Re: Is this the best way?


 




On Mar 14, 2008, at 1:44 PM, TG wrote:


What error are you getting?  Maybe there's some way to fix that too.

The error I get without checking the row count is this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order by LName' at line 1


Just remember that errors and notices are like pain.  It usually means
there's something wrong. If you're getting an error, there may be a better
way of doing what you're doing.

Ideally, you should get zero results if there's no match in the user database.

Typically for a user lookup, you might do something like this:

SELECT <whatever> FROM usertable WHERE username = '<username>' AND password =
'<password>'

Which is very similar to what I have:

$loginQuery = "SELECT * FROM current WHERE loginName='".$user."' AND loginPassword='".$password."' LIMIT 0,1;";
$loginResult = mysqli_query($link1, $loginQuery)
    or die("Wrong data supplied or database error" .mysqli_error($link1));



If you get zero results, then they don't exist OR they entered the wrong
password.

If you get more than one result, then you have a duplicate account.

If you have duplicate usernames, then you won't get multiple matches unless
the passwords are also duplicated.

Say, for example, you have a duplicated username but different passwords:

user: me
pass: pass1

user: me
pass: pass2


Then login will succeed if they use me/pass1 OR me/pass2 but each way,
you'll still only get one result from your db query.


btw.. before someone rails me for not mentioning security... typically you'd store the passwords encrypted or hashed (one-way md5 or something) then you
encrypt or hash the password the same when the user is logging in and
compare them to the DB.  That way, you don't store the password in
plaintext and you can still check to see if the right password is entered.

Which I have complete with some $salt added :)



example:

user: me
pass: pass1
md5(pass1): laksro2i3    (fake md5.. lazy :)

user logs in with:

user: me
pass: pass1

system runs md5(pass1) and gets laksro2i3 again. it matches what's in the
DB, so therefore is the correct password.


Anyway.. main point is.. if you're getting errors, try to fix them. If
you're getting multiple results on your user check, you may have bad
input/uniqueness checking or you may be implementing your user system not
as logically as you could.

It was the error, rather than multiple accounts, that I'm checking for. I'm not advanced enough in my programming ability to implement a true multi-user environment where user1/pass1 is different from user1/pass2 :)




-TG


----- Original Message -----
From: Jason Pruim <japruim@xxxxxxxxxx>
To: "TG" <tg-php@xxxxxxxxxxxxxxxxxxxxxx>
Cc: "PHP General List" <php-general@xxxxxxxxxxxxx>
Date: Fri, 14 Mar 2008 13:00:11 -0400

On Mar 14, 2008, at 12:51 PM, TG wrote:

The usernames will be unique... Still need to make that change to the
DB but they will be.

The main reason I'm doing it this way, is if I don't put in some kind
of a check on the authentication then it pops up a mysql error saying
that there is a problem with my syntax... instead of NOT logging them
in... So I thought if I checked to make sure that the query only
returned 1 row, it would match up and I could do some error checking
based on that...


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@xxxxxxxxxx
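
An added example (not code from either poster) of the login lookup discussed in this thread, written so that a database error, an unknown user and a wrong password all end in a plain failed login instead of a MySQL message on the page. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server (mysqli's prepare/bind_param follows the same pattern), and it uses password_hash()/password_verify() in place of md5 with a manual salt; the sample accounts and the checkLogin name are constructed for illustration.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL server so this runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// PRIMARY KEY enforces the unique usernames the thread says are still to be added.
$db->exec('CREATE TABLE "current" (loginName TEXT PRIMARY KEY, loginPassword TEXT NOT NULL)');

// Constructed sample accounts. password_hash() generates a per-user salt and
// stores it inside the hash string, so no separate salt handling is needed.
$add = $db->prepare('INSERT INTO "current" (loginName, loginPassword) VALUES (?, ?)');
$add->execute(['me', password_hash('pass1', PASSWORD_DEFAULT)]);
$add->execute(["o'brien", password_hash('pass2', PASSWORD_DEFAULT)]);

/**
 * Returns true only when exactly one account matches and the password verifies.
 * Database failures are logged server-side and reported as a failed login.
 */
function checkLogin(PDO $db, string $user, string $password): bool
{
    try {
        // The placeholder keeps $user as data: a quote in it cannot change the SQL.
        $stmt = $db->prepare('SELECT loginPassword FROM "current" WHERE loginName = ?');
        $stmt->execute([$user]);
        $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        error_log('login lookup failed: ' . $e->getMessage());
        return false;
    }
    if (count($rows) !== 1) {
        // Zero rows: unknown user. More than one: duplicate account, so refuse.
        return false;
    }
    // Look the row up by name only, then compare against the stored hash in PHP.
    return password_verify($password, $rows[0]);
}

// Constructed login attempts: right password, wrong password, a name containing
// a quote character, and a user that does not exist.
$attempts = [['me', 'pass1'], ['me', 'wrong'], ["o'brien", 'pass2'], ['nobody', 'x']];
foreach ($attempts as [$user, $password]) {
    $result = checkLogin($db, $user, $password) ? 'ok' : 'denied';
    printf("%-8s %-6s => %s\n", $user, $password, $result);
}
```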





