authentication

nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

authentication

Post by nincha »

Is it a good or a bad idea to write a PHP script for user login or authentication by logging into SQL and matching username and password? If it's a bad reason, can anyone tell me why and a better way to do this.
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH

Post by protokol »

There is absolutely nothing wrong with this method. In fact, I recommend it over using flat files to store usernames and passwords. The thing to remember is that you need to store your passwords in encrypted form in the database.

Many PHP coders will store the md5() hash of the password in the database:

Code:

// Read the submitted form fields; a plain assignment is enough here, the
// =& reference assignment in the original adds nothing.
// The values are concatenated straight into the SQL string, so the username
// must be escaped for the database first (mysql_real_escape_string() is the
// PHP 4 mysql extension's function; that extension was removed in PHP 7,
// where mysqli/PDO bound parameters do the job). md5() output is plain hex,
// so it needs no escaping.
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];

$query = "SELECT first_name, last_name FROM members WHERE username = '".$username."' AND password = '".md5($password)."'";


Basically it grabs the user info from the database when a user signs up via an HTML form. There are better ways to hash the password, but this is just one of the options.
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Post by nincha »

How would you encrypt the password into MySQL?
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I suggest also using cookies if you were to do so. :)

http://ca.php.net/set_cookie
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Post by nincha »

What exactly are cookies? Can someone give a basic syntax of it and explain how it works and its purpose?
protokol
Forum Contributor
Posts: 353
Joined: Fri Jun 21, 2002 7:00 pm
Location: Cleveland, OH

Post by protokol »

The way you encrypt the password into MySQL is by inserting the new user into the database and setting the password to equal the md5() hash:

Code:

// $username and $password come from the sign-up form. The username is user
// text that ends up inside the SQL string, so escape it; md5() only emits hex.
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];

$query = "INSERT INTO members (username, password) VALUES ('".$username."', '".md5($password)."')";

Where $username and $password are set to variables which the user enters in when they sign up on the site. Usually, these will be $_POST['username'] and $_POST['password'].

In response to your second question about cookies... A cookie is used to store a variable on the user's computer so that when they return to the site, a PHP program can "remember" certain things about them. I'm sure you have seen a site that has "Remember login" or something similar in a login box which you can choose so that you can return to the site at a later date and not have to log in again. If you check the box to "Remember you", then they are most likely storing a cookie on your computer. The cookie will store your username and your encrypted password. This way, when you return to the site, if the cookie exists on your computer, then the script will read it in, check the username/password against the database values, and log you in accordingly.

Code:

// Send the cookie with setcookie(); assigning into $_COOKIE only changes the
// local array for this request and never reaches the browser. The third
// argument is the expiry time; 30 days here is an example value.
setcookie('my_site_login_info', $username.",".md5($password), time() + 30*24*60*60);

The above code would be used to set the cookie. This is done when the user chooses to have their password remembered.

Code:

if (isset($_COOKIE['my_site_login_info'])) {
   // The cookie value comes from the client, so both halves are untrusted
   // input: split on the first comma only and escape each part before it
   // goes into the SQL string.
   list($username, $encrypted_password) = explode(",", $_COOKIE['my_site_login_info'], 2);
   $username = mysql_real_escape_string($username);
   $encrypted_password = mysql_real_escape_string($encrypted_password);
   $query = "SELECT * FROM members WHERE username = '".$username."' AND password = '".$encrypted_password."'";
} else {
   // the cookie isn't set, so either the user hasn't chosen to remember
   // the password, cookies are disabled on his computer, or he deleted
   // the cookie himself
}

The above code will check to see if the cookie exists. If it does, then we grab the user's information from the database.

Hopefully this helps a bit. Feel free to ask more questions that you may have.
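The three steps protokol describes (sign-up, login, remember-me cookie) as they would be written today, added here as an example that is not from this thread or its posters. It assumes PHP 7.3+, an open PDO connection in $pdo, and a members table with the columns username, password_hash and remember_hash (assumed schema); the cookie holds a random token rather than the username and password hash, and only a hash of that token is stored.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+, a PDO connection
// in $pdo, and a members table with username, password_hash, remember_hash.

// Sign-up: store a salted, slow hash rather than md5($password).
function register(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: fetch by username only and compare the hash in PHP. The user input is
// bound as a parameter, so quotes in it can never change the SQL text.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so both paths take similar time.
    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    return $row !== false && password_verify($password, $hash);
}

// "Remember me": the cookie carries a random token, not the username plus
// password hash. Only sha256(token) is stored, so reading the table does not
// yield working cookies, and the cookie is HttpOnly/Secure so scripts can't read it.
function remember(PDO $pdo, string $username): void {
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('UPDATE members SET remember_hash = ? WHERE username = ?');
    $stmt->execute([hash('sha256', $token), $username]);
    setcookie('remember', $username . ':' . $token, [
        'expires' => time() + 30 * 24 * 3600,   // 30 days is an example value
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returning visit: look the user up, then compare token hashes in constant time.
function loginFromCookie(PDO $pdo): ?string {
    if (!isset($_COOKIE['remember']) || strpos($_COOKIE['remember'], ':') === false) {
        return null;
    }
    [$username, $token] = explode(':', $_COOKIE['remember'], 2);
    $stmt = $pdo->prepare('SELECT remember_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || empty($row['remember_hash']) || !hash_equals($row['remember_hash'], hash('sha256', $token))) {
        return null;
    }
    return $username;
}
```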