[thelist] Re: best way to check for valid user/password in PHP

Kelly Hallman khallman at wrack.org
Thu Jan 9 15:04:01 CST 2003


On Thu, 9 Jan 2003, Tom Dell'Aringa wrote:
> --- Jason Handby <jasonh at pavilion.co.uk> wrote:
> > Why not do {...}
> > and then just see if any records are returned?

I'd recommend this method too: the more you can get the database to do for
you, the easier and less problematic your code becomes...

> Oops, forgot to ask - if I do that and use:
> if (!mysql_num_rows(@mysql_query($result))) { /* you screwed up dude */ }

In this case, you probably want to save the result handle to a variable
first, something like this:

$res = @mysql_query($result);   // $result holds the SQL string; $res is the result handle
if ($res === false || !mysql_num_rows($res)) { /* you screwed up dude */ }

Then you can use the result set as you wish later on.

One note about saving passwords into a database.  It's probably an
academic point, but rather than storing the actual password, why not store
a one-way hash of the password using the PHP md5() function?  Take a look:

$hashedpassword = md5($originalpassword);   // 32-char hex string; this is what gets stored
if ($hashedpassword === md5($passwordinput)) { /* password matched */ }   // === : never compare hashes with ==

So, you can save the hashed version of the password into the database.
Then, when you have a password to compare, hash it first and then compare
the hash with the hashed version you've stored in your database.  (This is
functionally the same as the way you're comparing passwords now, just that
you'd be comparing hashes of the passwords, not the passwords themselves.)

md5 is a one-way hash because there is no feasible way to determine the
original input that created the hash, and it would be equally difficult to
find two strings that resulted in the same hash.  This way, if someone got
ahold of your username/password data, the hashed passwords would be
useless.  This is similar to how a Unix system stores passwords.

Note that md5 hashes are always 32 characters long regardless of your
input, so this method makes for predictable database storage.

Reference the PHP md5() manual page for more information.

Kelly

--
Kelly Hallman
http://wrack.org/
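Editor's added example, not code from Kelly's post or from anyone else in the thread. It keeps the two ideas the reply recommends, letting the database find the matching row and storing a one-way hash rather than the password, but makes two substitutions a practitioner would want today: the username is bound as a query parameter instead of being pasted into the SQL string, and PHP's password_hash()/password_verify() (available since PHP 5.5; salted, deliberately slow, constant-time comparison) stand in for md5(), which is fast, unsalted and not suitable for storing passwords. The query in the thread is elided ("{...}"), so the users(username, password_hash) table and the SELECT below are assumptions for illustration; the example also assumes PHP 7.1+ with the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
// Added example, not from the original post. Login check that looks the user up
// by name and verifies a one-way hash, with password_hash()/password_verify()
// in place of md5(). Assumes PHP 7.1+ with pdo_sqlite; the users table and its
// columns are hypothetical, since the thread's query is elided.

function create_user(PDO $db, string $username, string $password): void
{
    // Store the salted, slow hash, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // Let the database find the row ("see if any records are returned"), but
    // bind the username rather than interpolating it into the SQL. The password
    // is not part of the query at all, since only its hash is stored.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: verify against a throwaway hash so a wrong username
        // costs about as much time as a wrong password.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    // Hash the submitted password and compare it with the stored hash, as the
    // post describes; password_verify() handles the per-user salt and does a
    // constant-time comparison (no == on hash strings).
    return password_verify($password, $row['password_hash']);
}

// In-memory SQLite so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL
)');

create_user($db, 'tom', 'correct horse battery staple');

// Constructed login attempts: right password, wrong password, and a username
// that would change the meaning of a hand-built SQL string.
$attempts = [
    ['tom', 'correct horse battery staple'],
    ['tom', 'wrong password'],
    ["tom' OR '1'='1", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    printf("%-20s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

Run it with `php login_check.php` (file name is arbitrary). Only the first attempt is accepted; the third is rejected because the bound parameter is matched as a literal username, not executed as SQL. Stored hashes produced by password_hash() are not fixed-length across algorithms the way md5() hex output is, so size the column generously (the manual recommends 255 characters).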



