Question about code efficiency (php+mysql)

Alexplay
Forum Newbie
Posts: 1
Joined: Tue Jul 12, 2011 8:09 pm

Post by Alexplay »

I am currently implementing a cookie checking method for the login part of my website.

When the cookie is created the email is hashed with md5 and some salts to prevent cookie tampering, but since I can't reverse the md5 I need to fetch the whole array of users to see if the current email row (hashed on the fly) matches the one in the cookie.

The code works and everything, it does exactly what I want, but I don't know if it's efficient enough. I tried with 11000 randomly inserted users and the query takes a couple of ms without problems, but will this be appropriate for tables with millions of rows? Not saying my website will have that many users, but it's always good to know how to code for max efficiency.

Also, should I worry too much about cookie tampering? If I don't hash the email and put it directly in the cookie when the user logs in, I don't even need the while loop, just select the row directly if the email in the cookie matches the one in the table.

Thanks in advance.

This is how I create the cookie:

Code:

// Runs after the login query; $login_result holds the row found for the
// submitted credentials and $salt is the salt mentioned above.
if ($row = mysql_fetch_array($login_result)) {
    if ($row['estado_act'] == 'activa') {
        session_regenerate_id();
        $_SESSION['SESS_USER_NAME'] = $row['nombre'];
        $_SESSION['SESS_USER_EMAIL'] = $row['email'];
        // The cookies carry salted md5 hashes of the name and the email, valid for 30 days.
        setcookie("finaparty_name", md5($salt.$_SESSION['SESS_USER_NAME'].$salt), time()+2592000, "/");
        setcookie("finaparty_login", md5($salt.$_SESSION['SESS_USER_EMAIL'].$salt), time()+2592000, "/");
        session_write_close();
    }
}
Here I assign its value to the session:

Code:

if (!isset($_SESSION['SESS_USER_EMAIL'])) {
    if (isset($_COOKIE['finaparty_login'])) {
        // The cookie holds md5($salt.email.$salt), so every user row has to be
        // fetched and re-hashed until one matches.
        $cookie_result = mysql_query("SELECT nombre, email FROM registro_usuario");

        while ($cookie_row = mysql_fetch_array($cookie_result)) {
            // Strict comparison: with == two numeric-looking strings such as "0e..." compare as equal numbers.
            if (md5($salt.$cookie_row['email'].$salt) === $_COOKIE['finaparty_login']) {
                $_SESSION['SESS_USER_NAME'] = $cookie_row['nombre'];
                $_SESSION['SESS_USER_EMAIL'] = $cookie_row['email'];
                break;
            }
        }
    }
}
**EDIT**

I just thought of a better way to do it without the loop. This is the new code rewritten; it just checks the already hashed password in the DB against the one in the cookie directly.

Cookie creation:

Code:

if ($row = mysql_fetch_array($login_result)) {
    if ($row['estado_act'] == 'activa') {
        session_regenerate_id();
        $_SESSION['SESS_USER_NAME'] = $row['nombre'];
        // The stored password hash (contra) and the email go into the cookies as they are.
        setcookie("finaparty_pass", $row['contra'], time()+2592000, "/");
        setcookie("finaparty_login", $row['email'], time()+2592000, "/");
        session_write_close();
    } else {
        $warningMsg = "acc_inactive";
    }
}
Cookie check:

Code:

if (!isset($_SESSION['SESS_USER_NAME'])) {
    if (isset($_COOKIE['finaparty_login']) && isset($_COOKIE['finaparty_pass'])) {
        // Both cookie values are interpolated into the SQL string without escaping.
        $cookie_result = mysql_query("SELECT nombre, email, contra FROM registro_usuario WHERE email = '$_COOKIE[finaparty_login]' AND contra = '$_COOKIE[finaparty_pass]'");

        if (!mysql_num_rows($cookie_result)) {
            // No matching row: expire both cookies.
            setcookie("finaparty_pass", "", time() - 3600, "/");
            setcookie("finaparty_login", "", time() - 3600, "/");
        } else {
            if ($cookie_row = mysql_fetch_array($cookie_result)) {
                $_SESSION['SESS_USER_NAME'] = $cookie_row['nombre'];
            }
        }
    }
}
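
The post asks two things at once: how to avoid re-hashing every row, and whether cookie tampering matters. The usual answer to both is a "remember me" token that is random rather than derived from the email or the stored password hash. The following is an added example written for this page, not the poster's code: the cookie carries a random selector plus a random validator, the selector is looked up through a unique index (one row read however large the table), and only a hash of the validator is stored, so a forged cookie or a leaked table cannot log anyone in. The table and column names (users, remember_tokens, selector, validator_hash), the function names, and the 'alex' user row are assumptions made up for the example; an in-memory SQLite database stands in for MySQL so the script runs on its own, and with MySQL only the DSN would change.

```php
<?php
// Added example (editor's code, not the poster's). A "remember me" cookie made of
// a random selector and a random validator: the selector is looked up through a
// unique index and only a hash of the validator is stored. Table and column
// names (users, remember_tokens, selector, validator_hash) are assumptions; an
// in-memory SQLite database stands in for MySQL and the 'alex' row is test data.

const COOKIE_NAME = 'finaparty_remember';
const COOKIE_TTL  = 2592000;                  // 30 days, as in the original setcookie() calls

function db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, nombre TEXT, email TEXT UNIQUE)');
    $pdo->exec('CREATE TABLE remember_tokens (
                    selector       TEXT PRIMARY KEY,   -- lookup key, stored in clear
                    validator_hash TEXT NOT NULL,      -- sha256 of the secret half
                    user_id        INTEGER NOT NULL,
                    expires        INTEGER NOT NULL)');
    $pdo->exec("INSERT INTO users (nombre, email) VALUES ('alex', 'alex@example.com')");
    return $pdo;
}

// After a successful password login: store the token, return the cookie value.
function issueRememberToken(PDO $pdo, int $userId): string {
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, public half
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, secret half
    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                           VALUES (:sel, :hash, :uid, :exp)');
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator),
        ':uid'  => $userId,
        ':exp'  => time() + COOKIE_TTL,
    ]);
    $value = $selector . ':' . $validator;
    // HttpOnly keeps the cookie away from scripts; set the Secure flag on an HTTPS site.
    setcookie(COOKIE_NAME, $value, time() + COOKIE_TTL, '/', '', false, true);
    return $value;
}

// On a request with no session: resolve the cookie to a user row, or null.
function userFromRememberCookie(PDO $pdo, ?string $cookie): ?array {
    // Reject anything that is not "24 hex : 64 hex" before it reaches the database.
    if ($cookie === null || !preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $stmt = $pdo->prepare('SELECT t.validator_hash, t.expires, u.id, u.nombre, u.email
                             FROM remember_tokens t JOIN users u ON u.id = t.user_id
                            WHERE t.selector = :sel');
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the hash of the presented secret with the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: someone holds half of a real cookie.
        // Revoke the token so the genuine cookie stops working as well.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :sel')
            ->execute([':sel' => $selector]);
        return null;
    }
    return ['id' => (int) $row['id'], 'nombre' => $row['nombre'], 'email' => $row['email']];
}

$pdo    = db();
$cookie = issueRememberToken($pdo, 1);
$cases  = [
    'genuine cookie'    => $cookie,
    'validator altered' => substr($cookie, 0, 25) . str_repeat('0', 64),
    'garbage'           => 'garbage',
];
foreach ($cases as $label => $value) {
    $user = userFromRememberCookie($pdo, $value);
    printf("%-18s -> %s\n", $label, $user === null ? 'no login' : $user['nombre']);
}
```

Only the genuine cookie resolves to a user; the altered one is rejected by hash_equals() and, because its selector was real, revokes the stored token, and the garbage value never reaches the database. Since the validator is random and compared through a hash, neither the email nor the password hash ever leaves the server, which is what makes the tampering question go away.
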
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Question about code efficiency (php+mysql)

Post by social_experiment »

Just a point of interest to look at: cookies are input which can be manipulated. You should escape the input you receive from those cookies, even if you set them yourself, because you don't know who touched them before you inspect them again. Use mysql_real_escape_string() even on stuff you put in that is hard-coded.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
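
To make the reply's point concrete, here is the cookie lookup from the first post run against a forged cookie, next to an escaped and a parameterised version of the same query. This is an added example written for this page, not code from the thread: the registro_usuario row, the stored hash and the cookie values are constructed for the demonstration, the function names are made up, and an in-memory SQLite database stands in for MySQL so the script runs on its own. PDO::quote() plays the part of mysql_real_escape_string(), which needs an open MySQL link to work (and the mysql_* functions were removed in PHP 7, so current code would use mysqli or PDO anyway).

```php
<?php
// Added example (editor's code, not from the thread): the first post's cookie
// lookup with a forged cookie, beside an escaped and a parameterised version.
// The table row, the stored hash and the cookie values are constructed; SQLite
// stands in for MySQL and PDO::quote() stands in for mysql_real_escape_string().

function db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE registro_usuario (nombre TEXT, email TEXT, contra TEXT)');
    $pdo->exec("INSERT INTO registro_usuario VALUES ('alex', 'alex@example.com', '5f4dcc3b5aa765d61d8327deb882cf99')");
    return $pdo;
}

function firstRow(PDO $pdo, string $sql): ?array {
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1. As posted: cookie values interpolated straight into the SQL string.
function lookupInterpolated(PDO $pdo, array $cookie): ?array {
    return firstRow($pdo, "SELECT nombre, email, contra FROM registro_usuario
                           WHERE email = '$cookie[finaparty_login]' AND contra = '$cookie[finaparty_pass]'");
}

// 2. Escaped, as the reply recommends: quotes inside the values are neutralised.
function lookupEscaped(PDO $pdo, array $cookie): ?array {
    return firstRow($pdo, sprintf('SELECT nombre, email, contra FROM registro_usuario
                                   WHERE email = %s AND contra = %s',
                                  $pdo->quote($cookie['finaparty_login']),
                                  $pdo->quote($cookie['finaparty_pass'])));
}

// 3. Bound parameters: the values never become part of the SQL text at all.
function lookupPrepared(PDO $pdo, array $cookie): ?array {
    $stmt = $pdo->prepare('SELECT nombre, email, contra FROM registro_usuario
                           WHERE email = :email AND contra = :contra');
    $stmt->execute([':email' => $cookie['finaparty_login'], ':contra' => $cookie['finaparty_pass']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = db();

// What the login code would set, and what anyone can put in the same cookie.
// The forged login value closes the string literal and comments out the rest
// of the WHERE clause, so the password half of the check disappears.
$cookies = [
    'genuine' => ['finaparty_login' => 'alex@example.com', 'finaparty_pass' => '5f4dcc3b5aa765d61d8327deb882cf99'],
    'forged'  => ['finaparty_login' => "' OR 1=1 -- ",      'finaparty_pass' => 'anything'],
];

foreach ($cookies as $kind => $cookie) {
    foreach (['lookupInterpolated', 'lookupEscaped', 'lookupPrepared'] as $fn) {
        $row = $fn($pdo, $cookie);
        printf("%-18s %-8s -> %s\n", $fn, $kind, $row === null ? 'no row' : 'logged in as ' . $row['nombre']);
    }
}
```

All three lookups accept the genuine cookie. The interpolated one also accepts the forged cookie and logs the request in as the first user in the table without any password hash at all, because the cookie text became part of the query. The escaped and the prepared versions both return no row for it; of the two, bound parameters are the better habit, since escaping has to be remembered at every interpolation point while a prepared statement cannot forget.
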