Questions about creating accounts on a database

Posted: Wed Jun 26, 2002 3:24 pm
by RandomEngy
Hey, everyone.

I apologize in advance if this has been covered already. I tried searching the forums, and looking on Google, but nothing insightful popped up.

I've been working on a website and decided to incorporate some mySQL/PHP goodness. I plan to make a place where users can update their personal info via html forms. The information is displayed by PHP for the public to access.

For this I'm thinking of making a "users" table with the following columns:
id, name, password, etc. When they log in, their submitted password is checked against the one in the database and entry is permitted or denied based on the comparison.

From here I'm uncertain. Do I change a variable to toggle if the user is logged in? How would I only give access to that user for modifying his info? How can I make sure that only that computer is able to get any data? Are PHP and mySQL the right tools for ensuring security here?

If someone could point me in the right direction, or direct me to a tutorial that might answer my questions, it would be most appreciated.

Posted: Wed Jun 26, 2002 3:28 pm
by jason
Yup, you can do it in PHP. I would look into sessions in PHP, as that is what I think you are aiming for, controlling when a user is logged in. =)

Posted: Thu Jun 27, 2002 10:23 am
by RandomEngy
Thanks for pointing me in the right direction, jason. I've made some progress and actually made a session and can control logins now. Now the fun part comes: coding it!

Posted: Fri Jun 28, 2002 2:57 am
by 9902468
Always remember that it is nice to save passwords as hashes, so that you can't see (that easily anyway) what password the user is using. Surprisingly many people use one and the same password for every service they use! mySQL has a password() function if I remember correctly (Using LDAP now to authenticate...)

Posted: Fri Jun 28, 2002 3:51 pm
by honkyinc
I always store user passwords after running them through md5(). When you want to authenticate, just run the password they provide through md5() and then compare that to what you have in the DB. If they match, yay. If they don't, bah.

This also removes the temptation (yes, it can be there), to see what users pick for passwords. I know that a lot of people wouldn't look, but there are some that would, and it's better to remove all temptation before it's there, you know?

Posted: Fri Jun 28, 2002 4:02 pm
by RandomEngy
Cool, I think I'll do that md5 thing. Although that will mean I can't use my webpage to edit entries, I guess I can just use phpmyadmin or something to edit them. Thanks for the help.
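
The hash-then-compare login discussed in this thread, as an added example that is not part of any original post: it checks logins against md5() rows and moves each row to PHP's salted password_hash() at the next successful login. The `$users` array, the user names and the password `hunter2` are constructed sample data standing in for the "users" table, and `login()` is a hypothetical helper.

```php
<?php
// Constructed sample rows standing in for the "users" table from the thread.
// alice and bob chose the same password; both are stored as md5(), as in the posts.
$users = [
    'alice' => ['password' => md5('hunter2')],
    'bob'   => ['password' => md5('hunter2')],
];

// Unsalted md5: equal passwords give equal digests, so recovering one
// digest recovers every account that reused that password.
$sameDigest = $users['alice']['password'] === $users['bob']['password'];

// Check a login against either storage format and upgrade md5 rows in place.
function login(array &$users, string $name, string $submitted): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['password'];
    // A bare 32-character hex string is treated as a legacy md5 digest.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);

    $ok = $isLegacy
        ? hash_equals($stored, md5($submitted))   // scheme described in the thread
        : password_verify($submitted, $stored);   // salted, slow hash (PHP 5.5+)

    if ($ok && ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // The plaintext is only available at this moment, so re-hash it now.
        $users[$name]['password'] = password_hash($submitted, PASSWORD_DEFAULT);
    }
    return $ok;
}

var_dump($sameDigest);                            // do the two md5 rows match?
var_dump(login($users, 'alice', 'wrong-guess'));  // rejected, row left untouched
var_dump(login($users, 'alice', 'hunter2'));      // accepted via md5, row upgraded
var_dump(login($users, 'bob', 'hunter2'));        // accepted via md5, row upgraded
// Each upgraded row has its own salt, so the stored values are compared again here.
var_dump($users['alice']['password'] === $users['bob']['password']);
var_dump(login($users, 'alice', 'hunter2'));      // now checked by password_verify()
```

On a real site, a successful `login()` is the point where the session from the earlier replies would record the user's id, and a password change from a web form only needs to store a fresh `password_hash()` of the new value.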