开发者

Check availability of user id from the database

问答 作者:

I have a forgot password 开发者_开发知识库page in which i need to ask from the user his user id to provide him his password from the database and it is working but what to do if anyone enters any wrong user id.

Be aware that there's a certain measure of risk in this. If you always respond with a message saying that the User ID is incorrect, then that can be used to guess User IDs in your system. An attacker can brute-force this form with variations of common names and end up with a sizable list of your users. For any given account, that gives them half of the information needed to login as that user.

I would recommend that you display a message saying that an email has been sent to the email address for that account with instructions to reset the password (which includes a time-sensitive key required for the reset), regardless if the User ID was found in the system or not. If they don't get the email, they can always try again (assuming the first attempt included a typo in the User ID). If they don't actually know their User ID, there can be another form to recover that by entering their email address (behaves in a similar manner to this form, always showing success on the form and just sending the email where applicable).

You have to perform following 3 steps to ensure tight security.

1) Based on the userid fetch the user information from database. If the information is null then send an error to the user, saying invalid UserId.

2) a) If you have registration of EmailId at the time of user creation, then send the password to the registered mail. b) If you don't have registration of EmailId then ask and match the security question selected at the time of user registration.

3) If possible try to combine the a) & b) points of point 2) for more enhanced security.

You must do SELECT to check if that records exists and proceed if so.

Simply return a message stating they have entered an incorrect user id.

If you're asking what do you do if they give you the valid ID of another user entirely, then I'm assuming you're doing something quite unsafe with the password you're recovering (you aren't just showing them the password are you?) - most systems like this will email you the password, at least affording the security that only the associated email account will ever be given the password.

SELECT * FROM users WHERE username = inputhere

if (mysql_num_rows($result) > 0)
{
  // found it
}
else
{
  // doesn't exist
}

Is that what you were looking for?

继续阅读:asp.net

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9