: <input type=text name=user><br>
Status: <input type=text name=status><br>
Password: <input type=text name=password><br>
User ID: <input type=text name=uid><br>
Group ID: <input type=text name=gid><br>
Home Dir: <input type=text name=dir><br>
Upload Limit: <input type=text name=upload><br>
Download Limit: <input type=text name=download><br>
Comment: <input type=text name=comment><br>
IP Access: <input type=text name=ipaccess><br>
Quota Size: <input type=text name=quotasize><br>
Quota Files: <input type=text name=quotafiles><br>
<input type=submit value="Add an FTP account">
</form>
PAGE

exit;
}

my $dbh = DBI->connect("dbi:mysql:pureftpd:localhost", "user", "password")
    or die "Cannot connect to database: $DBI::errstr";

my $sth = $dbh->prepare("insert into ftpd(User, status, Password, Uid, Gid, Dir, ULBandwidth, DLBandwidth, comment, ipaccess, QuotaSize, Quotafiles) values('$username', '$status', '$password', '$uid', '$gid', '$dir', '$upload', '$download', '$comment', '$ipaccess', '$quotasize', '$quotafiles')");
$sth->execute() or die "Insert failed: " . $sth->errstr;

my $shown = CGI::escapeHTML($username);

print <<PAGE;
<h1>Account added</h1>
The account $shown was just added. Want to <a href=testadddatabase.pl>add another</a>?
PAGE

sub dbquote {
    my ($str) = @_;
    $str = '' unless defined $str;

    # Backslashes first, otherwise the backslashes added for the quotes would be doubled again.
    $str =~ s/\\/\\\\/g;
    $str =~ s/"/\\"/g;
    $str =~ s/'/\\'/g;

    return $str;
}
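As an added example that is not part of the original page, here is the same insert written with DBI bind parameters, the safer alternative to escaping each value with dbquote: the values are handed to execute() separately from the SQL text, so quotes and backslashes in them cannot alter the statement. It assumes the DBD::SQLite driver is installed and uses an in-memory table with the ftpd columns in place of the MySQL pureftpd database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is installed; an in-memory table with the same
# columns stands in for the MySQL "pureftpd" database of the original script.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE ftpd (User TEXT, status TEXT, Password TEXT,
           Uid TEXT, Gid TEXT, Dir TEXT, ULBandwidth TEXT, DLBandwidth TEXT,
           comment TEXT, ipaccess TEXT, QuotaSize TEXT, Quotafiles TEXT)});

# One prepared INSERT with a ? placeholder per column. The SQL text is fixed
# here; the values only arrive at execute(), so the driver keeps them as data.
my @cols = qw(User status Password Uid Gid Dir ULBandwidth DLBandwidth
              comment ipaccess QuotaSize Quotafiles);
my $sql  = sprintf "INSERT INTO ftpd(%s) VALUES(%s)",
                   join(", ", @cols), join(", ", ("?") x @cols);
my $sth  = $dbh->prepare($sql);

# Takes field name => value pairs (same names as the ftpd columns) and
# returns the number of rows inserted. No dbquote() needed.
sub add_ftp_account {
    my (%f) = @_;
    return $sth->execute(map { $f{$_} } @cols);
}

# Constructed sample account containing a single quote, a double quote and a
# backslash, the exact characters the original dbquote() tries to escape.
add_ftp_account(User => q{o'brien}, status => 1, Password => q{pa\ss"w},
                Uid => 2001, Gid => 2001, Dir => "/home/ftp/obrien",
                ULBandwidth => 100, DLBandwidth => 100, comment => "",
                ipaccess => "*", QuotaSize => 50, Quotafiles => 1000);

# Reading back with a bound parameter too: the stored value is exactly what
# was submitted, without any backslashes added or quotes lost.
my ($pw) = $dbh->selectrow_array(
    "SELECT Password FROM ftpd WHERE User = ?", undef, q{o'brien});
print "stored password for o'brien: $pw\n";
```

With the MySQL driver the only change is the connect string; prepare/execute with placeholders works the same way through DBI.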

Breaking it Down

I won't use comments (#) since I would not be able to explain enough in them. I will, hopefully, explain everything here so that a newbie can look at it and understand it.

#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;
use CGI::Carp qw(fatalsToBrowser);

Essentially this is the start of the script. It tells Perl which "modules" to make use of. These modules can provide certain functions or give you more information on errors etc.

#!/usr/bin/perl

What this does is declare that this is a Perl script and that it should be run by the interpreter at /usr/bin/perl. This path is, obviously, different on Windows machines and can differ between Linux distributions.

use strict;

Strict makes it a bit more "strict" and pretty much slaps you if you are about to do something nasty in your script that could create a mess. An example: without strict, you don't have to declare variables before using them but can just write them out. This can cause issues with typos and such, which could lead to strange bugs that are impossible, or very hard, to find. It's good for beginners.

use warnings;

Does pretty much what it says. It gives you detailed information if it sees a problem in your script when you run it, and outputs it to you. In some situations, it will even tell you exactly what is wrong. Always a good idea to use this, at least for debugging purposes.

use CGI;

This loads a module for CGI, the Common Gateway Interface. This is usually used when you want to do web development with Perl. It is what makes this script work as a web page.

use DBI;

Stands for DataBase Interface. Essentially it plays the same role as CGI, except that it is for database access instead. It can connect to, change, query and create databases of various kinds, like MySQL, Oracle and more. A very powerful tool.

use CGI::Carp qw(fatalsToBrowser);

You might have noticed that we have two calls for CGI. This one, however, only loads CGI::Carp's fatalsToBrowser function, which sends fatal errors to the browser instead of only to the server's error log. So to make sure that there is absolutely no chance of messing up, I included a call for normal CGI and then just this one.