[web] MySQL - Website with accounts
Author
Should I make a database with one table, and then inside the table have many rows, each being an account. Will this arise any security issues. I'm planning on using a MySQL query that will select only the username that the user entered. and then will verify the password with the retrieved info.
My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'
Where $name and $pass are convenably 'cleaned' values to avoid SQL insertion, which are input by the user. This way, the password information NEVER leaves the database, which prevents me from doing stupid things with it later on.
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'
Where $name and $pass are convenably 'cleaned' values to avoid SQL insertion, which are input by the user. This way, the password information NEVER leaves the database, which prevents me from doing stupid things with it later on.
You might wanna use the MD5 hash function in PHP. Even tho MD5 hashes are easily circumvented with a lookup table, you'll add an additional layer(And to make the hash more secure, you could add a few non-char(!@#$%^&*) at the beginning/end of all the passwords(So the lookup tables are less usefull).
Toolmaker
Toolmaker
Author
Thanks people. For now I am only learning, so I will read up on MD5 hash and the tables later. Thanks for the input!
Quote:Original post by ToohrVyk
My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'
Where $name and $pass are convenably 'cleaned' values to avoid SQL insertion, which are input by the user. This way, the password information NEVER leaves the database, which prevents me from doing stupid things with it later on.
Thats the same way I would do it, the idea of retrieving the password just scares me for some reason :D
Quote:Original post by ToohrVyk
Where $name and $pass are convenably 'cleaned' values to avoid SQL insertion.
what do u mean by "convenably 'cleaned' values to avoid SQL insertion"
Quote:
My approach is:
SELECT COUNT(*) FROM user_table WHERE name = '$name' AND password = '$pass'.
this is not secure u need to add more validations to yooour user name and password like forbidding to use the special characters likee - ' and others and not using the ordinary words "name" and "password"
jad_salloum: you answered your own question. That's exactly what he meant by cleaned values.
Edit: where did his post go? :D
Myself I store username, salt and password and hash the specified password with the stored salt for the specified username, and use that for comparison with the stored password.
"Downside" is that it gets case sensitive too.
I should really add "time" as a factor there somewhere too to prevent playback-attacks though.
Although I use mssql, not mysql, the approach would be the same.
Edit: where did his post go? :D
Myself I store username, salt and password and hash the specified password with the stored salt for the specified username, and use that for comparison with the stored password.
"Downside" is that it gets case sensitive too.
I should really add "time" as a factor there somewhere too to prevent playback-attacks though.
Although I use mssql, not mysql, the approach would be the same.
Quote:Original post by jad_salloum
what do u mean by "convenably 'cleaned' values to avoid SQL insertion"
Checking that SQL insertion is not possible. In the above case, it means that the ' character does not appear unescaped in the string, even though additional constraints could be placed on the password and login for usability.
Quote:
this is not secure u need to [things I already do] and not using the ordinary words "name" and "password"
Why would field names such as "name" and "password" be unsecure? Especially when most things I work on are readily available under the GPL for source code browsing?
EDIT: Or do you mean that I should forbid the use of the name "name" and the password "password" for the end user? At which point I understand what you mean by unsecure.
There is also the crypt function which allows you to add your own salt. It takes the form crypt($Password, 'ABCDEFG').
If you're working with mysql/php for the first time, I'd highly highly highly recommend becomming as familiar as possible with all of its weaknesses before you spend months programming the same flaws over and over again. Password security is a big big deal as is mysql injection statements. I'm sure there are a few other items to be aware of, but those are the two that come to mind.
If you're working with mysql/php for the first time, I'd highly highly highly recommend becomming as familiar as possible with all of its weaknesses before you spend months programming the same flaws over and over again. Password security is a big big deal as is mysql injection statements. I'm sure there are a few other items to be aware of, but those are the two that come to mind.
This topic is closed to new replies.
Advertisement
Popular Topics
Advertisement
