# Secure a CGI/PERL page using PHP



## computer_pet (Jun 22, 2003)

Hi,

I have a single cgi page that I would like to secure. At the moment I am using just basic .htaccess authentication as well as PHP, so users need to log in twice. This is only because I need this perl page secured, but I would much rather use a PHP type authentication. All other pages are protected using php sessions, which I like as I can use the username inside the script.

Any ideas on how to do this?

Is it possible to force a user to visit http://domain.com/login.php before going to http://domain.com/myscript.pl ?

Thanks


----------



## MMJ (Oct 15, 2006)

How are you currently using php auth?


----------



## computer_pet (Jun 22, 2003)

My auth.php file; I include this in all files that require security.

```
<?PHP
// Any page that I wish to protect contains $redirect = $pages_current_url, therefore after login this page will load. Bit confusing, I know.
$redirect = "Location: $redirect";
session_start();

if (!$_SESSION['user'] || !$_SESSION['pass']) {

// When they have not logged in:
include("login.php");
die();

} else {

// Checks the given session to make sure the credentials are valid
// Connects to my database, queries and finds out that way...
$db = mysql_connect('localhost', '$user', '$pass') or die("Couldn't connect to the database."); 
mysql_select_db('$dataB') or die("Couldn't select the database");

$result = mysql_query("SELECT * FROM $dataB WHERE password='$_SESSION[pass]' AND username='$_SESSION[user]'") or die("Couldn't query the user-database."); 
$num = mysql_result($result, 0);

if (!$num) { 
// Show login screen if did not match
$err = true; 
include("login.php");
die(); 
} 
}

// Session valid so login complete

?>
```
My login.php file:

```
<?PHP 
//I understand that it is bad that it does not check if anything has been POST'ed and just queries the database even if fields are blank, but have not bothered to fix that.
//Connects to my database
$db = mysql_connect('localhost', '$user', '$password') or die("Couldn't connect to the database."); 
mysql_select_db('$dataB') or die("Couldn't select the database");

// Add slashes to the username...
$_POST['user'] = addslashes($_POST['user']); 
$_POST['pass'] = addslashes($_POST['pass']);

$result = mysql_query("SELECT * FROM $dataB WHERE password='$_POST[pass]' AND username='$_POST[user]'") or die("Couldn't query the user-database."); 
$num = mysql_num_rows($result);

if (!$num) {

// Credentials are incorrect, display login screen again.

echo "
[B][SIZE=14]User Login[/SIZE][/B]

Username:

Password:

";

} else {

// Start the login session 
session_start();

// Okay so it adds the user and pass to php session 
$_SESSION['user'] = $_POST['user']; 
$_SESSION['pass'] = $_POST['pass'];

// So login is success so redirect the browser to the requested secure page
header($redirect);

}

?>
```
So it may not be the best authentication script but it does its job. Any ideas how to get this to work for securing my cgi pages?
Thanks


----------



## MMJ (Oct 15, 2006)

If you want to protect cgi files with php then you will have to tell apache to parse .cgi with php.


----------



## computer_pet (Jun 22, 2003)

Okay, I can do that with htaccess but how can PHP then execute/parse the cgi script?


----------



## computer_pet (Jun 22, 2003)

Okay instead of that,
How can I get the username that was entered when the user authenticated (I am talking about the .htaccess file). 
Anyone know how to do this in cgi? I found

```
#!/usr/bin/perl
$HttpUser= os.environ['REMOTE_USER'] ;
print $HttpUser;
```
But that just returns internal server error. I really know nothing about cgi, I would have loved to have this particular script in PHP but I don't think it is going to happen.


----------



## harmor (Mar 15, 2007)

If someone does pass their own sessions to auth.php I believe they can do SQL injection.

```
<?php
session_start();

$_SESSION['user'] = "hi' OR 1='1";
$_SESSION['pass'] = "fake";

// Resulting condition in the auth.php query:
// WHERE password='fake' AND username='hi' OR 1='1'
?>
```
I haven't tested it so I could be wrong.


----------
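Added example, not part of the original thread or any poster's code: one way to put the Perl script behind the same PHP session login asked about at the top of the thread, by running it from a PHP gateway instead of serving it directly. It assumes `myscript.pl` has been moved out of the web root to a hypothetical path, that `login.php` sets `$_SESSION['user']` only after a successful login, and that the file is named `gateway.php` (hypothetical).

```php
<?php
// gateway.php (hypothetical name): added example, not code from the thread.
// Assumes myscript.pl now lives outside the web root, reachable only via this file.
session_start();
const CGI_SCRIPT = '/var/www/private/myscript.pl'; // assumed location

if (empty($_SESSION['user'])) {
    // No PHP login yet: send the browser to the login page and stop.
    header('Location: /login.php');
    exit;
}

// Minimal CGI environment; REMOTE_USER carries the PHP session's username.
$env = [
    'GATEWAY_INTERFACE' => 'CGI/1.1',
    'REQUEST_METHOD'    => $_SERVER['REQUEST_METHOD'],
    'QUERY_STRING'      => $_SERVER['QUERY_STRING'] ?? '',
    'CONTENT_TYPE'      => $_SERVER['CONTENT_TYPE'] ?? '',
    'CONTENT_LENGTH'    => $_SERVER['CONTENT_LENGTH'] ?? '0',
    'REMOTE_ADDR'       => $_SERVER['REMOTE_ADDR'] ?? '',
    'REMOTE_USER'       => $_SESSION['user'],
    'PATH'              => '/usr/bin:/bin',
];

// Array command form (PHP 7.4+) starts perl directly, without a shell.
$spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'a']];
$proc = proc_open(['/usr/bin/perl', CGI_SCRIPT], $spec, $pipes, null, $env);
if (!is_resource($proc)) {
    http_response_code(500);
    exit('Could not start the script.');
}

// Forward the request body (php://input is empty for multipart/form-data).
fwrite($pipes[0], file_get_contents('php://input'));
fclose($pipes[0]);
$output = stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($proc);

// A CGI response is header lines, a blank line, then the body.
[$head, $body] = array_pad(preg_split("/\r?\n\r?\n/", $output, 2), 2, '');
foreach (preg_split("/\r?\n/", $head) as $line) {
    if (stripos($line, 'Status:') === 0) {
        http_response_code((int) trim(substr($line, 7)));
    } elseif (preg_match('/^(Content-Type|Location):/i', $line)) {
        header($line);
    }
}
echo $body;
```

Inside the Perl script the username is then available as `$ENV{REMOTE_USER}`, the same variable Apache sets after .htaccess authentication.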

