Bastien Koert wrote:
On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <ron....@actsministries.org> wrote:
I am wondering what others do for a login query. I think there could be
two results: correct e-mail & password; correct e-mail & wrong password
So far my login query is:
SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
BINARY '$my_password' LIMIT 1
This wouldn't tell me if the user has the wrong password. Is there a
better way to do this?
Bad bad bad! Never do a LIKE on a password. If there are two passwords
that are close, the unauthorized user might get in when they
There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare
the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row.
If no row is returned, then access is not granted. If there is a row,
then access is granted.
I'd also suggest that you don't distinguish between a correct username
but wrong password and a correct username and right password.
If you say "You got the right username but wrong password", a bad guy
now has a point of attack. If you say "your username or password are
incorrect" you don't get that.
Check gmail or yahoo or even sourceforge for how they word such attempts.
Postgresql & php tutorials
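The following is an added example (not code from either poster) showing approach 1 from the reply above, written in Python with the standard-library sqlite3 module rather than PHP/MySQL: select the member by e-mail only, using a parameterised query with an exact `=` match instead of LIKE, then compare the password in application code and return one generic message for both an unknown e-mail and a wrong password. The table layout, the e-mail address, the sample password and the PBKDF2 hashing scheme are all constructed for this example; the original thread does not specify how passwords are stored.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for the example; not from the original thread.
SAMPLE_EMAIL = "alice@example.invalid"    # hypothetical address
SAMPLE_PASSWORD = "correct horse"          # constructed sample password
GENERIC_ERROR = "Your username or password is incorrect."


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256 (stdlib only).
    Assumed scheme; the thread never says how passwords are stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Create an in-memory `member` table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,"
        " salt BLOB NOT NULL, pass_hash BLOB NOT NULL)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO member (email, salt, pass_hash) VALUES (?, ?, ?)",
        (SAMPLE_EMAIL, salt, hash_password(SAMPLE_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def find_member(conn: sqlite3.Connection, email: str):
    """Approach 1, first half: select the user by e-mail only.
    The query is parameterised (no string interpolation) and uses '='
    rather than LIKE, so the e-mail is matched exactly, never as a pattern."""
    return conn.execute(
        "SELECT id, salt, pass_hash FROM member WHERE email = ? LIMIT 1",
        (email,),
    ).fetchone()


def login(conn: sqlite3.Connection, email: str, password: str):
    """Approach 1, second half: compare the password in application code.
    Returns (member_id or None, message). The message is identical for an
    unknown e-mail and for a wrong password, so the caller cannot tell
    which one failed; the hash comparison is constant-time."""
    row = find_member(conn, email)
    if row is None:
        # Do a hash computation anyway so the "no such user" path takes
        # roughly as long as the "wrong password" path.
        hash_password(password, b"\x00" * 16)
        return None, GENERIC_ERROR
    member_id, salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return member_id, "ok"
    return None, GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    print(login(db, SAMPLE_EMAIL, SAMPLE_PASSWORD))          # (1, 'ok')
    print(login(db, SAMPLE_EMAIL, "wrong"))                   # generic error
    print(login(db, "nobody@example.invalid", SAMPLE_PASSWORD))  # same generic error
```

Approach 2 from the reply (filtering on the password inside the SQL and checking whether a row comes back) only works when the value to match can be computed before the query, which rules out per-user salts; that is why the example looks the user up first and compares afterwards. Either way, the check must be an exact comparison, never a LIKE.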
PHP Database Mailing List (http://www.php.net/)