开发者

MySQL password comparison from PHP

问答 作者:

Afternoon SO. Basically I have a page with a login form where the user is asked to input their username and password. Then i match these username and a hashed version of the password with the Passwords database in MySQL.

Now, seeing as I have no idea what hackers/expoilters are capable of i would just like to never retrieve the hashed version of the right password from the database and compare it on the server. I have scoured google and the MySQL tutorial websites but I cant seem to get a clear answer (i might be drowning in shallow water here). Basically this is what i want to do:

  • User inpu开发者_JAVA技巧ts username + password.
  • I forward this information to MySQL through a stored procedure.
  • Stored procedure returns TRUE/FALSE (1 or 0 doesnt matter) if a match is found.

Thankyou very much for your time.

I'm not quite sure what you're after, but if I understood the question correctly, you want to do something like this:

SELECT password FROM users WHERE username = '$username';

and then compare the passwords with PHP, and you're concerned that this might become a security issue.

I don't think it makes any difference in the security standpoint. The usual way of checking if the password is correct is:

SELECT COUNT(*) FROM users WHERE username = '$username' AND password = '$hashedPassword';

If count == 1, the user gave the correct password. You can see that MySQL doesn't give the actual password at any point if the passwords don't match. Even if it did, it's nearly impossible for a hacker to get access to that information. If they can, they have already hijacked your server and this is the least of your problems.

Just use mysql_real_escape_string when sending the credentials to your database. This will prevent SQL injection.

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
?>

http://www.php.net/manual/en/function.mysql-real-escape-string.php

继续阅读:passwordsphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9