开发者

Password look up

开发者 https://www.devze.com 2023-03-19 01:12 出处:网络
Need a bit of help with a form. I have created a form which require log in. Once a person has logged in they complete the form and then someone else checks the form and enters there password before th

Need a bit of help with a form. I have created a form which require log in. Once a person has logged in they complete the form and then someone else checks the form and enters there password before the form is submitted.

I have set up some rules which checks the fields are completed correctly and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.

So far I have got this.

    if (!empty($_POST['password']))
{


/*connect to database to check password is valid*/
    $user_name = "contains username for database";
    $pass_word = "contains password";
    $database = "name of database";
    $server = "开发者_如何转开发localhost";

    $db_handle = mysql_connect($server, $user_name, $pass_word);
    $db_found = mysql_select_db($database, $db_handle);

    if ($db_found) {

        $uname = quote_smart($uname, $db_handle);
        $pword = quote_smart($pword, $db_handle);

        $SQL = "SELECT * FROM masterpass WHERE password = $password";
        $result = mysql_query($SQL);
        $num_rows = mysql_num_rows($result);

        if ($result) {
            if ($num_rows > 0) {
                continue;
            }
            else {
                $error = true;



  }

Not sure if I am going about this the right way so any help would be great.

Thanks in advance Matt


for starters, first you create $pword:

$pword = quote_smart($pword, $db_handle);

and in your query you use $password.

$SQL = "SELECT * FROM masterpass WHERE password = $password";

This can't work.

Secondly, you should ask for username AND password in your query.

Last but not least: never save a password in clear text in your database. Generate a MD5 hash!


I have set up some rules which checks the fields are completed correctly and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.

No, you don't. Checking to see if the password is already in the database is not a very smart thing to do, as that opens your application to brute-forcing attacks. I could use your form to determine which passwords are used, and if I can get a list of your users, I can try each of those passwords to each of those users and get access.

Secondly, quote_smart is probably not smarter than mysql_real_escape_string. Use that instead.

Thirdly, as Sascha already mentions, please generate a hash. I wouldn't use MD5, but sha1 instead, but even using MD5 without salt already increases the security in your form dramatically.

My mantra on validating passwords is: make sure it's longer than 7 characters, that's it. Don't make assumptions on what password people should use. I hate it if I type in a password and some validation routine tells me I can't use {^ in my password.

0

精彩评论

暂无评论...
验证码 换一张
取 消