Re: MySQL Security w/ PHP

Sun, 28 Oct 2001 14:59:08 -0800 

Hi!

On Oct 28, Kevin Maynard wrote:
> I have been building an extensive dB with MySQL for a large Insurance 
> Company and am nearing the completion stage.  I have build several PHP 
> forms to show the preliminary pages to the various groups who will be 
> using this dB.
> 
> I have created the sign-in page where each user has types in their ID 
> and PW.  From then on each query uses those variables for credentials.  
> To avoid duplication, I would like to use the USER form from the MySQL 
> dB.

You shouldn't do it.
These table is used by mysql server internally,
and shouldn't be accessed directly.
To modify this user table one should use GRANT and REVOKE statements.
To read it - SHOW GRANTS.

(actually, it can be accessed directly, but ONLY if you're know
what you're doing. It looks like you aren't)

> Since that uses the Password("PW") function, I can't seem to get my 
> validation query to work properly.  For example:
> 
> SELECT User,Password from user where (User=$ID AND Password=$PW);
> 
> Result: Empty Set.
> 
> SELECT User,Password from user where (User=$ID AND Password($PW));
> 
> Result: Will match User only, will accept ANY PW.

SELECT User,Password from user where (User=$ID AND Password=PASSWORD($PW));

> Does anyone know how to properly check off the PW from the User table in 
> the MySQL db?

The proper way is not to use system tables, and mysql db in general.
Create your own database, and User table in it.
And, the last, you'd better use MD5() instead of PASSWORD().

Regards,
Sergei

-- 
MySQL Development Team
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
       <___/

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

Reply via email to