nV News Forums > Software Forums > Software Development
Old 05-23-07, 02:02 PM   #13
ViN86
Re: Need a non-functional PHP login box

Quote:
Originally Posted by evilghost
I know this is an older thread but I wanted to comment on t3hl33td4rg0n's excellent example. All is fine, however, it is strongly recommended that you use the mysql_escape_string() function to properly sanitize user input to avoid SQL injection.

In his example, the below code:

Code:
// string values go in single quotes; backticks are for identifiers such as the table name
$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".$_POST['username']."' AND `pass` = '".md5($_POST['password'])."'";
Should become:
Code:
// same query, with the only raw user-controlled value escaped before it is spliced into the SQL
$s = "SELECT * FROM `".$utbl."` WHERE `user` = '".mysql_escape_string($_POST['username'])."' AND `pass` = '".md5($_POST['password'])."'";
This will prevent SQL injection; otherwise, SQL injection could occur.
evilghost -

I assume that you're using md5() to hash the password. Is it OK to use the password() hashing method instead?

This is what I planned to use in my MySQL database.
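The injection the quoted post warns about, reproduced as an added example (this is editor-supplied code, not code from the thread or from t3hl33td4rg0n). It assumes PDO with an in-memory SQLite database instead of the thread's mysql_* extension (which was removed in PHP 7.0); the table layout (`$utbl` with `user` and `pass` columns) follows the thread, and the sample account and the attacker's username are constructed for the demo. It runs the original concatenated query, the escaped version, and the prepared-statement version against the same payload.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$utbl = 'users';   // same table variable as in the thread
$db->exec("CREATE TABLE `$utbl` (`user` TEXT PRIMARY KEY, `pass` TEXT NOT NULL)");
$ins = $db->prepare("INSERT INTO `$utbl` (`user`, `pass`) VALUES (?, ?)");
$ins->execute(['alice', md5('correct horse')]);   // constructed sample account

// 1. The original query shape: the username is spliced straight into the SQL text.
//    The password is safe only because md5() turns it into 32 hex characters.
function loginConcat(PDO $db, string $utbl, string $username, string $password): bool
{
    $s = "SELECT * FROM `$utbl` WHERE `user` = '" . $username .
         "' AND `pass` = '" . md5($password) . "'";
    return $db->query($s)->fetch() !== false;
}

// 2. Escaping, as the post recommends. PDO::quote() is the PDO counterpart of
//    mysql_escape_string(); it adds the surrounding single quotes itself.
function loginEscaped(PDO $db, string $utbl, string $username, string $password): bool
{
    $s = "SELECT * FROM `$utbl` WHERE `user` = " . $db->quote($username) .
         " AND `pass` = " . $db->quote(md5($password));
    return $db->query($s)->fetch() !== false;
}

// 3. A prepared statement: user data never becomes part of the SQL text at all,
//    so there is nothing to escape and nothing to forget to escape.
function loginPrepared(PDO $db, string $utbl, string $username, string $password): bool
{
    $st = $db->prepare("SELECT * FROM `$utbl` WHERE `user` = ? AND `pass` = ?");
    $st->execute([$username, md5($password)]);
    return $st->fetch() !== false;
}

// Constructed attacker input: closes the string literal, makes the WHERE clause
// always true, and comments out the password check that follows.
$payload = "alice' OR '1'='1' -- ";

printf("concatenated : %s\n", loginConcat($db, $utbl, $payload, 'wrong') ? 'LOGGED IN' : 'denied');
printf("escaped      : %s\n", loginEscaped($db, $utbl, $payload, 'wrong') ? 'LOGGED IN' : 'denied');
printf("prepared     : %s\n", loginPrepared($db, $utbl, $payload, 'wrong') ? 'LOGGED IN' : 'denied');
printf("real login   : %s\n", loginPrepared($db, $utbl, 'alice', 'correct horse') ? 'LOGGED IN' : 'denied');
```

Run it with `php login_demo.php`: the concatenated query logs the attacker in with a wrong password, the escaped and prepared versions deny it, and the genuine credentials still work. The prepared statement is the one to keep; escaping works only as long as every single interpolation point is remembered, and mysql_escape_string() in particular ignores the connection character set (mysql_real_escape_string() was its replacement before the whole extension went away).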
Old 05-23-07, 02:07 PM   #14
evilghost

Quote:
Originally Posted by ViN86
evilghost -

I assume that you're using md5() to hash the password. Is it OK to use the password() hashing method instead?

This is what I planned to use in my MySQL database.
What's the password() method? crypt()? I like MD5 because it's a one-way hash and to test for successful login all you have to do is:

if (md5($user_supplied_password) === $md5_value_from_db) { // strict comparison; == would compare two "0e..." digests as the number 0
    // auth_ok
} else {
    // auth_failed
}
Old 05-23-07, 06:07 PM   #15
ViN86
 

Quote:
Originally Posted by evilghost
What's the password() method? crypt()? I like MD5 because it's a one-way hash and to test for successful login all you have to do is:

if (md5($user_supplied_password) === $md5_value_from_db) { // strict comparison; == would compare two "0e..." digests as the number 0
    // auth_ok
} else {
    // auth_failed
}
The password() function is a hash function as well. It's inside MySQL, I believe.

EDIT:
http://dev.mysql.com/doc/refman/5.0/en/user-names.html

Actually, it appears to be its own encryption function in MySQL. I found a way to call the function outside of MySQL. I assume I just use that function instead of the md5() call?
http://us.php.net/mysql
Old 05-23-07, 07:56 PM   #16
evilghost

Quote:
Originally Posted by ViN86
The password() function is a hash function as well. It's inside MySQL, I believe.

EDIT:
http://dev.mysql.com/doc/refman/5.0/en/user-names.html

Actually, it appears to be its own encryption function in MySQL. I found a way to call the function outside of MySQL. I assume I just use that function instead of the md5() call?
http://us.php.net/mysql
This really comes down to preference, but I prefer md5 as a one-way hash versus an encrypted string for two reasons: first, there isn't a decryption method (aside from brute force or something like an md5 dictionary), and second, because if I md5() user input I am also successfully escaping it and preventing SQL injection, as opposed to having to call mysql_escape_string() and then pass the escaped sequence for encryption against the database.

Again, all preference.
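Two caveats on the password side of this thread, as an added example (editor-supplied, not code from the thread). First, MySQL's PASSWORD() is not encryption either; it is the one-way hash MySQL used for its own account passwords (deprecated in 5.7 and gone in 8.0), so neither choice is reversible. Second, a bare md5 of the password is fast and unsalted, so an md5 dictionary, which the post itself mentions, is exactly the attack it invites, and a loose `==` comparison of hex digests has a type-juggling hole of its own in PHP. The block below shows the loose check failing on two well-known inputs whose md5 digests both look like the number 0e..., the same check made strict and constant-time with hash_equals(), and the salted, slow hashing that password_hash()/password_verify() (PHP 5.5+) provide. The account data is constructed for the demo.

```php
<?php
// Added example, not from the thread.

// Loose comparison of two hex digests: what to avoid. If both strings look like
// "0e" followed only by digits, PHP's == compares them as the float 0.0 == 0.0.
function checkLoose(string $supplied, string $storedMd5): bool
{
    return md5($supplied) == $storedMd5;
}

// Same check made strict and constant-time.
function checkStrict(string $supplied, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($supplied));
}

// What to store instead of a bare md5: a salted, deliberately slow hash.
// password_hash() generates and embeds the salt; password_verify() reads it
// back out of the stored string, so no separate salt column is needed.
function enroll(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkModern(string $supplied, string $storedHash): bool
{
    return password_verify($supplied, $storedHash);
}

// Constructed account whose real password happens to md5 to 0e462097431906509019562988736854.
$storedMd5 = md5('240610708');
// A different string whose md5 is 0e830400451993494058024219903391: not the password,
// but == treats the two digests as equal numbers.
$attackerGuess = 'QNKCDZO';

var_dump(checkLoose($attackerGuess, $storedMd5));
var_dump(checkStrict($attackerGuess, $storedMd5));

$hash = enroll('correct horse');           // store this string in the `pass` column
var_dump(checkModern('correct horse', $hash));
var_dump(checkModern('wrong password', $hash));
```

The loose check accepts the wrong guess; the strict check and password_verify() reject it, and password_verify() still accepts the real password. Note that the md5 comparison only ever happens in PHP here: with password_hash() the lookup becomes `SELECT pass FROM users WHERE user = ?`, the hash is verified in application code, and the password never appears in the SQL text in any form, which is what makes evilghost's "md5 escapes it for me" argument unnecessary.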