Question about code efficiency (php+mysql)
Posted: Tue Jul 12, 2011 8:30 pm
I am currently implementing a cookie checking method for the login part of my website.
When the cookie is created the email is hashed with md5 and some salts to prevent cookie tampering, but since I can't reverse the md5 I need to fetch the whole array of users to see if the current email row (hashed on the fly) matches the one in the cookie.
The code works and everything, it does exactly what I want, but I don't know if it's efficient enough. I tried with 11000 randomly inserted users and the query takes a couple of ms without problems, but will this be appropriate for tables with millions of rows? Not saying my website will have that many users, but it's always good to know how to code for max efficiency.
Also, should I worry too much about cookie tampering? If I don't hash the email and put it directly in the cookie when the user logs in, I don't even need the while loop, just select the row directly if the email in the cookie matches the one in the table.
Thanks in advance.
This is how I create the cookie:
Code:
if ($row = mysql_fetch_array($login_result)) {
    if ($row['estado_act'] == 'activa') {
        session_regenerate_id();
        $_SESSION['SESS_USER_NAME'] = $row['nombre'];
        $_SESSION['SESS_USER_EMAIL'] = $row['email'];
        // $salt is defined elsewhere in the script; the cookie holds a salted
        // md5 of the value rather than the value itself
        setcookie("finaparty_name", md5($salt.$_SESSION['SESS_USER_NAME'].$salt), time()+2592000, "/");
        setcookie("finaparty_login", md5($salt.$_SESSION['SESS_USER_EMAIL'].$salt), time()+2592000, "/");
        session_write_close();
    }
} // closing brace of the outer if was missing in the pasted snippet
Here I assign its value to the session:
Code:
if (!isset($_SESSION['SESS_USER_EMAIL'])) {
    if (isset($_COOKIE['finaparty_login'])) {
        // The md5 cannot be reversed, so every user row is fetched and hashed
        // on the fly until one matches the cookie
        $cookie_result = mysql_query("SELECT nombre, email FROM registro_usuario");
        // mysql_fetch_array() returns false once the rows run out, so the
        // mysql_num_rows() check that was inside the loop was redundant and is dropped
        while ($cookie_row = mysql_fetch_array($cookie_result)) {
            // Strict comparison: with == PHP compares two hex strings of the
            // form "0e<digits>" numerically and treats them as equal
            if (md5($salt.$cookie_row['email'].$salt) === $_COOKIE['finaparty_login']) {
                $_SESSION['SESS_USER_NAME'] = $cookie_row['nombre'];
                $_SESSION['SESS_USER_EMAIL'] = $cookie_row['email'];
                break;
            }
        }
    }
}
**EDIT**
I just thought of a better way to do it without the loop. This is the new code rewritten; it just checks the already hashed pass in the db against the one in the cookie directly.
Cookie creation:
Code:
if ($row = mysql_fetch_array($login_result)) {
    if ($row['estado_act'] == 'activa') {
        session_regenerate_id();
        $_SESSION['SESS_USER_NAME'] = $row['nombre'];
        // The stored password hash (column "contra") and the e-mail are sent
        // to the browser as-is
        setcookie("finaparty_pass", $row['contra'], time()+2592000, "/");
        setcookie("finaparty_login", $row['email'], time()+2592000, "/");
        session_write_close();
    } else {
        $warningMsg = "acc_inactive";
    }
}
Cookie check:
Code:
if (!isset($_SESSION['SESS_USER_NAME'])) {
    if (isset($_COOKIE['finaparty_login']) && isset($_COOKIE['finaparty_pass'])) {
        // Cookie values are user-controlled: escape them before they go into
        // the query; interpolating $_COOKIE[...] directly, as the pasted
        // snippet did, was an SQL injection point
        $login = mysql_real_escape_string($_COOKIE['finaparty_login']);
        $pass  = mysql_real_escape_string($_COOKIE['finaparty_pass']);
        $cookie_result = mysql_query("SELECT nombre, email, contra FROM registro_usuario WHERE email = '$login' AND contra = '$pass'");
        if (!mysql_num_rows($cookie_result)) {
            // No matching row: expire both cookies
            setcookie("finaparty_pass", "", time() - 3600, "/");
            setcookie("finaparty_login", "", time() - 3600, "/");
        } else {
            if ($cookie_row = mysql_fetch_array($cookie_result)) {
                $_SESSION['SESS_USER_NAME'] = $cookie_row['nombre'];
            }
        }
    }
}
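A way to get the direct, indexed lookup without putting the e-mail or the stored password hash in the cookie, as an added example that is not part of the original post: a random selector/validator "remember me" token, stored hashed in its own table and looked up with a prepared statement. The remember_tokens table, its columns and the cookie name are assumptions made here for the example; they do not come from the post.

```php
<?php
// Added example (not the poster's code). The cookie carries selector:validator;
// the table stores only a SHA-256 of the validator, so a leaked table cannot be
// turned into valid cookies, and each check is one indexed query rather than
// a scan over every user. Assumed (hypothetical) schema:
//   remember_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                   user_id INT, expires DATETIME)

const REMEMBER_COOKIE = 'finaparty_remember';   // constructed cookie name
const REMEMBER_TTL    = 2592000;                // 30 days, as in the original cookie

function issue_remember_cookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(12));  // public lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', time() + REMEMBER_TTL)]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL, 'path' => '/',
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, or null (and clears the cookie) otherwise.
function check_remember_cookie(PDO $db): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) { return null; }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM remember_tokens
                          WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);  // bound parameter: cookie text never reaches the SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time, so a wrong validator cannot be
    // refined byte by byte from response timing
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');
        return null;
    }
    session_regenerate_id(true);
    return (int) $row['user_id'];
}
```

Deleting the row from remember_tokens on logout or password change invalidates the cookie server-side, which neither of the original schemes can do.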