I need to check that the values are identical. If $_POST['password']
= PASS
instead of pass
it would return 0 rows.
This script should echo 开发者_JAVA百科either 1 or 0. It works fine as it is, but I want to make it more secure.
$_POST['username'] = 'admin';
$_POST['password'] = 'pass';
mysql_connect('localhost', '', '');
mysql_select_db('database');
echo $num = mysql_num_rows(mysql_query("SELECT username,password FROM users WHERE username = '". mysql_real_escape_string($_POST['username']) . "' AND password = '". mysql_real_escape_string($_POST['password']) . "'"));
If you want to make it more secure, you shouldn't really be storing the password in plain text in the database at all. Storing a hash (e.g. MD5 or SHA1) of the password, preferably with a salt added, and then comparing that to a hash of the entered password each time is a better approach.
For your query, it sounds like you want to make it case sensitive though. To do that, you need to change the collation on the password column to be a case-sensitive collation. Those are the collations that end in _cs , like latin1_general_cs .
MySQL does case insentivive comparision, which is why PASS == pass
. You can circumvent that by setting the column type to BINARY
. Apart from that, never store the password plaintext in database but has it with sha or md5.
精彩评论