Ross wrote:
First, how do I check two tables? Is it:
$sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND
userpass = '$userpass'";
That depends on what you are trying to achieve. Your example makes no
sense at all. What are you trying to get from each table? How are they
linked? etc! However, since this is a PHP list I suggest you try
Googling for an introductory SQL tutorial or a SQL mailing list.
Secondly, my table just sends and returns straight values from the db, but I
expect some kind of encryption is required. What is a simple, secure method?
md5() or another method? Do I store an encrypted file on the server and just
decrypt it at the php page?
My auth script at present:
<?php
session_start();
$auth = false; // Assume user is not authenticated
$username= $_REQUEST['username'];
$userpass= $_REQUEST['userpass'];
if (isset($username) && isset($userpass)) {
$sql = "SELECT * FROM mytable WHERE
username = '$username' AND
userpass = '$userpass'";
// Execute the query and put results in $result
$result = mysql_query( $sql )
or die ( 'Unable to execute query.' );
// Get number of rows in $result.
$num_rows = mysql_num_rows($result);
if($num_rows == 0) {
}
else {
$_SESSION['username']= $username;
$_SESSION['userpass']= $userpass;
header("Location: disclaimer.php");
$auth = true;
}
}
If that's your login script you have bigger problems than securing the
passwords in the database. There is no escaping applied to the username
and password you get from the browser - this is a massive security hole.
See http://php.net/mysql_real_escape_string about that one.
As far as securing the password goes, the most common approach is to
store the MD5 hash in the DB. What you want is something like this...
<?php
session_start();
$auth = false; // Assume user is not authenticated
$username = $_REQUEST['username'];
$userpass = $_REQUEST['userpass'];
if (!empty($username) && !empty($userpass))
{
// Escape both values before they go into the SQL string; the hash is
// computed by MySQL's md5() so the stored userpass column holds the hash.
$sql = "SELECT * FROM mytable WHERE
username = '".mysql_real_escape_string($username)."' AND
userpass = md5('".mysql_real_escape_string($userpass)."')";
// Execute the query and put results in $result
$result = mysql_query( $sql )
or die ( 'Unable to execute query.' );
// Get number of rows in $result.
if (mysql_num_rows($result) == 0)
{
// Login failed, blah blah blah
}
else
{
$_SESSION['username']= $username;
$_SESSION['userpass']= $userpass;
$auth = true;
header("Location: disclaimer.php");
exit; // stop here so nothing after the redirect keeps running
}
}
?>
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
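Editor's note, added to this thread and not part of either poster's code: the two points Stut raises (unescaped input in the query string, and hashing the stored password) are shown below against an in-memory SQLite table so the example runs offline on any PHP with the pdo_sqlite extension. The `mysql_*` functions used in the thread were removed in PHP 7, and a bare md5() is far too fast for password storage today; the hardened variant uses a prepared statement plus password_hash()/password_verify() instead. The table and column names (mytable, username, userpass) follow the thread; the sample user and the injection payload are constructed for the example.

```php
<?php
// Added example, not code from the original thread. Assumes the pdo_sqlite
// extension; table/column names follow the thread, the user row is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (username TEXT PRIMARY KEY, userpass TEXT NOT NULL)");

// Store only a salted, deliberately slow hash of the password, never the
// password itself and not a bare md5(); PASSWORD_DEFAULT is bcrypt today.
$insert = $db->prepare("INSERT INTO mytable (username, userpass) VALUES (?, ?)");
$insert->execute(['ross', password_hash('s3cret', PASSWORD_DEFAULT)]);

// 1. The pattern from the original script: request values interpolated
//    straight into the SQL text. Whatever the browser sends becomes SQL.
function login_interpolated(PDO $db, string $username, string $userpass): bool
{
    $sql = "SELECT * FROM mytable WHERE username = '$username' AND userpass = '$userpass'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// 2. Hardened: a prepared statement looks up the stored hash by username only,
//    so user input is bound as data and is never parsed as SQL; the password
//    is then checked in PHP with password_verify().
function login_prepared(PDO $db, string $username, string $userpass): bool
{
    // Hash of a constructed dummy value, verified when the user does not exist,
    // so a lookup for an unknown name costs about as long as a real check.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-value-for-timing', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare("SELECT userpass FROM mytable WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($userpass, $dummyHash);
        return false;
    }
    return password_verify($userpass, $row['userpass']);
}

// Constructed injection payload for the password field. Interpolated, the
// WHERE clause becomes: username = 'ross' AND userpass = '' OR '1'='1'
// and AND binds tighter than OR, so every row matches.
$payload = "' OR '1'='1";

var_dump(login_interpolated($db, 'ross', $payload));
var_dump(login_prepared($db, 'ross', $payload));
var_dump(login_prepared($db, 'ross', 's3cret'));
```

The interpolated query accepts the injected password without knowing any credential, while the prepared statement treats the same bytes as an ordinary (wrong) password and only the real one verifies. Two further changes to the thread's script follow from this: keep only the username (or a user id) in `$_SESSION`, never the password, and call `session_regenerate_id(true)` before the redirect so a session fixed by an attacker before login is not promoted to an authenticated one.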