Have you tried something like

SELECT User,Password from user where (User=$ID AND Password($PW)=password);

i.e. equate the result of password("string") to the stored, encrypted
password.

Regards

Quentin

-----Original Message-----
From: Kevin Maynard [mailto:[EMAIL PROTECTED]]
Sent: Monday, 29 October 2001 11:52 a.m.
To: [EMAIL PROTECTED]
Subject: MySQL Security w/ PHP


I have been building an extensive dB with MySQL for a large Insurance
Company and am nearing the completion stage.  I have built several PHP
forms to show the preliminary pages to the various groups who will be
using this dB.

I have created the sign-in page where each user types in their ID
and PW.  From then on each query uses those variables for credentials.
To avoid duplication, I would like to use the USER form from the MySQL
dB.  Since that uses the Password("PW") function, I can't seem to get my
validation query to work properly.  For example:

SELECT User,Password from user where (User=$ID AND Password=$PW);

Result: Empty Set.

SELECT User,Password from user where (User=$ID AND Password($PW));

Result: Will match User only, will accept ANY PW.

Does anyone know how to properly check off the PW from the User table in 
the MySQL db?

Thanks,

Kevin


---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail
<[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
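
The comparison discussed in this thread, as an added example that is not part of the original messages. It runs the plaintext-versus-hash and hash-versus-hash query shapes against an in-memory SQLite table, with a registered PASSWORD() stand-in (an assumption, not MySQL's implementation), a constructed account, and bound parameters in place of interpolating $ID and $PW into the SQL text.

```python
import hashlib
import sqlite3


def toy_password(pw):
    # Stand-in for MySQL's PASSWORD() (assumption): one-way, and the same
    # input always yields the same output, which is all the comparison needs.
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def make_db():
    db = sqlite3.connect(":memory:")
    db.create_function("PASSWORD", 1, toy_password)
    db.execute("CREATE TABLE user (User TEXT PRIMARY KEY, Password TEXT)")
    # Constructed sample account; only the hash is ever stored.
    db.execute("INSERT INTO user VALUES (?, PASSWORD(?))", ("kevin", "s3cret"))
    return db


QUERIES = {
    # Stored value is a hash, the input is plaintext: they can never be equal.
    "plaintext_vs_hash":
        "SELECT User FROM user WHERE User = ? AND Password = ?",
    # Hash the input with the same function, then compare hash to hash.
    "hash_vs_hash":
        "SELECT User FROM user WHERE User = ? AND Password = PASSWORD(?)",
}


def check(db, shape, user_id, pw):
    # Values are bound with ? placeholders, so a quote character in the
    # input is treated as data and never becomes part of the SQL text.
    row = db.execute(QUERIES[shape], (user_id, pw)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    for shape in QUERIES:
        for pw in ("s3cret", "wrong", "it's"):
            print(shape, repr(pw), check(db, shape, "kevin", pw))
```
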
