Bastien Koert wrote:
On Thu, Feb 18, 2010 at 4:40 PM, Ron Piggott <> wrote:
I am wondering what others do for a login query.  I think there could be
two results: correct e-mail & password; correct e-mail & wrong password

So far my login query is:

SELECT * FROM `member` WHERE `email` = '$my_email' AND `pass` LIKE
BINARY '$my_password' LIMIT 1

This wouldn't tell me if the user has the wrong password.  Is there a
better way to do this?


Bad bad bad! Never do a LIKE on a password. If there are two passwords
that are close, the unauthorized user might get in when they

There are two usual approaches:
1. Select the user (providing that the user is distinct) and compare
the password in PHP. On a match, allow access.
2. Select the user and password and see if the results return a row.
If no row is returned, then access is not granted. If there is a row,
then access is granted.

I'd also suggest that you don't distinguish between a correct username but wrong password and a correct username and right password.

If you say "You got the right username but wrong password", a bad guy now has a point of attack. If you say "your username or password are incorrect" you don't get that.

Check gmail or yahoo or even sourceforge for how they word such attempts.

Postgresql & php tutorials
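As an added example (not code from either poster), here is a login check written the way approach 1 above describes: look the user up by e-mail with a bound parameter and an exact `=` match, compare the password in PHP, and return the same generic message whether the e-mail or the password was wrong. It assumes PHP 5.5 or later (for `password_hash`/`password_verify`) with the PDO SQLite driver; the `member` table layout, the `pass_hash` column and the sample user are constructed for this example.

```php
<?php
// Added example, not from the thread: approach 1 (select the user by e-mail,
// compare the password in PHP) with a single generic failure message.
// Runs stand-alone against an in-memory SQLite database via PDO; the table,
// columns and sample user below are constructed for this example.

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE member (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        pass_hash TEXT NOT NULL
    )');

    // Store only a salted hash of the password, never the plaintext.
    $stmt = $db->prepare('INSERT INTO member (email, pass_hash) VALUES (:email, :hash)');
    $stmt->execute([
        ':email' => 'alice@example.com',   // constructed sample user
        ':hash'  => password_hash('correct horse', PASSWORD_DEFAULT),
    ]);
    return $db;
}

// Returns the member row (without the hash) on success, or null on failure.
// Deliberately does not say whether the e-mail or the password was wrong.
function login(PDO $db, string $email, string $password): ?array
{
    // Bound parameter and an exact '=' match: nothing is interpolated into
    // the SQL, and '%' or '_' in the input are ordinary characters, not
    // LIKE wildcards.
    $stmt = $db->prepare('SELECT id, email, pass_hash FROM member WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the e-mail is unknown, so the
    // response time does not reveal whether the account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $hash = $row !== false ? $row['pass_hash'] : $dummyHash;

    // password_verify compares the hash in constant time.
    $ok = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

// One wording for every failure, as the thread recommends.
function loginMessage(?array $member): string
{
    return $member === null
        ? 'Your e-mail address or password is incorrect.'
        : 'Welcome, ' . $member['email'];
}

$db = setupDatabase();
echo loginMessage(login($db, 'alice@example.com', 'correct horse')), PHP_EOL;  // correct credentials
echo loginMessage(login($db, 'alice@example.com', 'wrong')), PHP_EOL;          // wrong password
echo loginMessage(login($db, 'nobody@example.com', 'correct horse')), PHP_EOL; // unknown e-mail
echo loginMessage(login($db, 'alice@example.com', '%')), PHP_EOL;              // wildcards are plain text here
```

Approach 2 (put both e-mail and password in the WHERE clause and check for a row) only works when the stored value can be compared with `=` inside the database; once passwords are stored as salted hashes the comparison has to happen in PHP, which is why approach 1 is the one shown.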
