MySQL password comparison from PHP
Afternoon SO. Basically I have a page with a login form where the user is asked to input their username and password. Then I match this username and a hashed version of the password against the Passwords database in MySQL.
Now, seeing as I have no idea what hackers/exploiters are capable of, I would just like to never retrieve the hashed version of the right password from the database and compare it on the server. I have scoured Google and the MySQL tutorial websites but I can't seem to get a clear answer (I might be drowning in shallow water here). Basically this is what I want to do:
- User inputs username + password.
- I forward this information to MySQL through a stored procedure.
- Stored procedure returns TRUE/FALSE (1 or 0, doesn't matter) if a match is found.
Thank you very much for your time.
I'm not quite sure what you're after, but if I understood the question correctly, you want to do something like this:
SELECT password FROM users WHERE username = '$username';
and then compare the passwords with PHP, and you're concerned that this might become a security issue.
I don't think it makes any difference from a security standpoint. The usual way of checking whether the password is correct is:
SELECT COUNT(*) FROM users WHERE username = '$username' AND password = '$hashedPassword';
If count == 1, the user gave the correct password. You can see that MySQL doesn't give the actual password at any point if the passwords don't match. Even if it did, it's nearly impossible for a hacker to get access to that information. If they can, they have already hijacked your server and this is the least of your problems.
Just use mysql_real_escape_string when sending the credentials to your database. This will prevent SQL injection.
<?php
// Connect (the mysql_* extension used here was removed in PHP 7; mysqli or PDO replace it)
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());
// Select the database (name is a placeholder, like the connection details above)
mysql_select_db('mysql_db', $link) OR die(mysql_error());

// Query: escape both values so quotes in the input cannot alter the SQL text
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));

// Run it and treat exactly one matching row as a successful login
$result = mysql_query($query, $link) OR die(mysql_error());
$loggedIn = (mysql_num_rows($result) == 1);
?>
http://www.php.net/manual/en/function.mysql-real-escape-string.php
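The three shapes discussed in this thread side by side, as an added example that is not code from the question or the answer above. It uses mysqli prepared statements (the mysql_* functions in the answer no longer exist in PHP 7 and later), and it assumes a MySQL table `users` with columns `username`, `password` (a SHA-256 hex digest) and `password_hash` (a `password_hash()` string), placeholder connection details, and a hypothetical stored procedure named `check_login` whose definition is given in a comment. The third function carries the caveat a practitioner would want: a salted, slow hash cannot be compared inside MySQL because every stored hash has its own random salt, so the hash has to be fetched and checked in PHP, which is exactly the step the question hopes to avoid. That is fine as long as the fetch uses a bound parameter.

```php
<?php
// Added example for this thread, not code from the question or the answer.
// Assumptions: table users(username VARCHAR(64) PRIMARY KEY, password CHAR(64),
// password_hash VARCHAR(255)); a hypothetical procedure check_login (see below);
// placeholder host and credentials.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$db = new mysqli('mysql_host', 'mysql_user', 'mysql_password', 'mysql_db');

// 1. The answer's COUNT(*) check, with a bound parameter instead of escaping.
//    The hash travels as data, never as SQL text, so input like ' OR '1'='1
//    is compared as a literal string and cannot change the query.
function loginCountMatch(mysqli $db, string $username, string $password): bool
{
    // Hash in PHP as the question describes. An unsalted SHA-256 is deterministic,
    // which is what lets MySQL do the comparison; it is also why it is weak:
    // equal passwords give equal digests and precomputed tables apply.
    $hash = hash('sha256', $password);

    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    return (int) $count === 1;
}

// 2. The stored-procedure shape the question asks for. check_login is hypothetical;
//    create it once with:
//      CREATE PROCEDURE check_login(IN p_user VARCHAR(64), IN p_hash CHAR(64))
//        SELECT COUNT(*) AS ok FROM users WHERE username = p_user AND password = p_hash;
//    It returns one row with ok = 1 or 0. Security-wise it is the same as (1): the
//    candidate hash is still sent to MySQL for comparison, it just never comes back.
function loginProcedureMatch(mysqli $db, string $username, string $password): bool
{
    $hash = hash('sha256', $password);

    $stmt = $db->prepare('CALL check_login(?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->bind_result($ok);
    $stmt->fetch();
    // A CALL yields its SELECT plus a trailing status result; drain it so the
    // connection is not left mid-result for the next statement.
    while ($stmt->more_results() && $stmt->next_result()) {
    }
    $stmt->close();

    return (int) $ok === 1;
}

// 3. Current practice: a salted, slow hash via password_hash(). The salt is random
//    per hash, so MySQL cannot compare it; fetch the stored hash over a prepared
//    statement and verify in PHP.
function loginSaltedVerify(mysqli $db, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified against when the username is unknown, so the response time
        // does not reveal which usernames exist.
        $dummyHash = password_hash('placeholder-for-unknown-user', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = ($stmt->fetch() === true);
    $stmt->close();

    $verified = password_verify($password, $found ? $stored : $dummyHash);
    return $found && $verified;
}

// Usage with the form fields from the question (missing fields count as empty)
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
echo loginSaltedVerify($db, $username, $password) ? 'login ok' : 'login failed';
```

Functions 1 and 2 show why the asker's worry and the answer's COUNT(*) query come out the same: in both, the server only ever learns whether a row matched, and the thing that actually decides whether an attacker can steer the query is how the input reaches it, bound as a parameter here rather than spliced into the SQL string. Function 3 is the one to build on today; with `password_hash()` the stored value has to be read back to be checked, and doing that through a bound parameter does not weaken anything.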