
authentication

Posted: Sat Mar 29, 2003 8:18 pm
by nincha
Is it a good or a bad idea to write a PHP script for user login or authentication by logging into SQL and matching username and password? If it's a bad reason, can anyone tell me why and a better way to do this?

Posted: Sat Mar 29, 2003 9:29 pm
by protokol
There is absolutely nothing wrong with this method. In fact, I recommend it over using flat files to store usernames and passwords. The thing to remember is that you need to store your passwords in encrypted form in the database.

Many PHP coders will store the md5() hash of the password in the database:

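Code:

$username = $_POST['username'];
$password = $_POST['password'];

// The posted values are bound as parameters, not concatenated into the SQL; $db is an assumed PDO connection
$stmt = $db->prepare("SELECT first_name, last_name FROM members WHERE username = ? AND password = ?");
$stmt->execute(array($username, md5($password)));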


Basically it grabs the user info from the database when a user signs up via an HTML form. There are better ways to hash the password, but this is just one of the options.

Posted: Sat Mar 29, 2003 10:08 pm
by nincha
How would you encrypt the password into MySQL?

Posted: Sat Mar 29, 2003 10:10 pm
by m3mn0n
I suggest also using cookies if you were to do so. :)


http://ca.php.net/set_cookie

Posted: Sat Mar 29, 2003 10:32 pm
by nincha
What exactly are cookies? Can someone give a basic syntax of it and explain how it works and its purpose?

Posted: Sun Mar 30, 2003 12:09 am
by protokol
The way you encrypt the password into MySQL is by inserting the new user into the database and setting the password to equal the md5() hash:

Code:

$stmt = $db->prepare("INSERT INTO members (username, password) VALUES (?, ?)"); // $db: assumed PDO connection
$stmt->execute(array($username, md5($password))); // values are bound, not concatenated into the SQL

Where $username and $password are set to variables which the user enters in when they sign up on the site. Usually, these will be $_POST['username'] and $_POST['password'].

In response to your second question about cookies...... A cookie is used to store a variable on the user's computer so that when they return to the site, a PHP program can "remember" certain things about them. I'm sure you have seen a site that has "Remember login" or something similar in a login box which you can choose so that you can return to the site at a later date and not have to log in again. If you check the box to "Remember you", then they are most likely storing a cookie on your computer. The cookie will store your username and your encrypted password. This way, when you return to the site, if the cookie exists on your computer, then the script will read it in, check the username/password against the database values, and log you in accordingly.

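Code:

// setcookie() must run before any output is sent; the 30-day lifetime is an example value
setcookie('my_site_login_info', $username.",".md5($password), time() + 60*60*24*30);

The above code would be used to set the cookie. This is done when the user chooses to have their password remembered.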

Code:

if (isset($_COOKIE['my_site_login_info'])) {
   // the cookie is client-controlled, so its parts are bound as parameters
   list($username, $encrypted_password) = explode(",", $_COOKIE['my_site_login_info']);
   $stmt = $db->prepare("SELECT * FROM members WHERE username = ? AND password = ?"); // $db: assumed PDO connection
   $stmt->execute(array($username, $encrypted_password));
} else {
   // the cookie isn't set, so either the user hasn't chosen to remember
   // the password, cookies are disabled on his computer, or he deleted
   // the cookie himself
}

The above code will check to see if the cookie exists. If it does, then we grab the user's information from the database.

Hopefully this helps a bit. Feel free to ask more questions that you may have.
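
For comparison with the login and "remember me" flow discussed in this thread, here is an added example (not code from any poster) that uses bound parameters, password_hash()/password_verify() in place of md5(), and a random remember-me token whose SHA-256 hash is kept server-side instead of putting the username and password hash in the cookie. The in-memory SQLite database, the remember_tokens table and all function names are assumptions made for the example.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
$db->exec("CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)");

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() salts and stretches the password; only the resulting hash is stored.
    $stmt = $db->prepare("INSERT INTO members (username, password) VALUES (?, ?)");
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $username, string $password): bool {
    // Look the row up by username only, then verify the password against the stored hash in PHP.
    $stmt = $db->prepare("SELECT password FROM members WHERE username = ?");
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

function issue_remember_token(PDO $db, string $username, int $lifetime = 2592000): string {
    // The cookie value is a random token; it carries neither the username nor a password hash.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare("INSERT INTO remember_tokens (token_hash, username, expires) VALUES (?, ?, ?)");
    $stmt->execute([hash('sha256', $token), $username, time() + $lifetime]);
    return $token; // the caller sends this with setcookie(), ideally with httponly and secure set
}

function user_from_remember_token(PDO $db, string $token): ?string {
    // Only the SHA-256 of the token is stored, so a leaked table does not contain usable cookie values.
    $stmt = $db->prepare("SELECT username FROM remember_tokens WHERE token_hash = ? AND expires > ?");
    $stmt->execute([hash('sha256', $token), time()]);
    $username = $stmt->fetchColumn();
    return $username === false ? null : $username;
}

// Constructed sample data: one user, one valid login, one injection-style username, one forged cookie.
register_user($db, 'alice', 'correct horse battery staple');
var_dump(check_login($db, 'alice', 'correct horse battery staple'));
var_dump(check_login($db, "alice' OR '1'='1", 'x'));
$token = issue_remember_token($db, 'alice');
var_dump(user_from_remember_token($db, $token));
var_dump(user_from_remember_token($db, 'forged-value'));
```

Deleting the user's rows from remember_tokens on logout or password change invalidates outstanding cookies, which a cookie derived from the password hash cannot do without changing the password.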