William Stokes wrote:
> What is the best or right way to compare a user's name and password given in
> a web form to data in a MySQL database?

It's kind of a Good Idea to store the password encrypted using MySQL's
md5() function or other similar functions.

In the old days, you'd use their password() function so you still see that
a lot, but it's deprecated, as they want to be able to change the guts
underpinning their password() function that they use internally, since
various encryption algorithms become obsolete.

The point being that if somebody breaks into the database, they don't see
any actual passwords, just a bunch of useless junk -- But *YOU* can call
the md5() function on a password and compare the result to what's there.

md5 and similar functions are what you call a "one-way" encryption --
There's no (easy) way to take the output and go backwards to the input.

> I saw one example where an SQL SELECT query was made with username and
> password as WHERE, and the script tested how many rows were returned from
> the database; if there was 1 row returned, the login was accepted.
>
> Are there other ways to do this? What if the usertable has more than these
> 2 columns?

You don't care about the number of COLUMNS.

If you have two *ROWS* with the same username, then you have the same user
in there twice, which is BAD, or two people using the same username, which
is REAL BAD.  Don't do that. :-)

So what you saw was fine, but it would be better to use an encryption
function on the password as well.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
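
The login check discussed in this thread, as an added example that is not part of the original message: the row is looked up by username only and the stored one-way hash is compared in PHP. It uses PHP's password_hash()/password_verify() (salted) in place of MySQL's md5(), a prepared statement, and an in-memory SQLite database standing in for MySQL so it runs offline; the `users` table, its columns and the sample account are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.
// SQLite in memory stands in for MySQL; the PDO calls are the same with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// UNIQUE on username rules out two rows for one username at the schema level.
// Extra columns (email here) do not affect the login query.
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,
    email VARCHAR(255)
)');

function register(PDO $db, string $username, string $password): void
{
    // Only the one-way hash is stored, never the password itself.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep the form input out of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();      // false when there is no such user
    if ($stored === false) {
        return false;
    }
    // The hash is salted, so it cannot be matched in the WHERE clause;
    // password_verify() re-hashes the input with the stored salt and compares.
    return password_verify($password, $stored);
}

// Constructed sample data.
register($db, 'wstokes', 'correct horse');
var_dump(login($db, 'wstokes', 'correct horse'));
var_dump(login($db, 'wstokes', 'wrong guess'));
var_dump(login($db, 'nobody', 'correct horse'));

try {
    register($db, 'wstokes', 'another');  // duplicate username
} catch (PDOException $e) {
    echo "duplicate username rejected\n";
}
```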
