Re: Login query


Bastien Koert wrote:
On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php@xxxxxxxxxxxxxxxxxx> wrote:
I am wondering what others do for a login query.  I think there could be
two results: correct e-mail & password; correct e-mail & wrong password

So far my login query is:

SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
BINARY '$my_password' LIMIT 1

This wouldn't tell me if the user has the wrong password.  Is there a
better way to do this?

Ron

Bad bad bad! Never do a LIKE on a password. If there are two passwords
that are close, the unauthorized user might get in when they
shouldn't.

There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare
the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row.
If no row is returned, then access is not granted. If there is a row,
then access is granted.

I'd also suggest that you don't distinguish between a correct username but wrong password and a correct username and right password.

If you say "You got the right username but wrong password", a bad guy now has a point of attack. If you say "your username or password are incorrect" you don't get that.

Check gmail or yahoo or even sourceforge for how they word such attempts.

--
Postgresql & php tutorials
http://www.designmagick.com/
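The following is an added example, not code from anyone in this thread, showing Bastien's first approach (select the user by e-mail, compare the password in PHP) together with the generic failure wording recommended above. It also avoids the LIKE problem outright: LIKE treats `%` and `_` as wildcards, so a submitted password of `%` would match any stored value, and comparing plaintext in SQL means the password is stored in the clear. The example assumes the thread's `member` table with `email` and `pass` columns, stores a `password_hash()` result in `pass`, and uses an in-memory SQLite database through PDO (assumes the `pdo_sqlite` extension is enabled) with constructed sample data so it runs stand-alone.

```php
<?php
// Added example (not from the thread). Approach 1 from the reply above:
// fetch the row by e-mail with a prepared statement, verify the password
// hash in PHP, and report every failure with the same message.
declare(strict_types=1);

function setupDemoDb(): PDO {
    // Assumption: pdo_sqlite is available. Table/column names follow the thread.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, pass TEXT NOT NULL)');
    // Constructed sample account: store a hash, never the plaintext password.
    $stmt = $db->prepare('INSERT INTO member (email, pass) VALUES (:email, :pass)');
    $stmt->execute([
        ':email' => 'ron@example.com',
        ':pass'  => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ]);
    return $db;
}

/**
 * Returns the member row (without the hash) on success, or null on failure.
 * The caller cannot tell an unknown e-mail from a wrong password.
 */
function login(PDO $db, string $email, string $password): ?array {
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, email, pass FROM member WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the e-mail is unknown so both failure
    // paths cost about the same time; otherwise response time reveals which
    // e-mails exist even when the message does not.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
    }
    $storedHash = is_array($row) ? $row['pass'] : $dummyHash;

    $ok = password_verify($password, $storedHash);
    if (!$ok || !is_array($row)) {
        return null;
    }
    unset($row['pass']); // do not hand the hash to the rest of the application
    return $row;
}

$db = setupDemoDb();

// Constructed login attempts covering the three cases discussed in the thread.
$attempts = [
    ['ron@example.com',    'correct horse battery staple'], // right e-mail, right password
    ['ron@example.com',    'correct horse battery stapl'],  // right e-mail, wrong password
    ['nobody@example.com', 'whatever'],                     // unknown e-mail
    ['ron@example.com',    '%'],                            // would match under LIKE; fails here
];

foreach ($attempts as [$email, $password]) {
    $member = login($db, $email, $password);
    // One wording for every failure, as the reply above recommends.
    echo $email, ': ',
        $member ? 'logged in as member #' . $member['id'] : 'Your e-mail or password is incorrect',
        PHP_EOL;
}
```

Only the first attempt logs in; the other three produce the identical "Your e-mail or password is incorrect" line, so neither the message nor (approximately) the response time tells a caller whether the e-mail exists. If you prefer Bastien's second approach, the same prepared-statement and hashing rules apply; the row-count check just moves from `password_verify()` to `fetch()`.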


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php