Re: Simple login form with cookies

Carl Furst wrote:
The basic model for password authentication is to use one-way crypt
routines. MySQL has several, PHP also has them. The basic algorithm
would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or
session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted
password from the form.

Read the password on the form.
Encrypt the password on the form using the same salt and algorithm you use to generate the hash.

Then -

$sql = "SELECT id FROM userdb WHERE user='$user' AND pass='$pass'";

If your query returns a result, you now have a user id to store in the session. Otherwise, the login fails.

No need to read from the database and do a string compare.
Of course you need to watch out for injection when doing it that way, but that's what prepared statements are for.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
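
The query from the message above run as a PDO prepared statement, as an added example that is not part of the original message. The `userdb` table and its columns come from the message; the in-memory SQLite database, the site-wide bcrypt salt, the sample account and the helper names `hashPassword()` and `login()` are assumptions made for illustration.

```php
<?php
// Assumption: one site-wide bcrypt salt, so the form password can be hashed
// before the query runs, as the message describes. With per-user salts
// (password_hash()), fetch the stored hash by user name and check it with
// password_verify() instead.
const SITE_SALT = '$2y$10$abcdefghijklmnopqrstuv'; // constructed sample salt

// Hypothetical helper: same salt and algorithm for storing and for checking.
function hashPassword(string $password): string
{
    return crypt($password, SITE_SALT);
}

// Hypothetical helper: returns the user id on success, null on failure.
function login(PDO $db, string $user, string $password): ?int
{
    // Placeholders keep the user name and the hash out of the SQL text,
    // so quote characters in the form input cannot change the statement.
    $stmt = $db->prepare(
        'SELECT id FROM userdb WHERE user = :user AND pass = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => hashPassword($password)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdb (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
$db->prepare('INSERT INTO userdb (user, pass) VALUES (?, ?)')
   ->execute(['alice', hashPassword('correct horse')]);

// Constructed form inputs: valid credentials, a wrong password, and a user
// name containing a quote and a comment marker, which is bound as plain data.
$attempts = [
    ['alice', 'correct horse'],
    ['alice', 'wrong password'],
    ["alice' --", 'anything'],
];
foreach ($attempts as [$user, $password]) {
    $id = login($db, $user, $password);
    // On success the id is what would be stored in the session.
    echo json_encode($user), ' => ',
        $id === null ? 'login failed' : "user id $id", PHP_EOL;
}
```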

