[thelist] (no subject)
Rudy_Limeback at maritimelife.ca
Thu Aug 31 13:47:01 CDT 2000
> any suggestions? thanks
>
> #airyk
> I'm a loser baby, so why don't you kill me?
hi erik (or do you prefer #airyk?)
you are not a loser, not if you create the bookmark database that you
described
i have a lot to say about all kinds of stuff you mentioned in your
question (some people might say i've got too much to say about everything
anyway) but i'll try to restrict myself to just the database parts...
> I want to give users the ability to change their password,
> but I really don't know how to go about doing that in a
> safe secure manner.
the textbook answer for safe secure connections is something called the
https protocol, but you don't need to get into that for this application
use an ordinary html form for the login page, but instead of an input text
field, use an input password field which will render the password in
asterisks as it's being typed in
"Application designers should note that this mechanism affords
only light security protection. Although the password is masked by
user agents from casual observers, it is transmitted to the server
in clear text, and may be read by anyone with low-level access to
the network."
http://www.w3.org/TR/html4/interact/forms.html#h-17.4
the way i interpret this, it means there could be a guy up the telephone
pole outside your house with sophisticated equipment to pluck your
particular internet packets out of the millions of similar packets zipping
along there at the moment, and thus find out the password that you typed
in
in other words, i can live with the risk -- what's he gonna do, go in and
change all my bookmarks? duh
> If I did it directly in the access tables, they would have to
> be reloaded every time, so that's no good.
i don't think you are implying microsoft access tables, rather, i think
you mean the "login" mysql tables that are part of your application
that's what happens when a really good word like access (and please don't
let's start another english thread) gets co-opted as a brand name -- i
prefer to use the word msaccess at all times to be sure
anyhow, no, you don't have to reload those tables every time
when somebody logs in, what you do is take the userid and password that
they logged in with, that are on the form that was submitted to the login
page, and do a query against the database with the values that they
submitted
select username, userid, password
from logintable
where userid = '#form.userid#'
and password = '#form.password#'
-- note: the #form.*# values are spliced straight into the sql text; in cf pass
-- them through cfqueryparam (or use a prepared statement in php/mysql) so that
-- a quote character in the input can't alter the where clause
(sorry about the cold fusion syntax, please substitute php/mysql variables
as required)
if the number of records returned from this query is 0, that means that
the particular userid/password combination that your user entered doesn't
exist, so you have to send her an error message of some kind -- one or the
other or both of the fields could be wrong (for instance, the user could
be registered but she could have typed in the wrong password) so you want
to be careful how you word your error message... don't tell her she's not
registered if all she did was use the wrong password...
your next step is maintaining state so that the valid logged in user can
now browse through her bookmarks and update them if desired -- did you say
you have the app built already?
i'm not sure what options you have in php to maintain state... i know you
can use cookies, but that's all i know...
anyhow, to let the user change her password, first she has to log in,
then go to the change password page
maintain state the same way you do in the app, and on the change password
page, just submit the new password field as before, and update it into the
database like this --
update logintable
set password = '#form.newpassword#'
where userid = '#session.userid#'
and password = '#session.password#'
-- note: bind these values with cfqueryparam (or a prepared statement in
-- php/mysql) rather than interpolating them into the sql text
again, sorry for the cf syntax, this is how you would make sure you were
updating the right user record, by selecting only the row corresponding to
the logged in user, in this example using cf session variables
note, most sites require the user to type the password into two fields,
and you would compare them to make sure they're the same before running
the new password update query (eliminates 90% of future errors this way)
please let me know if i've answered your questions...
rudy
r937.com
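Worked version of the login / change-password flow described in the post above. This is an added example, not code from the original message, and it goes beyond the post in two ways a practitioner would want: the submitted values are handed to the database as bound parameters instead of being spliced into the SQL string, and the table keeps a salted PBKDF2 hash of the password rather than the password itself, so a copy of the table does not hand out everyone's password. Python with an in-memory sqlite3 database stands in for the PHP/MySQL stack in the question; the table name logintable and the userid/username columns are taken from the post, while the salt and pwhash columns, the function names and the sample user are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory stand-in for the "logintable" in the post. The salt and
# pwhash columns replace the plain password column; these names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table logintable ("
        " userid text primary key, username text, salt blob, pwhash blob)"
    )
    return db

# Iteration count kept modest so the example runs quickly; raise it in production.
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def register(db, userid, username, password):
    salt = os.urandom(16)
    db.execute(
        "insert into logintable (userid, username, salt, pwhash) values (?, ?, ?, ?)",
        (userid, username, salt, hash_password(password, salt)),
    )
    db.commit()

# One message for both failure cases, as the post advises: the caller cannot
# tell "no such user" from "wrong password".
LOGIN_ERROR = "userid or password incorrect"

def login(db, userid, password):
    """Return the username if userid/password match, else None.

    The submitted values go in as bound parameters (the ? placeholders), so a
    value like  ' or '1'='1  is compared as a literal string and cannot change
    the where clause the way it could if spliced into the SQL text.
    """
    row = db.execute(
        "select username, salt, pwhash from logintable where userid = ?", (userid,)
    ).fetchone()
    if row is None:
        # Hash anyway so a missing userid does not return measurably faster.
        hash_password(password, bytes(16))
        return None
    username, salt, pwhash = row
    if hmac.compare_digest(hash_password(password, salt), pwhash):
        return username
    return None

def change_password(db, session_userid, current, new1, new2):
    """Change the logged-in user's password; return None on success or an
    error message. Mirrors the post's update: the new password is typed twice,
    and the row is only touched if the current password is right."""
    if new1 != new2:
        return "the two copies of the new password do not match"
    if login(db, session_userid, current) is None:
        return LOGIN_ERROR
    salt = os.urandom(16)
    db.execute(
        "update logintable set salt = ?, pwhash = ? where userid = ?",
        (salt, hash_password(new1, salt), session_userid),
    )
    db.commit()
    return None

if __name__ == "__main__":
    db = make_db()
    register(db, "erik", "Erik", "correct horse")
    print(login(db, "erik", "correct horse"))                                  # Erik
    print(login(db, "erik", "' or '1'='1"))                                    # None
    print(change_password(db, "erik", "correct horse", "new pass", "new pass"))  # None
    print(login(db, "erik", "new pass"))                                       # Erik
```

The session should carry only the userid (and, ideally, an opaque session id), never the password: the change-password page re-checks the current password against the stored hash at the moment of the change, which is what the post's `and password = ...` clause was trying to achieve.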