[thelist] (no subject)

Rudy_Limeback at maritimelife.ca Rudy_Limeback at maritimelife.ca
Thu Aug 31 13:47:01 CDT 2000


> any suggestions? thanks
> 
> #airyk
> I'm a loser baby, so why don't you kill me?

hi erik (or do you prefer #airyk?)

you are not a loser, not if you create the bookmark database that you 
described

i have a lot to say about all kinds of stuff you mentioned in your 
question (some people might say i've got too much to say about everything 
anyway) but i'll try to restrict myself to just the database parts...

> I want to give users the ability to change their password, 
> but I really don't know how to go about doing that in a 
> safe secure manner.

the textbook answer for safe secure connections is something called the 
https protocol, but you don't need to get into that for this application

use an ordinary html form for the login page, but instead of an input text 
field, use an input password field which will render the password in 
asterisks as it's being typed in 

   "Application designers should note that this mechanism affords 
    only light security protection. Although the password is masked by 
    user agents from casual observers, it is transmitted to the server 
    in clear text, and may be read by anyone with low-level access to 
    the network."
 
        http://www.w3.org/TR/html4/interact/forms.html#h-17.4

the way i interpret this, it means there could be a guy up the telephone 
pole outside your house with sophisticated equipment to pluck your 
particular internet packets out of the millions of similar packets zipping 
along there at the moment, and thus find out the password that you typed 
in

in other words, i can live with the risk -- what's he gonna do, go in and 
change all my bookmarks?  duh


> If I did it directly in the access tables, they would have to 
> be reloaded every time, so that's no good.

i don't think you are implying microsoft access tables, rather, i think 
you mean the "login" mysql tables that are part of your application 

that's what happens when a really good word like access (and please don't 
let's start another english thread) gets co-opted as a brand name -- i 
prefer to use the word msaccess at all times to be sure

anyhow, no, you don't have to reload those tables every time

when somebody logs in, what you do is take the userid and password that 
they logged in with, that are on the form that was submitted to the login 
page, and do a query against the database with the values that they 
submitted

    select username, userid, password
      from logintable
     where userid = '#form.userid#'
       and password = '#form.password#'

(sorry about the cold fusion syntax, please substitute php/mysql variables 
as required)

if the number of records returned from this query is 0, that means that 
the particular userid/password combination that your user entered doesn't 
exist, so you have to send her an error message of some kind -- one or the 
other or both of the fields could be wrong (for instance, the user could 
be registered but she could have typed in the wrong password) so you want 
to be careful how you word your error message... don't tell her she's not 
registered if all she did was use the wrong password...

your next step is maintaining state so that the valid logged in user can 
now browse through her bookmarks and update them if desired -- did you say 
you have the app built already? 

i'm not sure what options you have in php to maintain state... i know you 
can use cookies, but that's all i know...

anyhow, to let the user change her password, first she has to log in, 
then go to the change password page

maintain state the same way you do in the app, and on the change password 
page, just submit the new password field as before, and update it into the 
database like this -- 

  update logintable
     set password = '#form.newpassword#'
   where userid = '#session.userid#'
     and password = '#session.password#'

again, sorry for the cf syntax, this is how you would make sure you were 
updating the right user record, by selecting only the row corresponding to 
the logged in user, in this example using cf session variables 

note, most sites require the user to type the password into two fields, 
and you would compare them to make sure they're the same before running 
the new password update query (eliminates 90% of future errors this way)


please let me know if i've answered your questions...


rudy
r937.com
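The login check and change-password update described in the message above, as an added worked example that is not part of the original post: it uses Python with an in-memory sqlite3 table standing in for the PHP/MySQL "logintable", and binds the submitted values as query parameters (my substitution for the '#form.userid#' style interpolation in the post, so the submitted text is never read as part of the SQL). The session dict, sample rows and the generic error text are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the post's "logintable" (in-memory, sample rows).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table logintable (username text, userid text, password text)")
    db.executemany("insert into logintable values (?, ?, ?)",
                   [("Erik", "airyk", "loser-baby"), ("Rudy", "r937", "hunter2")])
    return db

# One message for both failure cases, as the post advises: it does not
# reveal whether the userid exists or only the password was wrong.
GENERIC_ERROR = "userid or password incorrect"

def login(db, userid, password):
    """The post's login query. Returns the matching (username, userid, password)
    row, or None when 0 rows match (caller then shows GENERIC_ERROR).
    The ? placeholders are bound by sqlite3, so the form values are data only."""
    return db.execute(
        "select username, userid, password from logintable"
        " where userid = ? and password = ?",
        (userid, password)).fetchone()

def change_password(db, session, new1, new2):
    """The post's change-password step: first compare the two typed fields,
    then update only the row of the logged-in user, selected by the userid
    and password held in the session (as the cf session variables do)."""
    if new1 != new2:
        return "passwords don't match"
    cur = db.execute(
        "update logintable set password = ?"
        " where userid = ? and password = ?",
        (new1, session["userid"], session["password"]))
    if cur.rowcount != 1:          # session no longer matches a row
        return GENERIC_ERROR
    db.commit()
    session["password"] = new1     # keep the session in step with the table
    return "ok"
```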



