Password look up
Need a bit of help with a form. I have created a form which requires a log-in. Once a person has logged in they complete the form, and then someone else checks the form and enters their password before the form is submitted.
I have set up some rules which check that the fields are completed correctly, and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.
So far I have got this.
```php
if (!empty($_POST['password']))
{
    /* connect to database to check password is valid */
    $user_name = "contains username for database";
    $pass_word = "contains password";
    $database  = "name of database";
    $server    = "localhost";
    $db_handle = mysql_connect($server, $user_name, $pass_word);
    $db_found  = mysql_select_db($database, $db_handle);
    if ($db_found) {
        $uname = quote_smart($uname, $db_handle);
        $pword = quote_smart($pword, $db_handle);
        $SQL = "SELECT * FROM masterpass WHERE password = $password";
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);
        if ($result) {
            if ($num_rows > 0) {
                continue;
            }
            else {
                $error = true;
            }
        }
    }
}
```
Not sure if I am going about this the right way so any help would be great.
Thanks in advance Matt
For starters, first you create $pword:
$pword = quote_smart($pword, $db_handle);
and in your query you use $password:
$SQL = "SELECT * FROM masterpass WHERE password = $password";
This can't work.
Secondly, you should ask for username AND password in your query.
Last but not least: never save a password in clear text in your database. Generate an MD5 hash!
I have set up some rules which check that the fields are completed correctly, and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.
No, you don't. Checking to see if the password is already in the database is not a very smart thing to do, as that opens your application to brute-forcing attacks. I could use your form to determine which passwords are used, and if I can get a list of your users, I can try each of those passwords to each of those users and get access.
Secondly, quote_smart is probably not smarter than mysql_real_escape_string. Use that instead.
Thirdly, as Sascha already mentions, please generate a hash. I wouldn't use MD5, but sha1 instead, but even using MD5 without salt already increases the security in your form dramatically.
My mantra on validating passwords is: make sure it's longer than 7 characters, that's it. Don't make assumptions on what password people should use. I hate it if I type in a password and some validation routine tells me I can't use {^ in my password.
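One way to put the points from both answers together (username and password in the query, a bound parameter in place of quote_smart or mysql_real_escape_string, and a salted hash instead of a clear-text password column), as an added example that is not the asker's code and not from any answer here. It assumes PDO with an in-memory SQLite database so it runs stand-alone (swap the DSN for your MySQL connection in the real form), the table name masterpass from the question with column names username and password_hash of my own choosing, and password_hash()/password_verify() (PHP 5.5 and later) in place of the MD5/sha1 the answers mention, since those two functions salt and stretch the password automatically.

```php
<?php
// Added example, not the asker's code and not from any answer on this page.
// Assumptions: PDO + in-memory SQLite (swap the DSN for MySQL), a masterpass
// table with columns username and password_hash (column names are mine), and
// password_hash()/password_verify() instead of MD5/sha1.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the hash is stored, never the password itself.
    $db->exec('CREATE TABLE masterpass (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $db;
}

// Enrol a checker: hash once (salted, stretched), keep only the hash.
function add_checker(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO masterpass (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Verify: fetch the hash for this username only, then compare in PHP.
// The database is never asked "does this password exist?", so the form cannot
// be used to enumerate passwords, and the bound :u parameter means user input
// never becomes part of the SQL text.
function check_credentials(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM masterpass WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown checker
    }
    return password_verify($password, $row['password_hash']); // constant-time compare
}

// The checker step from the question, reading from a $post array passed in
// (a constructed stand-in for $_POST) so the script runs offline.
function checker_step_ok(PDO $db, array $post): bool
{
    // Compare against '' rather than using empty(): empty('0') is true in PHP,
    // which would reject a legitimate password of "0".
    $username = isset($post['checker']) ? (string) $post['checker'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if ($username === '' || $password === '') {
        return false; // required field missing, the $error = true case in the question
    }
    return check_credentials($db, $username, $password);
}

$db = open_db();
add_checker($db, 'checker1', 'correct horse battery staple'); // constructed sample account

$good = ['checker' => 'checker1', 'password' => 'correct horse battery staple'];
$bad  = ['checker' => 'checker1', 'password' => 'wrong'];
$none = ['checker' => 'checker1'];

printf("correct password: %s\n", checker_step_ok($db, $good) ? 'accepted' : 'rejected');
printf("wrong password:   %s\n", checker_step_ok($db, $bad)  ? 'accepted' : 'rejected');
printf("missing password: %s\n", checker_step_ok($db, $none) ? 'accepted' : 'rejected');
```

Because the lookup is by username and the comparison happens in PHP, a wrong password and an unknown username both simply return false; nothing in the SQL result tells the submitter which passwords are in use, which is the brute-forcing concern raised above.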