FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » php code
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: php code [message #177420 is a reply to message #177419] Tue, 27 March 2012 03:54 Go to previous messageGo to previous message
Michael Fesser is currently offline  Michael Fesser
Messages: 215
Registered: September 2010
Karma:
Senior Member
.oO(Denis McMahon)

> On Mon, 26 Mar 2012 08:05:29 -0700, shaurya077 wrote:
>
>> if($_SERVER["REQUEST_METHOD"]=="POST") {
>> $myusername=addslashes($_POST['user_name']);
>> $mypassword=addslashes($_POST['pass_word']);
>>
>> $sql="select id from userinformation WHERE username='$myusername' and
>> password='$mypassword' ";
>
> ewwwwww.
>
> at the very least, store some sort of hash of the p/w, and not the pw
> itself.

Correct, but ...

> eg:
>
> saving password, take the md5 sum of the password and store it.
> reading password, take the md5 of the given password and check that
> against the db.

.... even better would be a salted hash. Unsalted hashes are easy to
crack, so it's not much of a difference to plain-text passwords.

Additionally a proper escaping is required in order to prevent SQL
injection attacks (see mysql_real_escape_string()). addslashes() should
be avoided.

Micha

--
http://mfesser.de/blickwinkel
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Sharetext
Next Topic: Import values from XML file
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 05:37:39 GMT 2024

Total time taken to generate the page: 0.04065 seconds