  1. #!/usr/bin/perl -w
  2.  
  3. #############################################################################
  4. # BadStore.cgi v1.2.3s
  5. # The CGI program file for BadStore.net
  6. #
  7. # Copyright 2004-6 - Kurt R. Roemer
  8. # Developed and Maintained by: Kurt R. Roemer, CISSP
  9. # Last Modified: 10 May 2006 - kroemer@netcontinuum.com
  10. # Visit www.badstore.net/downloads for the latest version
  11. #
  12. # WARNING! - This is an insecure program used for demo and
  13. # security training purposes only! This is not a real store!
  14. # See the Disclaimer for complete information on this program
  15. #
  16. # This program is free software; you can redistribute it and/or
  17. # modify it under the terms of the GNU General Public License
  18. # as published by the Free Software Foundation; either version 2
  19. # of the License, or (at your option) any later version.
  20. #
  21. # This program is distributed in the hope that it will be useful,
  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  24. # GNU General Public License for more details.
  25. #
  26. # You should have received a copy of the GNU General Public License
  27. # along with this program; if not, write to the Free Software
  28. # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
  29. #
  30. #############################################################################
  31.  
  32. ### Specify required PERL modules ###
  33. use CGI::Carp qw(fatalsToBrowser);
  34. use DBI;
  35. use CGI qw(:standard :html3);
  36. use Digest::MD5 qw(md5_hex);
  37. use MIME::Base64;
  38.  
  39. ### Setup Global Variables ###
  40. $time = time;
  41. $ipaddr = $ENV{'REMOTE_ADDR'};
  42.  
  43. ### Get submitted data from URL or FORM ###
  44. $query=new CGI;
  45. $action=$query->param('action');
  46.  
  47. ### Setup Header and Footer ###
  48. open (BSHEADER, '../badstore/data/header.txt') or die "Cannot open footer file\n";
  49. @header=<BSHEADER>;
  50. close (BSHEADER);
  51. open (BSFOOTER, '../badstore/data/footer.txt') or die "Cannot open footer file\n";
  52. @footer=<BSFOOTER>;
  53. close (BSFOOTER);
  54.  
  55. ### Determine action from URL or FORM data ###
  56.  
  57. if ($action eq 'whatsnew')
  58. {
  59. &whatsnew;
  60.  
  61. } elsif ($query->url_param('action') eq 'cartadd') {
  62. &cartadd;
  63.  
  64. #} elsif ($action eq 'cartremove') {
  65. # &cartremove;
  66.  
  67. #} elsif ($action eq 'cartchangeqty') {
  68. # &cartqty;
  69.  
  70. } elsif ($action eq 'cartview') {
  71. &cartview;
  72.  
  73. } elsif ($query->url_param('action') eq 'order') {
  74. &order;
  75.  
  76. } elsif ($query->url_param('action') eq 'viewprevious') {
  77. &viewprevious;
  78.  
  79. } elsif ($query->url_param('action') eq 'submitpayment') {
  80. &submitpayment;
  81.  
  82. } elsif ($action eq 'guestbook') {
  83. &guestbook;
  84.  
  85. } elsif ($query->url_param('action') eq 'doguestbook') {
  86. &doguestbook;
  87.  
  88. } elsif ($action eq 'aboutus') {
  89. &aboutus;
  90.  
  91. } elsif ($action eq 'loginregister') {
  92. &loginregister;
  93.  
  94. } elsif ($query->url_param('action') eq 'login'){
  95. &authuser;
  96.  
  97. } elsif ($query->url_param('action') eq 'register'){
  98. &authuser;
  99.  
  100. } elsif ($action eq 'search') {
  101. &search;
  102.  
  103. } elsif ($action eq 'supplierlogin') {
  104. &supplierlogin;
  105.  
  106. } elsif ($query->url_param('action') eq 'supplierportal') {
  107. &supplierportal;
  108.  
  109. } elsif ($query->url_param('action') eq 'supupload') {
  110. &supupload;
  111.  
  112. } elsif ($action eq 'admin') {
  113. &admin;
  114.  
  115. } elsif ($query->url_param('action') eq 'adminportal') {
  116. &adminportal;
  117.  
  118. } elsif ($action eq 'myaccount'){
  119. &myaccount;
  120.  
  121. } elsif ($query->url_param('action') eq 'moduser'){
  122. &moduser;
  123.  
  124. } else {
  125. &home;
  126. }
  127.  
  128. exit;
  129.  
  130. ############
  131. ### Home ###
  132. ############
  133.  
  134. sub home
  135. {
  136. &printheaders;
  137. print @header,
  138. start_html("Welcome to BadStore.net v1.2.3s - The most insecure store on the 'Net!"),
  139. "<center>",h1("<font color=#004b2c>Welcome to BadStore.net!</font>"), hr, p,
  140. img({-src=>'/badstore/images/store1.jpg',-border=>'0'}),"</center>", p,
  141. @footer,
  142. end_html();
  143. }
  144.  
  145. ##################
  146. ### What's New ###
  147. ##################
  148.  
  149. sub whatsnew
  150. {
  151. local (@data);
  152.  
  153. ### Connect to the SQL Database ###
  154. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  155. or die "Cannot connect: " . $DBI::errstr;
  156.  
  157. ### Prepare and Execute SQL Query ###
  158. my $sth = $dbh->prepare( "SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE isnew = 'Y'")
  159. or die "Couldn't prepare statement: " . $dbh->errstr;
  160. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  161.  
  162. &printheaders;
  163. print @header;
  164. print start_html("What's New at BadStore.net");
  165. if ($sth->rows == 0) {
  166. print h2("No new items! "),"$sth.\n\n";
  167. } else {
  168. print start_form( -action=>'/cgi-bin/badstore.cgi?action=cartadd');
  169. ### Read the matching records and print them out ###
  170. print h1("The following are new items:"), hr, "<TABLE BORDER=1>";
  171. print Tr( th('ItemNum'),th('Item'),th('Description'),th('Price'),th('Image'),th('Add to Cart'));
  172. while (@data = $sth->fetchrow_array()) {
  173. $image='/badstore/images/' . $data[0] . '.jpg';
  174. print Tr( td( \@data ),td({-align=>CENTER},"<IMG SRC=$image>"),td({-align=>CENTER},"<INPUT type=checkbox name='cartitem' value=$data[0]>") );
  175. }
  176. print "</TABLE>\n\n", p, "<Center>", submit('Add Items to Cart'), " ", reset(), "</Center>", end_form;
  177. }
  178.  
  179. ### Close statement handles ###
  180. $sth->finish;
  181.  
  182. ### Disconnect from the databases ###
  183. $dbh->disconnect;
  184.  
  185. print @footer;
  186. print end_html();
  187. }
  188.  
  189. ##############
  190. ### Search ###
  191. ##############
  192.  
  193. sub search
  194. {
  195. local (@data, $squery, $temp, $sql);
  196. $squery=$query->param('searchquery');
  197.  
  198. ### Connect to the SQL Database ###
  199. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  200. or die "Cannot connect: " . $DBI::errstr;
  201.  
  202. ### Prepare and Execute SQL Query ###
  203. $sql="SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE '$squery' IN (itemnum,sdesc,ldesc)";
  204. my $sth = $dbh->prepare($sql)
  205. or die "Couldn't prepare SQL statement: " . $dbh->errstr;
  206. $temp=$sth;
  207. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  208.  
  209. &printheaders;
  210. print @header;
  211. print start_html("BadStore.net - Search Results");
  212. print comment('Search code developed by Bobby Jones - summer intern, 1996');
  213. print comment('Comment the $sql line out after troubleshooting is done');
  214.  
  215. if ($sth->rows == 0) {
  216. print h2("No items matched your search criteria: "), $sql, $sth->errstr;
  217. } else {
  218. ### Read the matching records and print them out ###
  219. print h2("The following items matched your search criteria:"), "<HR>",
  220. start_form( -action=>'/cgi-bin/badstore.cgi?action=cartadd'),"<TABLE BORDER=1>",
  221. Tr( th('ItemNum'),th('Item'),th('Description'),th('Price'),th('Image'),th('Add to Cart'));
  222. while (@data = $sth->fetchrow_array()) {
  223. $image='/badstore/images/' . $data[0] . '.jpg';
  224. print Tr( td( \@data ),td({-align=>CENTER},"<IMG SRC=$image>"),td({-align=>CENTER},"<INPUT type=checkbox name='cartitem' value=$data[0]>") );
  225. }
  226. print "</TABLE>\n\n", p, "<Center>", submit('Add Items to Cart'), " ", reset(), "</Center>", end_form;
  227. }
  228.  
  229. ### Close statement handles ###
  230. $sth->finish;
  231.  
  232. ### Disconnect from the databases ###
  233. $dbh->disconnect;
  234.  
  235. print @footer;
  236. print end_html();
  237. }
  238.  
  239. #########
  240. # Admin #
  241. #########
  242.  
  243. sub admin
  244. {
  245. &printheaders;
  246. print @header;
  247. print start_html("Private Administration Portal for BadStore.net"),
  248. h1("Secret Administration Menu"), hr, p;
  249.  
  250. print start_form(-action=>'/cgi-bin/badstore.cgi?action=adminportal'),
  251. p, h2("Where do you want to be taken today?"),
  252. popup_menu(-name=>'admin', -values=>['View Sales Reports','Reset User Password','Add User','Delete User','Show Current Users','Troubleshooting','Backup Databases']),
  253. submit('Do It'), end_form,
  254. @footer,
  255. end_html();
  256. }
  257.  
  258. ################
  259. # Admin Portal #
  260. ################
  261.  
sub adminportal
{
# Admin actions selected on the admin menu ('admin' form field).
# Access control: the role is the fourth ':'-separated field of the
# base64-encoded SSOid cookie, which the client supplies; nothing here
# re-checks it against userdb.  A request carrying SSOid =
# base64("x:y:z:A") therefore reaches every branch below.
# NOTE(review): $newpasswd is declared but never used in this sub.
local ($aquery, $email, $newpasswd, @data, $stemp, @s_cookievalue, $passwd, $fullname, $role);
&printheaders;
print @header,
start_html("Private Administration Portal for BadStore.net"),
h1("Secret Administration Portal"), hr, p;
$aquery=$query->param('admin');

