From: Ron Piggott on 18 Feb 2010 16:40

I am wondering what others do for a login query. I think there could be two results: correct e-mail & password; correct e-mail & wrong password.

So far my login query is:

SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE BINARY '$my_password' LIMIT 1

This wouldn't tell me if the user has the wrong password. Is there a better way to do this?

Ron
From: Bastien Koert on 18 Feb 2010 16:49

On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php(a)actsministries.org> wrote:
> I am wondering what others do for a login query. I think there could be
> two results: correct e-mail & password; correct e-mail & wrong password
>
> So far my login query is:
>
> SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
> BINARY '$my_password' LIMIT 1
>
> This wouldn't tell me if the user has the wrong password. Is there a
> better way to do this?
>
> Ron

Bad bad bad! Never do a LIKE on a password. If there are two passwords that are close, the unauthorized user might get in when they shouldn't.

There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row. If no row is returned, then access is not granted. If there is a row, then access is granted.

HTH

--
Bastien

Cat, the other other white meat
From: nagendra prasad on 18 Feb 2010 16:57

Buddy, you are talking about checking whether the password is wrong or not. Usually in the login query you check both the user name (or e-mail, in your case) and the password. If you just check the password it will become very easy to hack any user account.
From: Chris on 18 Feb 2010 16:59

Bastien Koert wrote:
> On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php(a)actsministries.org> wrote:
>> I am wondering what others do for a login query. I think there could be
>> two results: correct e-mail & password; correct e-mail & wrong password
>>
>> So far my login query is:
>>
>> SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
>> BINARY '$my_password' LIMIT 1
>>
>> This wouldn't tell me if the user has the wrong password. Is there a
>> better way to do this?
>>
>> Ron
>
> bad bad bad! never do a like on a password. If there are two passwords
> that are close, the unauthorized user might get in when they
> shouldn't.
>
> There are two usual approaches:
> 1. Select the user (providing that the user is distinct) and compare
> the password in PHP. On a match, allow access.
> 2. Select the user and password and see if the results return a row.
> If no row is returned, then access is not granted. If there is a row,
> then access is granted.

I'd also suggest that you don't distinguish between a correct username but wrong password and a correct username and right password. If you say "You got the right username but wrong password", a bad guy now has a point of attack. If you say "your username or password are incorrect" you don't get that.

Check gmail or yahoo or even sourceforge for how they word such attempts.

--
Postgresql & php tutorials
http://www.designmagick.com/
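Bastien's approach 1 combined with Chris's single failure message, as an added example that is not code from anyone in this thread. It assumes PHP 7.1+, an in-memory SQLite database through PDO (so it runs stand-alone), Ron's `member` table with `email` and `pass` columns, and that `pass` holds a password_hash() result rather than the plaintext the original query compares.

```php
<?php
// Added example, not code from the thread: select the account by e-mail,
// verify the password in PHP, report one generic failure message.
// In-memory SQLite via PDO is an assumption so the script runs stand-alone.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)');
    // Constructed sample account; `pass` stores a hash, never the plaintext.
    $db->prepare('INSERT INTO member (email, pass) VALUES (?, ?)')
       ->execute(['ron@example.invalid', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the member row (without the hash) on success, null on any failure.
// The caller cannot tell an unknown e-mail from a wrong password.
function login(PDO $db, string $email, string $password): ?array {
    // Bound parameter instead of interpolating $my_email into the SQL, and
    // plain equality on the e-mail; the password never goes into the query,
    // so LIKE (whose % and _ are wildcards) is not involved at all.
    $stmt = $db->prepare('SELECT id, email, pass FROM member WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a fixed dummy hash when the e-mail is unknown so both
    // failure paths cost about the same time.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['pass'] : $dummyHash);
    if (!$row || !$ok) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

$db = openDemoDb();
$attempts = [
    ['ron@example.invalid', 'correct horse'],    // right e-mail, right password
    ['ron@example.invalid', 'wrong'],            // right e-mail, wrong password
    ['nobody@example.invalid', 'correct horse'], // unknown e-mail
];
foreach ($attempts as [$email, $pw]) {
    $member = login($db, $email, $pw);
    // Same wording for both failure cases, as Chris suggests.
    echo $member ? "Welcome, {$member['email']}\n" : "Your e-mail or password is incorrect.\n";
}
```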