On Tue, August 15, 2006 5:37 am, Ross wrote:
> I have a couple of questions
>
> first how do I check two tables is it?
You probably should not have 2 tables at all.
Both username and password would normally be stored in a single record
in the same table:
CREATE TABLE user (
user_id int(11) auto_increment unique not null primary key,
username text,
password text
);
/* You'd probably have other fields like name, address, email, etc */
> $sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username'
> AND userpass = '$userpass'";
So it would just be:
FROM user WHERE username = '$username' AND password = '$userpass'
Second, SELECT * is Evil, for various reasons. You can Google and
find the debates about it.
> Secondly my table just sends and returns straight values from the db but I
> expect some kind of encryption is required. What is a simple, secure method.
> md5() or another method. Do I store an encrypted file on the server and just
> decrypt it at the php page.
You never ever ever actually decrypt it.
"But wait", you say, "how can that work?!"
It's quite simple, really.
The whole purpose of a one-way encryption is that you only store the
ENCRYPTED result.
Later, the user then has to put in the correct password, and you
one-way encrypt that, and you compare the ENCRYPTED values.
Either the encrypted values match, or the password is wrong.
You can almost think of the ENCRYPTED value as being like a "lock" to
which there is only one "key" that fits -- the password.
To test if the key fits the lock, you don't make another copy of the
key -- You just encrypt it, and see if it matches the shape of the
lock.
MD5 would be a perfectly reasonable one-way encryption scheme.
So if the password was 'foo', then your MD5-encrypted value would be:
acbd18db4cc2f85cedef654fccc4a4d8
Your database would have 'acbd18db4cc2f85cedef654fccc4a4d8' stored in it.
When they login, you do:
SELECT user_id, username
FROM user
WHERE username = '$username'
AND password = md5('$userpass')
Either the MD5 of their input ('foo') is the correct value you have
stored: acbd18db4cc2f85cedef654fccc4a4d8 or they have the wrong
password/key, and you should not let them in.
> <?php
> session_start();
> $auth = false; // Assume user is not authenticated
> $username= $_REQUEST['username'];
> $userpass= $_REQUEST['userpass'];
> if (isset($username) && isset($userpass)) {
> $sql = "SELECT * FROM mytable WHERE
> username = '$username' AND
> userpass = '$userpass'";
Yikes!
You REALLY need to read about SQL-injection here:
http://phpsec.org/
and start using this function:
http://php.net/mysql_real_escape_string
Also, your $username and $userpass should be constrained at all times
to very specific validation rules.
Can't be blank.
Must be at least X characters. (you pick a nice X)
Passwords should probably contain at least one non-alpha character.
> // Execute the query and put results in $result
> $result = mysql_query( $sql )
> or die ( 'Unable to execute query.' );
or die() is a great simple way to demonstrate the basics of code.
It's not something you would really really want to use on a production
server, unless you are 100% sure that you've turned off display-errors
and are logging your errors and you have a process in place to examine
the logs...
Something like http://php.net/set_error_handler and
http://php.net/trigger_error would be more appropriate for "real"
code.
> // Get number of rows in $result.
> $num_rows = mysql_num_rows($result);
> if($num_rows == 0) {
>
> }
> else {
> $_SESSION['username']= $username;
> $_SESSION['userpass']= $userpass;
> header("Location: disclaimer.php");
Instead of a header("Location:") which has some issues involved, you
could just do:
require 'disclaimer.php';
exit;
>
> $auth = true;
This doesn't do anything, at least not with your current code, nor
with anything I've suggested here...
> }
> }
--
Like Music?
http://l-i-e.com/artists.htm
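
The login flow described in the reply above (store only the one-way value, compare on login, keep user input out of the SQL text), as an added example that is not part of the original message. It uses PDO bound parameters and password_hash()/password_verify() rather than the mysql_real_escape_string() and md5() calls named in the message. The in-memory SQLite database, the minimum length of 8 and the sample credentials are assumptions.

```php
<?php
// Added example (not from the original message). Assumes PHP 7.1+ with the
// pdo_sqlite extension; table and column names follow the reply's schema.

// Validation rules from the reply: username not blank, password at least
// X characters (X = 8 is an assumption) with one non-alpha character.
function valid_credentials(string $username, string $password): bool
{
    return $username !== ''
        && strlen($password) >= 8
        && preg_match('/[^A-Za-z]/', $password) === 1;
}

function register(PDO $db, string $username, string $password): bool
{
    if (!valid_credentials($username, $password)) {
        return false;
    }
    // Only the one-way value is stored, never the password itself.
    $stmt = $db->prepare('INSERT INTO user (username, password) VALUES (?, ?)');
    return $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user_id on success, or null for unknown user / wrong password.
function login(PDO $db, string $username, string $password): ?int
{
    // Bound parameter: the input is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (
    user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL)');
register($db, "o'brien", 'correct-horse-1');   // quote in the name is plain data

var_dump(login($db, "o'brien", 'correct-horse-1'));  // correct password
var_dump(login($db, "o'brien", 'wrong-password'));   // wrong password
var_dump(login($db, 'nobody', 'correct-horse-1'));   // unknown user
```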