### Read SSOid Cookie ###
# Cookie layout (as split here): email:passwd:fullname:role.  A missing
# cookie makes decode_base64(undef) return '' (with a -w warning) and every
# field empty.
$stemp=cookie('SSOid');
$stemp=decode_base64($stemp);
@s_cookievalue=split(":", ("$stemp"));
$email=shift(@s_cookievalue);
$passwd=shift(@s_cookievalue);
$fullname=shift(@s_cookievalue);
if ($fullname eq '') {
$fullname="{Unregistered User}";
}
$role=shift(@s_cookievalue);

### Check SSO Cookie for Admin Role ###
# Client-controlled value; see the note at the top of the sub.
if ($role eq 'A') {

### Connect to the SQL Database ###
# NOTE(review): hard-coded root credentials, repeated in every handler.
my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
or die "Cannot connect: " . $DBI::errstr;

### Prepare the Sales Report ###
# Dumps every orderdb row, including the stored card number ($data[9],
# regrouped in blocks of four) and expiry date, unmasked and unescaped.
# Note the ORDER BY sorts by the string literals 'orderdate','ordertime',
# not by the columns, so the report order is the table's natural order.
if ($aquery eq 'View Sales Reports') {
my $sth = $dbh->prepare("SELECT * FROM orderdb ORDER BY 'orderdate','ordertime'")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " .$sth->errstr;

print h2("<Center>BadStore.net Sales Report",p,&getdate,"</center>"), "<HR>",
"<TABLE BORDER=1>",
Tr(th('Date'),th('Time'),th('Cost'),th('Count'),th('Items'),th('Account'),th('IP'),th('Paid'),th('Credit_Card_Used'),th('ExpDate'));
while (@data=$sth->fetchrow_array()){
$data[9]=~ s/(\d\d\d\d)[\-\s]?/$1-/g;
$data[9]=~ s/-$//;
print Tr(td(font({face=>'Arial', size=>'-2'},$data[1])),td(font({face=>'Arial', size=>'-2'},$data[2])),td(font({face=>'Arial', size=>'-2'},$data[3])),td(font({face=>'Arial', size=>'-2'},$data[4])),td(font({face=>'Arial', size=>'-2'},$data[5])),td(font({face=>'Arial', size=>'-2'},$data[6])),td(font({face=>'Arial', size=>'-2'},$data[7])),td(font({face=>'Arial', size=>'-2'},$data[8])),td(font({face=>'Arial', size=>'-2'},$data[9])),td(font({face=>'Arial',size=>'-2'},$data[10])));
}
print "</TABLE>\n\n",p;

