Re: [PHP] login script

Tue, 15 Aug 2006 03:51:11 -0700 

Ross wrote:

first how do I check two tables is it?
$sql = "SELECT * FROM mytable, mytable2 WHERE username = '$username' AND userpass = '$userpass'";
That depends on what you are trying to achieve. Your example makes no sense at all. What are you trying to get from each table? How are they linked? etc! However, since this is a PHP list I suggest you try Googling for an introductory SQL tutorial or a SQL mailing list.
Secondly my table just sends and returns straight values from the db but I expect some kind of encription is required. What is a simple, secure method. md5() or another method. Do I store an encypted file on the server and just decrypt it at the php page. 

my auth script at present

<?php
session_start();
$auth = false; // Assume user is not authenticated
$username= $_REQUEST['username'];
$userpass= $_REQUEST['userpass'];
if (isset($username) && isset($userpass)) {
 $sql = "SELECT * FROM mytable WHERE
            username = '$username' AND
            userpass = '$userpass'";
// Execute the query and put results in $result
$result = mysql_query( $sql )
        or die ( 'Unable to execute query.' );
// Get number of rows in $result.
 $num_rows = mysql_num_rows($result);
 if($num_rows == 0) {

 }
else {
  $_SESSION['username']= $username;
  $_SESSION['userpass']= $userpass;
   header("Location: disclaimer.php");

        $auth = true;
}
    }
If that's your login script you have bigger problems than securing the passwords in the database. There is no escaping applied to the username and password you get from the browser - this is a massive security hole. See http://php.net/mysql_real_escape_string about that one.
As far as securing the password goes, the most common approach is to store the MD5 hash in the DB. What you want is something like this... 

<?php
        session_start();
        $auth = false; // Assume user is not authenticated
        $username = $_REQUEST['username'];
        $userpass = $_REQUEST['userpass'];
        if (!empty($username) && !empty($userpass))
        {
                $sql = "SELECT * FROM mytable WHERE
                                username = 
'".mysql_real_escape_string($username)."' AND
                                userpass = 
md5('".mysql_real_escape_string($userpass)."')";
                // Execute the query and put results in $result
                $result = mysql_query( $sql )
                                or die ( 'Unable to execute query.' );
                // Get number of rows in $result.
                if (mysql_num_rows($result) == 0)
                {
                        // Login failed, blah blah blah
                }
                else
                {
                        $_SESSION['username']= $username;
                        $_SESSION['userpass']= $userpass;
                        header("Location: disclaimer.php");

                        $auth = true;
                }
        }
?>

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to