2

My friend and I are bored, so we decided to do a bit of coding in BATCH and we made a basic login script. Basically, when you enter "Jack" as the user, it asks for a password and if you enter "Pass", it says incorrect even though it shouldn't. The strange thing is if you type the incorrect password it says it's correct.

Here is my code:

@echo off
color 2
:A
cls
echo Welcome, Please Log In
set /p user=Please Enter A Username:
IF "%user%"=="Jack" (
    set /p pass=Please Enter A Password:
    IF "%pass%"=="Pass" (
        goto :B
    ) ELSE (
        echo Password Incorrect
        ping 192.0.2.2 -n 1 -w 2000 > nul
        goto :A
    )
) ELSE (
    echo Username Incorrect
    ping 192.0.2.2 -n 1 -w 2000 > nul
    goto :A
)
:B
cls
echo Hello %user%
:C
set /p cmd="%user%> "
if "%cmd%"=="exit" (
    goto :EXIT
) ELSE (
    echo Invalid Command.
    goto :C
)
:EXIT
exit
Gray
Jack Price-Burns
    Something unrelated you guys might want to look into: [Masking input text for a password](http://stackoverflow.com/questions/664957/can-i-mask-an-input-text-in-a-bat-file) – Gray Nov 05 '13 at 20:12

3 Answers

4

The problem is the expansion of `%pass%` in the line `IF "%pass%"=="Pass" (`.
This fails, as percent expansion occurs when a complete block is parsed, before even one line is executed.

Therefore there exists a mode called delayed expansion, which expands variables only at the moment of execution.

@echo off
setlocal EnableDelayedExpansion
...
IF "%user%"=="Jack" (
    set /p pass=Please Enter A Password:
    IF "!pass!"=="Pass" (
jeb
  • 1
    Thanks for pointing out the error with my answer - I definitely confused myself somehow. Weird side question - Maybe it is a non-issue, but code like this is vulnerable to injection. ex, for a username, you can input: `1"=="1" ( goto B & rem `, to bypass the login. For this example, it is trivial, but is there a way to prevent this with batch files? Or is it a moot point since you can always edit the code anyway? – Gray Nov 05 '13 at 20:52
  • @Gray, are you SURE this is what will happen on Windows? In bash etc., tokenization and variable expansion proceed in such order that there's no danger of this: the embedded quote will simply be part of the value. I'm not sitting at a Windows box so I can't check atm, but you should. – alexis Nov 05 '13 at 21:00
  • 1
    @Gray Good question, but it's also solved by the delayed expansion, as delayed expansion is safe against any content. The only problem is the command line parameters, as they need to be expanded with `%1`, but even there a solution exists: [How to receive even the strangest command line parameters?](http://stackoverflow.com/q/4200316/463115) – jeb Nov 05 '13 at 21:02
  • @alexis Yes, it's a problem, as percent expansion in batch files is absolutely _unsafe_ – jeb Nov 05 '13 at 21:04
  • @jeb Oh ok, awesome. I didn't know that. I tried it with the username (still using percent expansion) and it was vulnerable- changed it to `!`s, and it worked properly. Thanks again. – Gray Nov 05 '13 at 21:04
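
The question's login flow with every typed value compared through delayed expansion, as the answer and comments above describe. This is an added example, not code from any poster on this page; the label names `LOGIN`, `PROMPT` and `DONE` are my own, and the credentials and delay line are taken from the question.

```batch
@echo off
rem Added example: every user-supplied value is read with !var! so that
rem its content is substituted at execution time, after the line is parsed.
rem Input such as quotes, parentheses or & stays data and is never parsed as code.
setlocal EnableExtensions EnableDelayedExpansion

:LOGIN
rem Clear old values first: set /p leaves a variable unchanged when the
rem user just presses Enter, which would reuse the previous attempt.
set "user="
set "pass="

set /p "user=Please Enter A Username: "
if not "!user!"=="Jack" (
    echo Username Incorrect
    rem Delay idiom from the question
    ping 192.0.2.2 -n 1 -w 2000 > nul
    goto LOGIN
)

rem The password prompt is outside any parenthesised block, and the
rem comparison uses !pass!, so either fix alone would read the new value.
set /p "pass=Please Enter A Password: "
if not "!pass!"=="Pass" (
    echo Password Incorrect
    ping 192.0.2.2 -n 1 -w 2000 > nul
    goto LOGIN
)

echo Hello !user!

:PROMPT
set "cmd="
set /p "cmd=!user!> "
if "!cmd!"=="exit" goto DONE
echo Invalid Command.
goto PROMPT

:DONE
endlocal
exit /b 0
```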
2

Delayed Expansion is needed

See `setlocal /?` for the `EnableDelayedExpansion` flag.

Community
David Ruhmann
0

Okay, I don't know what any of that EnableDelayedExpansion stuff is, but I managed to fix it. Instead of putting an if statement inside of an if statement, I did this:

title Some OS 1.0v
@echo off
color 2
:A
cls
echo Welcome, Please Log In
set /p user="Please Enter A Username: "
IF "%user%"=="Jack" (
    set /p pass="Please Enter A Password: "
    goto CheckPass
) ELSE (
    echo Username Incorrect
    ping 192.0.2.2 -n 1 -w 2000 > nul
    goto A
)
:CheckPass
IF "%pass%"=="Pass" (
    goto B
) ELSE (
    echo Password Incorrect
    ping 192.0.2.2 -n 1 -w 2000 > nul
    goto A
)
:B
cls
echo Hello %user%
:C
set /p cmd="%user%> "
if "%cmd%"=="exit" (
    goto EXIT
) ELSE (
    goto cmd
)
:cmd
if "%cmd%"=="cmd" (
    echo cmd : Shows list of commands
    echo exit : Exits the program
    goto C
) ELSE (
    echo Invalid Command, For list of commands type "cmd".
    goto C
)
:EXIT
exit
Jack Price-Burns
  • And now enter at the user prompt `"=="" goto :B,`. You should read about delayed expansion, like David Ruhmann mentioned – jeb Nov 05 '13 at 21:15