} elsif ($aquery eq 'Reset User Password') {

### Reset User Password ###
### Prepare and Execute SQL Query ###
# Builds a popup of every userdb email for the moduser handler (defined
# outside this listing).  @ids is a package global that is never cleared;
# it is only appended to here and in the Delete User branch, and one
# request runs one branch, so in practice it starts empty.
my $sth = $dbh->prepare( "SELECT email FROM userdb")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
while (@data=$sth->fetchrow_array()) {
@ids=(@ids, $data[0]);
}
print start_form( -action=>'/cgi-bin/badstore.cgi?action=moduser'),
p, "Reset password for: ",
popup_menu(-name=>'email', -values=>[@ids]),
submit(-name=>'DoMods',-value=>'Reset User Password'), end_form;

### Close statement handles ###
$sth->finish;

} elsif ($aquery eq 'Troubleshooting') {

### Print CGI Environment ###
# Prints the whole %ENV of the request (every key, not just the documented
# ones), which includes HTTP_COOKIE - i.e. the SSOid cookie with its
# password field - and whatever the server exports.
print h2("CGI Environment Variables"), "<TABLE BORDER=1>";

my %env_info = (
SERVER_SOFTWARE => "the server software",
SERVER_NAME => "the server hostname or IP address",
GATEWAY_INTERFACE => "the CGI specification revision",
SERVER_PROTOCOL => "the server protocol name",
SERVER_PORT => "the port number for the server",
REQUEST_METHOD => "the HTTP request method",
PATH_INFO => "the extra path info",
PATH_TRANSLATED => "the extra path info translated",
DOCUMENT_ROOT => "the server document root directory",
SCRIPT_NAME => "the script name",
QUERY_STRING => "the query string",
REMOTE_HOST => "the hostname of the client",
REMOTE_ADDR => "the IP address of the client",
AUTH_TYPE => "the authentication method",
REMOTE_USER => "the authenticated username",
REMOTE_IDENT => "the remote user is (RFC 931): ",
CONTENT_TYPE => "the media type of the data",
CONTENT_LENGTH => "the length of the request body",
HTTP_ACCEPT => "the media types the client accepts",
HTTP_USER_AGENT => "the browser the client is using",
HTTP_REFERER => "the URL of the referring page",
HTTP_COOKIE => "the cookie(s) the client sent"
);

# Add additional variables defined by web server or browser
foreach $name ( keys %ENV ) {
$env_info{$name} = "an extra variable provided by this server"
unless exists $env_info{$name};
}
print Tr( th('Variable Name'),th('Description'),th('Value'));
# Values are printed without HTML escaping; request headers such as
# User-Agent and Referer are attacker-chosen.
foreach $name ( sort keys %env_info ) {
my $info = $env_info{$name};
my $value = $ENV{$name} || "<I>Not Defined</I>";
print Tr( td(font({face=>'Arial', size=>'-2'}, $name )),td(font({face=>'Arial', size=>'-2'}, $info )), td(font({face=>'Arial', size=>'-2'}, $value )));
}
# Shell backticks with fixed paths (no request data reaches the shell).
# The second heading says "Apache Access Log" but the command prints
# ../badstore/data/userdb, the flat user database file, into the page.
print "</TABLE>",p,
h2("Recent Apache Error Log"),p,hr,
`tail ../badstore/logs/error_log`,
p, h2("Apache Access Log"),p,hr,
`cat ../badstore/data/userdb`;

} elsif ($aquery eq 'Add User') {

### Add a User ###
# The new account's password is preset to md5_hex('Welcome') in a hidden
# field, and the role is a free-text field, so this form can create
# further 'A' (admin) accounts.  The actual insert happens in moduser.
print start_form(-method=>'POST',-action=>'/cgi-bin/badstore.cgi?action=moduser'),
"Email Address: ",textfield(-name=>'email',-size=>40),p,
hidden(-name=>'password',-default=>[md5_hex('Welcome')]),
"Password Hint: ",popup_menu(-name=>'pwdhint',-values=>['green','blue','red','orange','purple','yellow']),p,
"Full Name: ",textfield(-name=>'fullname',-size=>50),p,
"Role: ",textfield(-name=>'role',-size=>1),p,
submit(-name=>'DoMods',-value=>'Add User'), reset(), end_form,hr;

} elsif ($aquery eq 'Delete User') {
### Delete User ###
### Prepare and Execute SQL Query ###
# Same email popup as Reset User Password, submitted to moduser.
my $sth = $dbh->prepare( "SELECT email FROM userdb")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;

while (@data=$sth->fetchrow_array()) {
@ids=(@ids, $data[0]);
}

print start_form( -action=>'/cgi-bin/badstore.cgi?action=moduser'),
p, "Delete User: ",
popup_menu(-name=>'email', -values=>[@ids]),
submit(-name=>'DoMods',-value=>'Delete User'), end_form;

### Close statement handles ###
$sth->finish;

} elsif ($aquery eq 'Show Current Users') {

### Show Current Users ###
### Prepare and Execute SQL Query ###
# Prints every userdb column including the stored password value
# (supplierportal compares md5_hex digests against it) and the role.
my $sth = $dbh->prepare( "SELECT * FROM userdb")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
print "<TABLE BORDER=1>",
Tr(th('Email Address'),th('Password'),th('Pass Hint'),th('Full Name'),th('Role'));
while (@data=$sth->fetchrow_array()) {
print Tr(td(font({face=>'Arial', size=>'-2'},$data[0])),td(font({face=>'Arial', size=>'-2'},$data[1])),td(font({face=>'Arial', size=>'-2'},$data[2])),td(font({face=>'Arial', size=>'-2'},$data[3])),td(font({face=>'Arial', size=>'-2'},$data[4])));
}
print "</TABLE>";
} elsif ($aquery eq 'Backup Databases') {
### Backup the Tables ###
# SELECT ... INTO OUTFILE writes on the MySQL server's filesystem.  The
# orderdb copy goes to a path relative to the server's working directory;
# the userdb copy (emails, password digests, roles) is written under
# /usr/local/apache/htdocs/backup/, which the confirmation message below
# presents as the web-reachable www.badstore.net/backup.
# NOTE(review): the second `my $sth` redeclares the first in the same
# scope ("my" variable masks earlier declaration under -w).
my $sth = $dbh->prepare( "SELECT * FROM orderdb INTO OUTFILE '../backup/orderdb.bak'")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
my $sth = $dbh->prepare( "SELECT * FROM userdb INTO OUTFILE '/usr/local/apache/htdocs/backup/userdb.bak'")
or die "Couldn't prepare statement: " . $dbh->errstr;
$sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
print h2("Database backup compete - files in www.badstore.net/backup");
}
### Disconnect from the databases ###
$dbh->disconnect;

