I'm not sure I understand your needs thoroughly, but.... Why not simply do a query something like select username from mytable where username ='xxx' AND password='xxx' AND access_flag = "Yes" -- guessing on your values here
If you get a row back, then the username/password is valid. If no rows are returned, then the username/password is invalid. But more importantly, you have NEVER retrieved the password from the database, which improves security by some degrees. As an added security bonus, encrypt the password before sending it to the server, and store encrypted passwords in the database. Again for security, I would never indicate WHY the login attempt failed. If you indicate only the password failed, then an attacker would know when they had a correct username. Of course, there's LOTs of different ways of doing this, and a bunch of it depends on the needs/requirements of your application. But anytime I've worked with Login routines, the rule of thumb is to not give away any more information than needed. Some thoughts.. hope they help a little :) Shawn On Monday 24 October 2005 09:45, Cirez Communications, inc. wrote: > Hi Gang, > I am trying to write a series of functions in PL/PGSQL to handle among > other things user login. The way the application is written right now, > when the user provides a username/password pair, the program retrieves > the user_name, password, access_flag, etc... If the user/pass combo > supplied matches the one on the table, then the login process goes > through. If on the other hand only the user name is valid, a message > is displayed to let the user know the login failed as well as > initializing a login attempt counter (invisible to the user). If booth > user/pass are invalid, then a simple error messahe is displayed. I was > thinking it would make more sense to write a function to return only > the columns that would be used in any instance, rather than returning > everything and having the program do the checking--to be honest, I am > not sure which way is more cost effective. Anyways, here is the > pseudo-code for one of these functions... > > CREATE OR REPLACE FUNCTION userlogin(username varchar, password > varchar) RETURNS TYPE_TYPE AS $RETURN_TYPE$ > DECLARE > name TYPE_TYPE; > BEGIN > SELECT INTO name (tusername, tpassword, taccessflag) FROM table_name > WHERE (tusername=username); > IF ((name.tusername == username) && (name.tpassword == password)) THEN > RETURN name; > ELSE IF ((name.tusername == username) && (name.tpassword != password)) > THEN RETURN (name.tusername, name.taccessflag); > ELSE > RETURN NULL; > END IF; > END; > $RETURN_TYPE$ language plpgsql; > > -- > =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= > -------------------Cirez Communications, inc.---------------- > ----------------------Juan Alberto Cirez--------------------- > -----------------------Senior Consultant--------------------- > [EMAIL PROTECTED] > =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= > Sunny and Beautiful Vancouver, Canada. > =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= > > _______________________________________________ > clug-talk mailing list > [email protected] > http://clug.ca/mailman/listinfo/clug-talk_clug.ca > Mailing List Guidelines (http://clug.ca/ml_guidelines.php) > **Please remove these lines when replying
pgpfnmPKwfbwr.pgp
Description: PGP signature
_______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying
