[thelist] best way to check for valid user/password in PHP

Pete Prodoehl pete.prodoehl at cygnusinteractive.com
Thu Jan 9 15:18:01 CST 2003


Jason Handby wrote:
> Why not do
>
>   SELECT password, username FROM reguser WHERE username = '$username' AND
> password = '$password'
>
> and then just see if any records are returned? Then you can have one message
> for failed logins that just says "either the username or password you
> entered was incorrect".
>
> I'd say it was good security practice not to distinguish between bad
> username and bad password as far as user feedback is concerned. The less
> information you give them about why they can't log in the better!

Sure, that makes it easier on the developer, but harder on the user.

If someone thinks they know their username, types it in (with the
correct password) and tries to log in, it might be helpful to tell them
the password was incorrect instead of saying 'one or the other was
wrong, but I won't tell you which one.'

I can't tell you how many sites I've gone to where I don't remember the
exact variation of my name that I used. Was it pete, petep, pete1,
pete2, etc...

Pete
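Editor's note on the thread: the query Jason quoted interpolates `$username` and `$password` straight into SQL text and compares the submitted password against a stored `password` column, which means both SQL injection and plaintext password storage. Below is an added example, not code from either poster, of the single-result login check Jason describes, written against PHP 7+ with PDO and SQLite, parameterized queries, and `password_hash`/`password_verify`. It assumes a `reguser` table whose column is `password_hash` rather than `password` (a change from the quoted schema), a hypothetical `checkLogin` function name, and constructed sample data. It also does the extra thing a practitioner wants: a bcrypt verify is run even when the username does not exist, so an unknown user and a wrong password take the same time and produce the same "username or password incorrect" result.

```php
<?php
// Added example for the thread; not the original poster's code.
// Assumes PHP >= 7 with the pdo_sqlite extension; the table uses a
// password_hash column instead of the plaintext `password` column in
// the quoted query. Sample user and test inputs are constructed.
declare(strict_types=1);

// The quoted approach, kept only as a comment to show what not to do:
//   SELECT password, username FROM reguser
//   WHERE username = '$username' AND password = '$password'
// A submitted password of   ' OR '1'='1   turns the WHERE clause into
//   password = '' OR '1'='1'   which is true for every row.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reguser (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    // Constructed sample account; only the bcrypt hash is stored.
    $ins = $db->prepare('INSERT INTO reguser (username, password_hash) VALUES (?, ?)');
    $ins->execute(['pete', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns true only for a known username with its matching password.
// Both failure cases collapse into `false`, so the caller can only ever
// report "either the username or password you entered was incorrect".
function checkLogin(PDO $db, string $username, string $password): bool
{
    // Dummy hash verified when the username is unknown, so a missing
    // account costs the same bcrypt work as a wrong password and the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    // Parameterized: the username is bound as data, never spliced into SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM reguser WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, even when no row came back.
    $hash = ($row !== false) ? $row['password_hash'] : $dummyHash;
    $passwordOk = password_verify($password, $hash);

    return $row !== false && $passwordOk;
}

$db = setupDb();
$cases = [
    // username,        password,         expected result
    ['pete',            'correct horse',  true],
    ['pete',            'wrong',          false],
    ['nobody',          'correct horse',  false],
    ['pete',            "' OR '1'='1",    false],  // injection payload from the comment above
    ["' OR '1'='1' -- ", 'anything',      false],
];
foreach ($cases as [$user, $pass, $expected]) {
    $got = checkLogin($db, $user, $pass);
    printf("%-20s %-16s -> %s\n", $user, $pass,
        $got ? 'login ok' : 'username or password incorrect');
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for user '$user'");
    }
}
```

Run with `php login_check.php`. Only the first case logs in; the two injection payloads are handled as ordinary (wrong) strings because the prepared statement never interprets them as SQL, and the unknown-user case returns the same message as the wrong-password case after doing the same amount of hashing work.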