} else {
### Not an Admin user ###
# $fullname comes straight from the cookie and is printed unescaped.
print h2("Error - $fullname is not an Admin!"), hr,
"Something weird happened - you tried to access the ",
"Adminstrative Portal, but you are not an Administrative User.", p,
"You must login as an Admin to access this resource.", p,
"Use your browser's Back button and go to Login.", p, p, p,
h3("(If you're trying to hack - I know who you are: $ipaddr)");
}
print @footer,
end_html();
}
  439.  
  440. #############
  441. # Guestbook #
  442. #############
  443.  
  444. sub guestbook
  445. {
  446. &printheaders;
  447. print @header,
  448. start_html("BadStore.net - Sign our Guestbook"),
  449. h1("Sign our Guestbook!"), hr,
  450. p,
  451. "Please complete this form to sign our Guestbook. The email field is not required, but helps us contact you to respond to your feedback. Thanks!",
  452. p, hr, "<TABLE BORDER=0 CELLLPADDING=10>";
  453. print start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=doguestbook');
  454. print Tr( td('Your Name:'), td('<INPUT TYPE=text NAME=name SIZE=30>'));
  455. print Tr( td('Email:'), td('<INPUT TYPE=text NAME=email SIZE=40>'));
  456. print Tr( td({-valign=>TOP},'Comments:'), td('<TEXTAREA NAME=comments COLS=60 ROWS=4></TEXTAREA>'));
  457. print "</TABLE>\n<HR>\n",
  458. '<Center><INPUT TYPE=submit VALUE="Add Entry"> <INPUT TYPE=reset></Center>';
  459. p,
  460. submit(), reset(),
  461. end_form,
  462. hr,
  463. @footer, end_html();
  464. }
  465.  
  466. ################
  467. # Do Guestbook #
  468. ################
  469.  
  470. sub doguestbook
  471. {
  472. local($timestamp, $name, $email, $comments, %fields);
  473. my ($dataFile) = "../badstore/data/guestbookdb";
  474.  
  475. $timestamp=&getdate;
  476. $name=$query->param('name');
  477. $email=$query->param('email');
  478. $comments=$query->param('comments');
  479. chomp($comments);
  480.  
  481. &saveFormData(\%fields, $dataFile);
  482.  
  483. &printheaders;
  484. print @header;
  485. print start_html("Welcome to the BadStore.net Guestbook");
  486.  
  487. print h1("Guestbook"), hr;
  488. &readFormData($dataFile);
  489.  
  490. print @footer;
  491. print end_html();
  492. }
  493.  
  494. sub saveFormData {
  495. my($hashRef) = shift;
  496. my($dbfile) = shift;
  497.  
  498. open(FILE, ">>$dbfile") or die("Unable to open Guestbook data file $dbfile: $!\n");
  499. print FILE ("$hashRef->{'timestamp'}$timestamp~");
  500. print FILE ("$hashRef->{'name'}$name~");
  501. print FILE ("$hashRef->{'email'}$email~");
  502. print FILE ("$hashRef->{'comments'}$comments");
  503. print FILE ("\n");
  504. close(FILE);
  505. }
  506.  
  507. sub readFormData {
  508. my($dbfile) = shift;
  509.  
  510. open(FILE, "<$dbfile") or die("Unable to open Guestbook data file.");
  511. while (<FILE>) {
  512. my($timestamp, $name, $email, $comments) = split(/~/, $_);
  513.  
  514. print("$timestamp: <B>$name</B> <A HREF=mailto:$email>$email</A>\n");
  515. print("<OL><I>$comments</I></OL>\n");
  516. print("<HR>\n");
  517. }
  518. close(FILE);
  519. }
  520.  
  521. ###############################
  522. ### Get and format the date ###
  523. ###############################
  524.  
  525. sub getdate
  526. {
  527. local ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst,$date);
  528. local (@days, @months);
  529.  
  530. @days = ('Sunday','Monday','Tuesday','Wednesday','Thursday', 'Friday', 'Saturday');
  531.  
  532. @months = ('January','February','March','April','May','June','July','August','September','October','November','December');
  533.  
  534. ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime($time);
  535.  
  536. if ($hour < 10){ $hour = "0$hour"; }
  537. if ($min < 10){ $min = "0$min"; }
  538. if ($sec < 10){ $sec = "0$sec"; }
  539.  
  540. $year += 1900;
  541. $date = "$days[$wday], $months[$mon] $mday, $year at $hour\:$min\:$sec";
  542.  
  543. return $date;
  544. }
  545.  
  546. ###############
  547. # Add to Cart #
  548. ###############
  549.  
  550. sub cartadd
  551. {
  552. local($temp, @contents, $cookievalue);
  553.  
  554. ### Check for existing cookie and setup an empty cart ###
  555. if ($cartcookie eq "")
  556. {
  557. ($sessid)=($time);
  558. $cartitems=0;
  559. $cartcost=0;
  560. @contents=$query->param('cartitem');
  561. }
  562.  
  563. chomp(@contents);
  564. ### Check for zero update value ###
  565. if ($contents[0] eq ""){
  566. &printheaders;
  567. print start_html("BadStore.net - Cart Error"), @header,
  568. h1("Cart Error - Zero Items"), hr,
  569. "Something weird happened - you tried to add no items to the cart!",p,
  570. "Use your browser's Back button and try again.", p, p, p,
  571. h3("(If you're trying to hack - I know who you are: $ipaddr)"),
  572. @footer, end_html();
  573.  
  574. } else {
  575. ### Connect to the SQL Database ###
  576. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  577. or die "Cannot connect: " . $DBI::errstr;
  578.  
  579. foreach $temp (@contents) {
  580. $cartitems = $cartitems + 1;
  581. my $sth = $dbh->prepare( "SELECT price FROM itemdb WHERE itemnum = '$temp'")
  582. or die "Couldn't prepare statement: " . $dbh->errstr;
  583. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  584.  
  585. if ($sth->rows == 0) {
  586. die "Item number not found: " . $sth->errstr;
  587. } else {
  588. ### Update cart cost ###
  589. $cartcost = $cartcost + $sth->fetchrow_array();
  590. }
  591. }
  592.  
  593. ### Create initial CartID cookie
  594. $cookievalue=join(":", ($sessid, $cartitems, $cartcost, @contents));
  595. $cartcookie=cookie( -name=>'CartID', -value=>$cookievalue, -path=>'/');
  596. print "Set-Cookie: $cartcookie\n";
  597.  
  598. &home
  599. }
  600. }
  601.  
  602. ###############
  603. # Place Order #
  604. ###############
