
mysql password warning

Posted: Mon May 03, 2010 1:59 pm
by c_pattle
Hey

I'm not sure if this is the correct place to post this, but if not then feel free to move it.

I've created a MySQL table to store user names and passwords and am trying to create a login page which checks that the usernames and passwords are valid.

I used this sql to create the table "create table users (first_name varchar(25) not null, last_name varchar(25) not null, username varchar(20) unique, password varchar(16);"

However when I try to insert data into the table using "insert into users (first_name, last_name, username, password) values ("jack", "jones", "jack", password("jack"));" it says there is a warning. It's something to do with the password because when you view the table the password is stored as a 15 character string with a "*" at the start.

Does anyone know what I'm doing wrong?

Re: mysql password warning

Posted: Mon May 03, 2010 2:14 pm
by requinix
I'm too lazy:

What does the warning say?

Re: mysql password warning

Posted: Mon May 03, 2010 3:18 pm
by rnoack
I'm not sure if that is the exact code you used, but you missed a paren at the end of the create table: after varchar(16) it should be varchar(16));
But I feel like you should have got an error when creating the table in that case.

Re: mysql password warning

Posted: Mon May 03, 2010 4:00 pm
by c_pattle
That's a good point. How do I get MySQL to display the warnings? I asked someone else and they said that the password function shouldn't be used by other applications. Does this mean I should forget the password() function and just store users' passwords as text?

Re: mysql password warning

Posted: Mon May 03, 2010 4:46 pm
by minorDemocritus
To display the error message that MySQL returns, use mysql_error(). Example:

```php
$query = "SELECT * FROM `table` WHERE 1";
$result = mysql_query($query);
echo mysql_error();
```

The function returns a string containing the error from the last MySQL function that ran.

phpMyAdmin is very useful for debugging MySQL queries. The 'SQL' tab allows you to run queries directly, and gives you the error message.

As for the password function, I've never used it. I just store the hash of the password, after salting it for more security:

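```php
$username = 'dummyuser';
// Two fixed salt strings, placed before and after the password
$salt1 = '#jS7';
$salt2 = 's3N&';
$password = 'secret';
// SHA-1 of salt + password + salt is what gets stored, never the password itself
$token = sha1($salt1 . $password . $salt2);
// Escape both values before building the INSERT statement
$query = sprintf("INSERT INTO `users` (username,passhash) VALUES ('%s','%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($token)
);
```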
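
Added example, not part of any post in this thread: MySQL's PASSWORD() returns a 41-character string beginning with `*`, which does not fit the varchar(16) column from the first post. The sketch below hashes in PHP with a random per-user salt instead, stores the result in a column wide enough to hold it, and shows that a hash cut to 16 characters can never verify. Assumptions: PHP 7 or later with pdo_sqlite, an in-memory SQLite database standing in for MySQL, the `passhash` column name from the post above, and hypothetical helper names `register_user` and `check_login`.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the MySQL server (assumption for this demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The hash column must hold the whole hash; 255 leaves room for future algorithms.
$db->exec('CREATE TABLE users (
    username VARCHAR(20) PRIMARY KEY,
    passhash VARCHAR(255) NOT NULL
)');

// Hypothetical helper: hash the password and store it with a prepared statement.
function register_user(PDO $db, string $username, string $password): void
{
    // password_hash() generates a random per-user salt and embeds it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, passhash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Hypothetical helper: look up the stored hash and verify the supplied password.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT passhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample credentials.
register_user($db, 'jack', 'constructed-sample-password');
var_dump(check_login($db, 'jack', 'constructed-sample-password'));
var_dump(check_login($db, 'jack', 'wrong-password'));
var_dump(check_login($db, 'nobody', 'constructed-sample-password'));

// What a too-narrow column does: a hash truncated to 16 characters never verifies.
$full = password_hash('constructed-sample-password', PASSWORD_DEFAULT);
$truncated = substr($full, 0, 16);
var_dump(strlen($full) > 16);
var_dump(password_verify('constructed-sample-password', $truncated));
```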

Re: mysql password warning

Posted: Tue May 04, 2010 9:44 am
by rnoack
In my opinion it should be OK to share the password function between php and mysql because both are running on the server side. But that might be a better question for the security forum.