RE: [PHP-DB] authenticating users with php&mysql

[Bastien Koert]

That is incrediably risky since you are exposing the entire db for those 
users. What about setting [limited] permissions for those users?

I woul move to a table based authentication, where you have a users table 
and one [or more] mysql accounts with the bare minimum privileges to allow 
the user to run the application. The below table structure could be the bare 
minimum.

CREATE TABLE `users` (
 `user_id` int(10) NOT NULL auto_increment,
 `user_name` varchar(50) NOT NULL default '',
 `user_password` varchar(50) NOT NULL default '',
 PRIMARY KEY  (`user_id`)
) TYPE=MyISAM AUTO_INCREMENT=1 ;
Then your code would besomething like this: (note there should be way more 
validation of the username and password before attempting to execute the 
query)

<html>
   <head><title>MySQL 
Connection</title></head>
      <body>
         <div align="centre">
            <form action="<?php echo $_SERVER[PHP_SELF];?>" 
method="POST">
               Name: <input type="text" name="txt_name"> 
               Password: <input type="password" 
name="txt_password"> 
               <br /><input type="submit" value="Submit">
         </div>
            </form>
       </body>
</html>
<?php

   $user_name = @$_POST['txt_name'];
   $user_pass = @$_POST['txt_password'];
   if ((trim($user_name) = "")&&(trim($user_pass) = ""))
   {
     echo "User not authorized. HIt the back button to login again";
     die();
   }//end if
   $db_host = "localhost";
   $db_user = $account_name;
   $db_password = $account_password;
   $db_name = "data";
   $connection = @mysql_connect ($db_host, $db_user,$db_password) or die 
("error connecting");
   echo "connection successful!";

   $sql = "select * from users where user_name =$user_name and 
user_password = '$user_pass'";
   $result = mysql_query($sql) or die("Can't query because 
".mysql_error());
   if (mysql_num_rows($result)==1)
   {
     echo "User auhorized";
   }else{
     echo "User not authorized. HIt the back button to login again";
   }//end if

?>
hth
Bastien

From: "it clown" <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] authenticating users with php&mysql
Date: Wed, 26 Jan 2005 12:44:38 +0200
Hi All,
I am trying to create a page with 2 text boxes a name and a
password with a submit button.The user must enter his
username and password that is stored in mysql to access the
site.
With the following code i get a successfull connection with
a blank username and password but when i enter a wrong
username and password i get a error that is correct.
<html>
   <head><title>MySQL Connection</title></head>
      <body>
         <div align="centre">
            <form action="<?php echo $_SERVER[PHP_SELF];
?>" method="POST">
               Name: <input type="text"
name="txt_name">&nbsp;
               Password: <input type="text"
name="txt_password">&nbsp;
               <br /><input type="submit" value="Submit">
         </div>
            </form>
       </body>
</html>
<?php
   $db_host = "localhost";
   $db_user = $_POST["txt_name"];
   $db_password = $_POST["txt_password"];
   $db_name = "data";
   $connection = @mysql_connect ($db_host, $db_user,
$db_password) or die ("error connecting");
   echo "connection successful!";
?>
What is the best way to authenticate users against mysql
for login?
Regards
______________________________________________________________
http://www.webmail.co.za the South African FREE email service
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php