  605.  
  606. sub order
  607. {
  608. local (@data, $temp, @cookievalue, $price, $id, $items, $cost, $cartitems, $cartcookie, $ccard, $expdate);
  609.  
  610. ### Read CartID Cookie ###
  611. $temp=cookie('CartID');
  612. @cookievalue=split(":", ("$temp"));
  613. $id=shift(@cookievalue);
  614. $items=shift(@cookievalue);
  615. $cost=shift(@cookievalue);
  616. $price='$' . sprintf("%.2f", $cost);
  617. $cartitems=join(",", @cookievalue);
  618. $email=$query->param('email');
  619.  
  620. ### Expire the Cookie ###
  621. $cartcookie=cookie( -name=>'CartID', -value=>'', -expires=>'-1d', -path=>'/');
  622. print "Set-Cookie: $cartcookie\n";
  623.  
  624. ### Get the hidden fields ###
  625. $ccard=$query->param('ccard');
  626. $expdate=$query->param('expdate');
  627.  
  628. &printheaders;
  629. print @header,
  630. start_html("BadStore.net - Place Order"),
  631. h1("Your Order Has Been Placed"), hr, p;
  632.  
  633. ### Check for Empty Cart ###
  634. if ($items < "1") {
  635. print h2("You have no items in your cart."), p,
  636. "Order something already!", p;
  637. } else {
  638.  
  639. ### Connect to the SQL Database ###
  640. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  641. or die "Cannot connect: " . $DBI::errstr;
  642.  
  643. ### Add ordered items to Order Database ###
  644. $dbh->do("INSERT INTO orderdb (sessid, orderdate, ordertime, ordercost, orderitems, itemlist, accountid, ipaddr, cartpaid, ccard, expdate) VALUES ('$id', CURDATE(), CURTIME(), '$price', '$items', '$cartitems', '$email', '$ipaddr', 'Y', '$ccard', '$expdate')")
  645. or die "Couldn't prepare SQL statement for order: " . $dbh->errstr;
  646.  
  647. print h2("You have just bought the following:"), p;
  648.  
  649. ### Prepare and Execute SQL Query ###
  650. my $sth = $dbh->prepare( "SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE itemnum IN ($cartitems)")
  651. or die "Couldn't prepare statement: " . $dbh->errstr;
  652. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  653. if ($sth->rows == 0) {
  654. die "Item number not found: " . $sth->errstr;
  655. } else {
  656. ### Read the matching records and print them out ###
  657. print "<TABLE BORDER=1>",
  658. Tr( th('ItemNum'),th('Item'),th('Description'),th('Price'),th('Image'));
  659. while (@data = $sth->fetchrow_array()) {
  660. $image='../badstore/images/' . $data[0] . '.jpg';
  661. print Tr( td( \@data ),td({-align=>CENTER},"<IMG SRC=$image>") );
  662. }
  663. print "</TABLE>\n\n", p,
  664. h3("Purchased: $items items at $price"), p, "<Center><i>Thank you for shopping at BadStore.net!</i></Center>";
  665. }
  666. ### Close statement handles ###
  667. $sth->finish;
  668.  
  669. ### Disconnect from the databases ###
  670. $dbh->disconnect;
  671. }
  672. print @footer,
  673. end_html();
  674. }
  675.  
  676. ##################
  677. # Submit Payment #
  678. ##################
  679.  
  680. sub submitpayment
  681. {
  682. local($stemp, @s_cookievalue, $email, $passwd, $fullname, $ccard, $expdate);
  683.  
  684. ### Read SSOid Cookie ###
  685. $stemp=cookie('SSOid');
  686. $stemp=decode_base64($stemp);
  687. @s_cookievalue=split(":", ("$stemp"));
  688. $email=shift(@s_cookievalue);
  689. &printheaders;
  690. print @header, start_html(-title=>"BadStore.net - Place Order", -script=>{-language=>'JavaScript',-src=>'/cardvrfy.js'}),
  691. h1("Thanks for ordering from BadStore.net!"), hr;
  692.  
  693. print start_form( -action=>'/cgi-bin/badstore.cgi?action=order', -onSubmit=>'return DoCardvrfy(this);');
  694.  
  695. ### If already logged in, fill out email, say Welcome ###
  696. if ($email eq '') {
  697. print "Email Address: ", textfield(-name=>'email', -size=>15, -maxlength=>40);
  698. } else {
  699. print "Welcome, <b>$email</b>",
  700. hidden(-name=>'email', -default=>[$email]);
  701. }
  702. print p,
  703. "Credit Card Number: ", textfield(-name=>'ccard', -size=>16, -maxlength=>16)," Expiration Date: ",textfield(-name=>'expdate',-size=>4),p,p,hr,p,
  704. "<Center>BadStore.net Accepts the following Payment Methods",p,
  705. img{src=>'../badstore/images/visa.jpg'}," ",img{src=>'../badstore/images/mastercard.jpg'}," ",img{src=>'../badstore/images/discover.jpg'}," ",img{src=>'../badstore/images/amex.jpg'},p,
  706. submit(-name=>'subccard', -value=>'Place Order'),
  707. end_form;
  708.  
  709. print @footer, end_html();
  710. }
  711.  
  712.  
  713. ########################
  714. # View Previous Orders #
  715. ########################
  716.  
  717. sub viewprevious
  718. {
  719. local ($email, @data, $stemp, @s_cookievalue, $passwd, $fullname, $role);
  720.  
  721. ### Read SSOid Cookie ###
  722. $stemp=cookie('SSOid');
  723. $stemp=decode_base64($stemp);
  724. @s_cookievalue=split(":", ("$stemp"));
  725. $email=shift(@s_cookievalue);
  726. $passwd=shift(@s_cookievalue);
  727. $fullname=shift(@s_cookievalue);
  728. $role=shift(@s_cookievalue);
  729.  
  730. &printheaders;
  731. print @header,
  732. start_html("BadStore.net - View Previous Orders"),
  733. h1("You have placed the following orders:"), hr, p;
  734.  
  735. if ($fullname eq '{Unregistered User}') {
  736. print h2('You are not logged in!'), p,
  737. "Use your browser's Back button and select Login.";
  738. } else {
  739. ### Connect to the SQL Database ###
  740. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  741. or die "Cannot connect: " . $DBI::errstr;
  742.  
  743. my $sth = $dbh->prepare( "SELECT orderdate, ordercost, orderitems, itemlist, ccard FROM orderdb WHERE accountid = '$email' ORDER BY orderdate,ordertime")
  744. or die "Couldn't prepare statement: " . $dbh->errstr;
  745. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  746.  
  747. if ($sth->rows == 0) {
  748. print h2('You have no previous orders!'), p,
  749. "Use your browser's Back button and select Login.";
