Login query


I am wondering what others do for a login query. I think there could be
two results: correct e-mail & password; correct e-mail & wrong password

So far my login query is:

SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
BINARY '$my_password' LIMIT 1

This wouldn't tell me if the user has the wrong password. Is there a
better way to do this?

Ron




Ron Piggott [ Thu, 18 February 2010 22:40 ] [ ID #2032743 ]

Re: Login query

On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php [at] actsministries.org> wrote:
> I am wondering what others do for a login query. I think there could be
> two results: correct e-mail & password; correct e-mail & wrong password
>
> So far my login query is:
>
> SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
> BINARY '$my_password' LIMIT 1
>
> This wouldn't tell me if the user has the wrong password. Is there a
> better way to do this?
>
> Ron
>
>
>
>

Bad bad bad! Never do a LIKE on a password. If there are two passwords
that are close, the unauthorized user might get in when they
shouldn't.

There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare
the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row.
If no row is returned, then access is not granted. If there is a row,
then access is granted.

HTH

--

Bastien

Cat, the other other white meat

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Phpster [ Thu, 18 February 2010 22:49 ] [ ID #2032744 ]

Re: Login query


Buddy, you are talking about checking whether the password is wrong or not.
Usually in the login query you check both the user name (or email, in your
case) and the password. If you just check the password, it will become very
easy to hack any user account.

Nagendra Prasad [ Thu, 18 February 2010 22:57 ] [ ID #2032745 ]

Re: Login query

Bastien Koert wrote:
> On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron.php [at] actsministries.org> wrote:
>> I am wondering what others do for a login query. I think there could be
>> two results: correct e-mail & password; correct e-mail & wrong password
>>
>> So far my login query is:
>>
>> SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
>> BINARY '$my_password' LIMIT 1
>>
>> This wouldn't tell me if the user has the wrong password. Is there a
>> better way to do this?
>>
>> Ron
>>
>>
>>
>>
>
> bad bad bad! never do a like on a password. If there are two passwords
> that are close, the unauthorized user might get in when they
> shouldn't.
>
> There are two usual approaches:
> 1. Select the user (providing that the user is distinct) and compare
> the password in PHP. On a match, allow access.
> 2. Select the user and password and see if the results return a row.
> If no row is returned, then access is not granted. If there is a row,
> then access is granted.

I'd also suggest that you don't distinguish between a correct username
but wrong password and a correct username and right password.

If you say "You got the right username but wrong password", a bad guy
now has a point of attack. If you say "your username or password are
incorrect" you don't get that.

Check gmail or yahoo or even sourceforge for how they word such attempts.

--
Postgresql & php tutorials
http://www.designmagick.com/


dmagick [ Thu, 18 February 2010 22:59 ] [ ID #2032746 ]
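The following is an added example, not code from anyone in this thread, that puts Bastien's first approach (select the member row, compare the password in application code) together with dmagick's advice to return one generic failure message whether the e-mail or the password was wrong. It is written in Python against an in-memory SQLite table rather than PHP/MySQL so it runs stand-alone; the table and column names `member`, `email` and `pass` are taken from Ron's query, while the sample accounts, the PBKDF2 hashing scheme and the message text are constructed for the example. It also goes one step beyond the thread: the stored password is a salted hash rather than plain text, which is why the comparison has to happen in application code (approach 1) instead of in the WHERE clause (approach 2), and the comparison is exact, so two "close" passwords never match each other.

```python
"""Login check: parameterised lookup by e-mail, hash comparison in code,
and a single failure message for both the unknown-e-mail and the
wrong-password cases. Constructed example for the mailing-list thread."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: a fixed work factor for the example

# One message for every failed login, as dmagick suggests: the caller learns
# nothing about whether the e-mail exists.
LOGIN_FAILED = "Your e-mail or password is incorrect."


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$digest_hex' for storing in the `pass` column.

    A fresh random salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Exact, constant-time comparison of the candidate against the stored hash.

    Unlike Ron's LIKE, there is no wildcard or prefix matching: a password
    that merely resembles the real one does not verify."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed stored value never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Hash verified when the e-mail is unknown, so a failed lookup costs about the
# same time as a wrong password and timing does not reveal which case it was.
DUMMY_HASH = hash_password("not-a-real-password")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a `member` table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO member (email, pass) VALUES (?, ?)",
        [
            ("ron@example.invalid", hash_password("Secret123")),
            ("alice@example.invalid", hash_password("hunter2")),
        ],
    )
    conn.commit()
    return conn


def login(conn: sqlite3.Connection, email: str, password: str):
    """Return (ok, message).

    Approach 1 from the thread: fetch the single row for the e-mail with a
    parameterised query (no string interpolation, so the input cannot alter
    the SQL), then compare the password in application code."""
    row = conn.execute(
        "SELECT id, pass FROM member WHERE email = ? LIMIT 1", (email,)
    ).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)  # equalise timing, result ignored
        return False, LOGIN_FAILED
    if not verify_password(password, row[1]):
        return False, LOGIN_FAILED
    return True, "Welcome"


if __name__ == "__main__":
    db = make_db()
    for attempt in [("ron@example.invalid", "Secret123"),
                    ("ron@example.invalid", "secret123"),
                    ("nobody@example.invalid", "Secret123")]:
        print(attempt[0], "->", login(db, *attempt))
```

Run as a script it prints one success and two failures that carry the identical message; only the application log, never the HTTP response, should record which of the two failure cases occurred.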