Bastien Koert wrote:
On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php@xxxxxxxxxxxxxxxxxx> wrote:
I am wondering what others do for a login query. I think there could be
two results: correct e-mail & password; correct e-mail & wrong password
So far my login query is:
SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE BINARY '$my_password' LIMIT 1
This wouldn't tell me if the user has the wrong password. Is there a
better way to do this?
Ron
Bad, bad, bad! Never do a LIKE on a password. If there are two passwords
that are close, the unauthorized user might get in when they
shouldn't.
There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare
the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row.
If no row is returned, then access is not granted. If there is a row,
then access is granted.
I'd also suggest that you don't distinguish between a correct username
but wrong password and a correct username and right password.
If you say "You got the right username but wrong password", a bad guy
now has a point of attack. If you say "Your username or password is
incorrect", you don't give that away.
Check gmail or yahoo or even sourceforge for how they word such attempts.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
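The following is an added example, not code from either poster. It reproduces the login query from the original post against an in-memory SQLite table to show concretely why LIKE is the wrong operator for a password check (a submitted password of "%" or one ending in "_" matches, because they are LIKE wildcards), and beside it the first approach from the reply: select the member by e-mail with a parameterized query, verify the password in application code against a salted PBKDF2 hash, and return the same generic failure message whether the e-mail is unknown or the password is wrong. The `member` table, the sample account, the hash format and the helper names are all constructed for this demo. It is written in Python because the logic is not PHP-specific; SQLite's `PRAGMA case_sensitive_like` stands in for MySQL's `LIKE BINARY`. Note also that the original query interpolates the submitted e-mail and password directly into SQL, which is an injection hole independent of the LIKE problem; the hardened version uses placeholders.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account used throughout this demo.
SAMPLE_EMAIL = "ron@example.com"
SAMPLE_PASSWORD = "correct horse battery"
GENERIC_FAILURE = "Your email or password is incorrect."
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a throwaway password, verified when the e-mail is unknown so that
# "no such user" and "wrong password" take about the same time to answer.
DUMMY_HASH = hash_password("dummy")


def make_db(hashed):
    """In-memory `member` table (constructed schema) seeded with one sample account."""
    conn = sqlite3.connect(":memory:")
    # MySQL's LIKE BINARY is case-sensitive; make SQLite's LIKE behave the same way.
    conn.execute("PRAGMA case_sensitive_like = ON")
    conn.execute(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)"
    )
    stored = hash_password(SAMPLE_PASSWORD) if hashed else SAMPLE_PASSWORD
    conn.execute("INSERT INTO member (email, pass) VALUES (?, ?)", (SAMPLE_EMAIL, stored))
    conn.commit()
    return conn


def legacy_login(conn, email, password):
    """The pattern from the original post: plaintext password column, LIKE, string interpolation.
    Returns True if a row matched. '%' and '_' in the submitted password act as wildcards."""
    sql = f"SELECT * FROM member WHERE email = '{email}' AND pass LIKE '{password}' LIMIT 1"
    return conn.execute(sql).fetchone() is not None


def login(conn, email, password):
    """Approach 1 from the reply: fetch the member by e-mail, verify the password in code.
    Returns (True, member_id) on success, otherwise (False, GENERIC_FAILURE); the
    failure text is identical for an unknown e-mail and for a wrong password."""
    row = conn.execute("SELECT id, pass FROM member WHERE email = ? LIMIT 1", (email,)).fetchone()
    if row is None:
        verify_password(DUMMY_HASH, password)  # burn the same work as a real check
        return False, GENERIC_FAILURE
    if not verify_password(row[1], password):
        return False, GENERIC_FAILURE
    return True, row[0]


if __name__ == "__main__":
    legacy = make_db(hashed=False)
    print("legacy, real password:   ", legacy_login(legacy, SAMPLE_EMAIL, SAMPLE_PASSWORD))
    print("legacy, password '%':    ", legacy_login(legacy, SAMPLE_EMAIL, "%"))
    hardened = make_db(hashed=True)
    print("hardened, real password: ", login(hardened, SAMPLE_EMAIL, SAMPLE_PASSWORD))
    print("hardened, password '%':  ", login(hardened, SAMPLE_EMAIL, "%"))
    print("hardened, unknown e-mail:", login(hardened, "nobody@example.com", "anything"))
```

With the legacy query, submitting "%" as the password logs in as any known e-mail address; the hardened `login` rejects it and returns the same message it returns for an unknown e-mail, which is the wording the reply recommends. The dummy verification on the unknown-e-mail path is an extra step beyond what the reply discusses: without it, a fast "no such user" response versus a slow "wrong password" response would leak the same information the message is trying to hide.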