  750. } else {
  751.  
  752. print "<TABLE BORDER=1>",
  753. Tr( th('Order Date'),th('Order Cost'),th('# Items'),th('Item List'),th('Card Used'));
  754. while (@data = $sth->fetchrow_array()) {
  755. $data[4]=~ s/(\d\d\d\d)[\ \s]?/$1 /g;
  756. $data[4]=~ s/ $//;
  757. print Tr( td( \@data ));
  758. }
  759. print "</TABLE>\n\n", p,
  760. "<Center><i>Thank you for shopping at BadStore.net!</i></Center>";
  761. }
  762.  
  763. ### Close statement handles ###
  764. $sth->finish;
  765.  
  766. ### Disconnect from the databases ###
  767. $dbh->disconnect;
  768. }
  769. print @footer,
  770. end_html();
  771. }
  772.  
  773. ############
  774. # About Us #
  775. ############
  776.  
  777. sub aboutus
  778. {
  779. &printheaders;
  780. print @header,
  781. start_html('BadStore.net - About Us'),
  782. h2("About Us!"), hr, p,
  783. img{src=>'../badstore/images/seal.jpg', align=>'RIGHT'},
  784. p, "We value your comments, so click here and tell us what you think! ", p,
  785. a({-href=>'mailto:spam@badstore.net'}, 'Send us an email!'), " with subject 'Howdy' and whatever you want to say",
  786. p,
  787. "We may be a small site, but we really care about your on-line security. That's why we undergo a Security Seal certification every few years or so. The Security Seal is a stringent process where we have to fill out filecabinets full of paperwork to illustrate our security process. Believe me, it's alot of work.", p,
  788. @footer, end_html();
  789. }
  790.  
  791. ##################
  792. # Supplier Login #
  793. ##################
  794.  
  795. sub supplierlogin
  796. {
  797. &printheaders;
  798. print @header, start_html('Supplier Portal Login - BadStore.net'),
  799. h1("Welcome Supplier - Please Login:"), hr, p,
  800. start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=supplierportal'),
  801. " Email Address: ", textfield(-name=>'email', -size=>15, -maxlength=>40), p,
  802. " Password: ", password_field(-name=>'passwd', -size=>8 -maxlength=>8),p,
  803. submit("Login"), end_form,
  804. @footer, end_html();
  805. }
  806.  
  807. ###################
  808. # Supplier Portal #
  809. ###################
  810.  
  811. sub supplierportal
  812. {
  813. local($email, $passwd);
  814. $email=$query->param('email');
  815. $passwd=$query->param('passwd');
  816. chomp($email);
  817. chomp($passwd);
  818. $passwd=md5_hex($passwd);
  819.  
  820. ### Connect to the SQL Database ###
  821. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  822. or die "Cannot connect: " . $DBI::errstr;
  823.  
  824. ### Prepare, Evaluate and Execute SQL Query ###
  825. my $sth = $dbh->prepare("SELECT * FROM userdb WHERE email='$email' AND passwd='$passwd' ");
  826. eval {
  827. $sth->execute();
  828. 1;
  829. } or do {
  830. print "Location: /cgi-bin/badstore.cgi?action=supplierlogin\n\n";
  831. };
  832.  
  833. &printheaders;
  834. print @header, start_html("Welcome to the BadStore.net Supplier Portal"),
  835. h1("Welcome Supplier"), hr;
  836.  
  837. if ($sth->rows == 0) {
  838. print h2("UserID and Password not found!"),
  839. "Use your browser's Back button and try again.";
  840. } else {
  841. # Login credentials are valid
  842. print h2("Upload Price Lists"), p, p, p, h3("Filename on local system: "),
  843. start_multipart_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=supupload', -enctype=>'multipart/form-data'),
  844. filefield(-name=>'uploaded_file', -size=>50, -maxlength=>80), br, br,
  845. h3("Filename on BadStore.net: "), textfield(-name=>'newfilename', size=>25, -maxlength=>50),
  846. submit('Upload'), end_form;
  847. }
  848. print hr,h2("<B>Coming Soon - Web Services!</B>");
  849. ### Close statement handles ###
  850. $sth->finish;
  851.  
  852. ### Disconnect from the databases ###
  853. $dbh->disconnect;
  854. print @footer, end_html();
  855. }
  856.  
  857. ###################
  858. # Supplier Upload #
  859. ###################
  860.  
  861. sub supupload
  862. {
  863. (local $host);
  864. &printheaders;
  865. print @header, start_html("BadStore.net - Supplier Upload");
  866.  
  867. $referer = $ENV{HTTP_REFERER};
  868. $host = $ENV{HTTP_HOST};
  869.  
  870. ### Check for valid referer from Supplier Portal
  871. if ($referer and $referer !~ m|^http://$hostname/| ) {
  872.  
  873. print h1("Upload a file");
  874.  
  875. $newfilename = $query->param('newfilename');
  876. $filename = $query->param('uploaded_file');
  877. $filename =~ s/.*[\/\\](.*)/$1/;
  878. chomp($filename);
  879. $upload_filehandle = $query->upload('uploaded_file');
  880. open (OUT, ">../badstore/data/uploads/$newfilename") or die "Can't open $newfilename for appending: $!\n";
  881. while (<$upload_filehandle>)
  882. {
  883. print OUT;
  884. }
  885. close OUT;
  886. print p, h2("Thanks for uploading your new pricing file!"), p,
  887. h3("Your file has been uploaded: $newfilename"), p,
  888.  
  889. } else {
  890. ### Invalid referer ###
  891. print h1("An Error Has Occurred"),
  892. h3("Uploads are only accepted by authenticating to the Supplier Portal!")
  893. }
  894. end_html();
  895. }
  896.  
  897. ######################
  898. # View Cart Contents #
  899. ######################
  900.  
  901. sub cartview
  902. {
  903. local (@data, $temp, @cookievalue, $price, $id, $items, $cost, $cartitems);
  904.  
  905. &printheaders;
  906. print @header,
  907. start_html("BadStore.net - View Cart Contents"),
  908. h1("Keep Shopping!"), hr, p;
  909.  
  910. ### Read CartID Cookie ###
  911. $temp=cookie('CartID');
  912. @cookievalue=split(":", ("$temp"));
  913. $id=shift(@cookievalue);
  914. $items=shift(@cookievalue);
  915. $cost=shift(@cookievalue);
  916. $price='$' . sprintf("%.2f", $cost);
  917. $cartitems=join(",", @cookievalue);
  918.  
  919. ### Check for Empty Cart ###
  920. if ($items < "1") {
  921. print h2("You have no items in your cart."), p,
  922. " Order something already!", p;
  923. } else {
  924.  
  925. ### Connect to the SQL Database ###
  926. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  927. or die "Cannot connect: " . $DBI::errstr;
  928.  
  929. print h2("The following items are in your cart:"), p,
  930. h3("Cart Contains: $items items at $price"), p;
  931.  
  932. ### Prepare and Execute SQL Query ###
  933. my $sth = $dbh->prepare( "SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE itemnum IN ($cartitems)")
  934. or die "Couldn't prepare statement: " . $dbh->errstr;
  935. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  936. if ($sth->rows == 0) {
  937. die "Item number not found: " . $sth->errstr;
  938. } else {
  939. ### Read the matching records and print them out ###
  940. print start_form( -action=>'/cgi-bin/badstore.cgi?action=submitpayment'),"<TABLE BORDER=1>",
  941. Tr( th('ItemNum'),th('Item'),th('Description'),th('Price'),th('Image'),th('Order'));
  942. while (@data = $sth->fetchrow_array()) {
  943. $image='/badstore/images/' . $data[0] . '.jpg';
  944. print Tr( td( \@data ),td({-align=>CENTER},"<IMG SRC=$image>"),td({-align=>CENTER},"<INPUT type=checkbox checked name='cartitem' value=$data[0]>") );
  945. }
  946. print "</TABLE>\n\n", p, "<Center>", submit('Place Order'), " ", reset(), "</Center>", end_form;
  947. }
  948. ### Close statement handles ###
  949. $sth->finish;
  950.  
  951. ### Disconnect from the databases ###
  952. $dbh->disconnect;
  953. }
  954. print @footer,
  955. end_html();
  956. }
  957.  
  958. #####################
  959. ### Print headers ###
  960. #####################
  961.  
  962. sub printheaders
  963. {
  964. print "Content-type: text/html\n";
  965. print "Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25\n";
  966. print "ETag: CPE1704TKS\n";
  967. print "Cache-Control: no-cache\n";
  968. print "Pragma: no-cache\n\n";
  969. }
  970.  
  971. #####################
  972. # Login or Register #
  973. #####################
  974.  
  975. sub loginregister
  976. {
  977. &printheaders;
  978. print @header, start_html('BadStore.net - Register/Login'),
  979. h2("Login to Your Account or Register for a New Account"), hr, p,
  980. h3("Login to Your Account"),
  981. start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=login'),
  982. "Email Address: ", textfield(-name=>'email', -size=>20, -maxlength=>40), p,
  983. "Password: ", password_field(-name=>'passwd', -size=>8 -maxlength=>8),p,
  984. submit("Login"), end_form, hr, p,
  985. h3("Register for a New Account"),
  986. start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=register'),
  987. "Full Name: ", textfield(-name=>'fullname', -size=>25, -maxlength=>40), p,
  988. "Email Address: ", textfield(-name=>'email', -size=>20, -maxlength=>40), p,
  989. "Password: ", password_field(-name=>'passwd', -size=>8 -maxlength=>8),p,
  990. "Password Hint - What's Your Favorite Color?: ",popup_menu(-name=>'pwdhint',-values=>['green','blue','red','orange','purple','yellow']),p,
  991. "<font face=Arial size=2><i>(The Password Hint is used as a security measure to help recover a forgotten password. You will need both your email address and this hint to access your account if you forget your current password.)</i></font>",p,
  992. hidden(-name=>'role', -default=>['U']),
  993. submit("Register"), end_form, p,
  994. @footer, end_html();
  995. }
  996.  
  997. ##############
  998. # My Account #
  999. ##############
  1000.  
  1001. sub myaccount
  1002. {
  1003. local($aquery, $email, $passwd, $pwdhint, $fullname, $role, $newpasswd, $vnewpasswd, $encpasswd);
  1004.  
  1005. ### Read SSOid Cookie ###
  1006. $stemp=cookie('SSOid');
  1007. $stemp=decode_base64($stemp);
  1008. @s_cookievalue=split(":", ("$stemp"));
  1009. $email=shift(@s_cookievalue);
  1010. $passwd=shift(@s_cookievalue);
  1011. $fullname=shift(@s_cookievalue);
  1012. $role=shift(@s_cookievalue);
  1013.  
  1014. &printheaders;
  1015. print @header, start_html(-title=>'BadStore.net - My Account Services',-script=>{language=>'JavaScript',-src=>'../frmvrfy.js'});
  1016.  
  1017. if ($fullname eq '') {
  1018. $fullname="{Unregistered User}";
  1019. print h2(' Welcome, as an ',$fullname,' you can:'),p,
  1020. "Login To Your Account / Register for A New Account - <A HREF='/cgi-bin/badstore.cgi?action=loginregister'>Click Here</A><BR>", p,
  1021. " Reset A Forgotten Password", p,
  1022. start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=moduser'),
  1023. "<font face=Arial size=2> Please enter the email addess and password hint you chose when the account was created:</font>",p,
  1024. " Email Address: ", textfield(-name=>'email', -size=>15),p,
  1025. " Password Hint - What's Your Favorite Color?: ",popup_menu(-name=>'pwdhint',-values=>['green','blue','red','orange','purple','yellow']),p,
  1026. "<font face=Arial size=2><i> (The Password Hint was chosen when you registered for a new account as a security measure to help recover a forgotten password...)</i></font>",p,
  1027. submit(-name=>'DoMods',-value=>'Reset User Password'), end_form;
  1028.  
  1029. } else {
  1030. print h2(" Welcome, ",$fullname), hr, p,
  1031. "<B> Update your account information: </B>",p,p,
  1032. start_form(-method=>'POST', -action=>'/cgi-bin/badstore.cgi?action=moduser', -onSubmit=>'return DoPwdvrfy(this);'),
  1033. " Current Full Name: ", $fullname,p,
  1034. " New Full Name = ",textfield(-name=>'fullname', -size=>25, -maxlength=>40),p,br,
  1035. " Current Email Address: ", $email,p,
  1036. " New Email Address = ",textfield(-name=>'newemail', -size=>20, -maxlength=>40),p,br,
  1037. " Change Password: ", password_field(-name=>'newpasswd', -size=>8 -maxlength=>8)," Verify: ", password_field(-name=>'vnewpasswd', -size=>8 -maxlength=>8),p,br,
  1038. hidden(-name=>'role', -default=>[$role]),
  1039. hidden(-name=>'email',-default=>[$email]),
  1040. submit(-name=>'DoMods',-value=>'Change Account'), end_form, p;
  1041. }
  1042. print @footer, end_html();
  1043. }
  1044.  
  1045. ##########################
  1046. # Modify User Attributes #
  1047. ##########################
  1048.  
  1049. sub moduser
  1050. {
  1051. local($aquery, $email, $passwd, $pwdhint, $fullname, $role, $newpasswd, $encpasswd, $vnewpasswd, $newemail);
  1052. $aquery=$query->param('DoMods');
  1053. $email=$query->param('email');
  1054. $passwd=$query->param('passwd');
  1055. $pwdhint=$query->param('pwdhint');
  1056. $fullname=$query->param('fullname');
  1057. $role=$query->param('role');
  1058. $vnewpasswd=$query->param('vnewpasswd');
  1059. $newemail=$query->param('newemail');
  1060. chomp($email);
  1061. chomp($passwd);
  1062. chomp($pwdhint);
  1063. chomp($fullname);
  1064. chomp($role);
  1065. $newpasswd="Welcome";
  1066. $encpasswd=md5_hex($newpasswd);
  1067. $vencpasswd=md5_hex($vnewpasswd);
  1068. &printheaders;
  1069.  
  1070. ### Connect to the SQL Database ###
  1071. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  1072. or die "Cannot connect: " . $DBI::errstr;
  1073.  
  1074. ### Reset User Password ###
  1075. if ($aquery eq 'Reset User Password') {
  1076. print @header, start_html('BadStore.net - Reset Password for User');
  1077. ### Prepare and Execute SQL Query ###
  1078. my $sth=$dbh->prepare("UPDATE userdb SET passwd = '$encpasswd' WHERE email='$email'")
  1079. or die "Could not update password: ".$dbh->errstr;
  1080. $sth->execute() or die "Couldn't execute SQL statement: ".$sth->errstr;
  1081.  
  1082. print h2('The password for user: ', $email,p, ' ...has been reset to: ',$newpasswd),
  1083.  
  1084. }elsif ($aquery eq 'Add User'){
  1085. print @header, start_html('BadStore.net - Add User');
  1086. $dbh->do("INSERT INTO userdb (email, passwd, pwdhint, fullname, role) VALUES ('$email','$encpasswd','$pwdhint', '$fullname', '$role')")
  1087. or die "Couldn't prepare SQL statement for Registration: " . $dbh->errstr;
  1088. print h2("User: ",$fullname," has been added.");
  1089.  
  1090. }elsif ($aquery eq 'Delete User'){
  1091. print @header, start_html('BadStore.net - Delete User');
  1092. $dbh->do("DELETE FROM userdb WHERE email='$email'")
  1093. or die "Couldn't prepare SQL statement for Registration: " . $dbh->errstr;
  1094. print h2("User: ",$email," has been deleted.");
  1095.  
  1096. ### Change Account Information ###
  1097. }elsif ($aquery eq 'Change Account'){
  1098. print @header, start_html('BadStore.net - Update User Information');
  1099. $dbh->do("UPDATE userdb SET fullname='$fullname' WHERE email='$email'")
  1100. or die "Couldn't prepare SQL statement: " .$dbh->errstr;
  1101. $dbh->do("UPDATE userdb SET passwd='$vencpasswd' WHERE email='$email'")
  1102. or die "Couldn't prepare SQL statement: " .$dbh->errstr;
  1103. $dbh->do("UPDATE userdb SET email='$newemail' WHERE email='$email'")
  1104. or die "Couldn't prepare SQL statement: " .$dbh->errstr;
  1105. print h2(" Account Information for: "),
  1106. " Full Name: ",$fullname,p," Email: ",$newemail,p," Password: ",$vnewpasswd,p,
  1107. h3(" Has been updated!");
  1108. }
  1109. print @footer, end_html();
  1110.  
  1111. ### Disconnect from the databases ###
  1112. $dbh->disconnect;
  1113. }
  1114.  
  1115. #############
  1116. # Auth User #
  1117. #############
  1118.  
  1119. sub authuser
  1120. {
  1121. local(@data, $email, $passwd, $pwdhint,$fullname, $role);
  1122. $email=$query->param('email');
  1123. $passwd=$query->param('passwd');
  1124. $pwdhint=$query->param('pwdhint');
  1125. $fullname=$query->param('fullname');
  1126. $role=$query->param('role');
  1127. chomp($email);
  1128. chomp($passwd);
  1129. chomp($pwdhint);
  1130. chomp($fullname);
  1131. chomp($role);
  1132. $passwd=md5_hex($passwd);
  1133.  
  1134. ### Connect to the SQL Database ###
  1135. my $dbh = DBI->connect("DBI:mysql:database=badstoredb;host=localhost", "root", "123456",{'RaiseError' => 1})
  1136. or die "Cannot connect: " . $DBI::errstr;
  1137.  
  1138. ### Logging into existing account ###
  1139. if ($query->url_param('action') eq 'login') {
  1140.  
  1141. ### Prepare and Execute SQL Query to Verify Credentials ###
  1142. my $sth = $dbh->prepare("SELECT * FROM userdb WHERE email='$email' AND passwd='$passwd'")
  1143. or die "Couldn't prepare statement: " . $dbh->errstr;
  1144. $sth->execute() or die "Couldn't execute SQL statement: " . $sth->errstr;
  1145.  
  1146. if ($sth->rows == 0) {
  1147. &printheaders;
  1148. print @header,
  1149. start_html("BadStore.net - Login Error"),
  1150. h2("UserID and Password not found!"),
  1151. "Use your browser's Back button and try again.",
  1152. @footer, end_html();
  1153. exit;
  1154. } else {
  1155. ### Login credentials are valid ###
  1156.  
  1157. @data=$sth->fetchrow_array();
  1158. $fullname=$data[3];
  1159. $role=$data[4];
  1160.  
  1161. ### Close statement handles ###
  1162. $sth->finish;
  1163. }
  1164. } else {
  1165.  
  1166. ### Register for a new account as a normal user ###
  1167. ### Add ordered items to Order Database ###
  1168. $dbh->do("INSERT INTO userdb (email, passwd, pwdhint, fullname, role) VALUES ('$email', '$passwd','$pwdhint', '$fullname', '$role')")
  1169. or die "Couldn't prepare SQL statement for Registration: " . $dbh->errstr;
  1170. }
  1171.  
  1172. ### Set SSO Cookie ###
  1173. $cookievalue=join(":", ($email, $passwd, $fullname, $role));
  1174. $cookievalue=encode_base64($cookievalue);
  1175. $cartcookie=cookie( -name=>'SSOid', -value=>$cookievalue, -path=>'/');
  1176. print "Set-Cookie: $cartcookie\n";
  1177.  
  1178. ### Disconnect from the databases ###
  1179. $dbh->disconnect;
  1180. &home;
  1181. }