Re: [PHP] Is this the best way?

14/03/2008, 18:44   #1
TG


What error are you getting? Maybe there's some way to fix that too.

Just remember that errors and notices are like pain. It usually means
there's something wrong. If you're getting an error, there may be a better
way of doing what you're doing.

Ideally, you should get zero results if there's no match in the user database.

Typically for a user lookup, you might do something like this:

SELECT <whatever> FROM usertable WHERE username = '<username>' AND password =
'<password>'

If you get zero results, then they don't exist OR they entered the wrong
password.

If you get more than one result, then you have a duplicate account.

If you have duplicate usernames, then you won't get multiple matches unless
the passwords are also duplicated.

Say, for example, you have a duplicated username but different passwords:

user: me
pass: pass1

user: me
pass: pass2


Then login will succeed if they use me/pass1 OR me/pass2 but each way,
you'll still only get one result from your db query.


btw.. before someone rails me for not mentioning security... typically you'd
store the passwords encrypted or hashed (one-way md5 or something) then you
encrypt or hash the password the same when the user is logging in and
compare them to the DB. That way, you don't store the password in
plaintext and you can still check to see if the right password is entered.


example:

user: me
pass: pass1
md5(pass1): laksro2i3 (fake md5.. lazy)

user logs in with:

user: me
pass: pass1

system runs md5(pass1) and gets laksro2i3 again. it matches what's in the
DB, so therefore is the correct password.


Anyway.. main point is.. if you're getting errors, try to fix them. If
you're getting multiple results on your user check, you may have bad
input/uniqueness checking or you may be implementing your user system not
as logically as you could.

-TG


----- Original Message -----
From: Jason Pruim <japruim@raoset.com>
To: "TG" <tg-php@gryffyndevelopment.com>
Cc: "PHP General List" <php-general@lists.php.net>
Date: Fri, 14 Mar 2008 13:00:11 -0400

> On Mar 14, 2008, at 12:51 PM, TG wrote:
>
> The username's will be unique... Still need to make that change to the
> DB but they will be.
>
> The main reason I'm doing it this way, is if I don't put in some kind
> of a check on the authentication then it pops up a mysql error saying
> that there is a problem with my syntax... instead of NOT logging them
> in... So I thought if I checked to make sure that the query only
> returned 1 row, it would match up and I could do some error checking
> based on that...


14/03/2008, 19:56   #2
Jason Pruim


On Mar 14, 2008, at 1:44 PM, TG wrote:

>
> What error are you getting? Maybe there's some way to fix that too.


The error I get without checking the row count is this:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'order by LName' at line 1
>
>
> Just remember that errors and notices are like pain. It usually means
> there's something wrong. If you're getting an error, there may be a
> better
> way of doing what you're doing.
>
> Ideally, you should get zero results if there's no match in the user
> database.
>
> Typically for a user lookup, you might do something like this:
>
> SELECT <whatever> FROM usertable WHERE username = '<username>' AND
> password =
> '<password>'


Which is very similar to what I have:

$loginQuery = "SELECT * FROM current WHERE loginName = ? AND loginPassword = ? LIMIT 0,1";
// Prepared statement: $user and $password are bound as values, never spliced into the SQL text,
// so a quote character in either cannot turn into a "SQL syntax" error (or an injection).
$loginStmt = mysqli_prepare($link1, $loginQuery) or die("Wrong data supplied or database error " . mysqli_error($link1));
mysqli_stmt_bind_param($loginStmt, 'ss', $user, $password);
mysqli_stmt_execute($loginStmt) or die("Wrong data supplied or database error " . mysqli_stmt_error($loginStmt));
$loginResult = mysqli_stmt_get_result($loginStmt); // needs mysqlnd; gives the same result object as mysqli_query() for the row-count check

>
>
> If you get zero results, then they don't exist OR they entered the
> wrong
> password.
>
> If you get more than one result, then you have a duplicate account.
>
> If you have duplicate usernames, then you won't get multiple matches
> unless
> the passwords are also duplicated.
>
> Say, for example, you have a duplicated username but different
> passwords:
>
> user: me
> pass: pass1
>
> user: me
> pass: pass2
>
>
> Then login will succeed if they use me/pass1 OR me/pass2 but each
> way,
> you'll still only get one result from your db query.
>
>
> btw.. before someone rails me for not mentioning security...
> typically you'd
> store the passwords encrypted or hashed (one-way md5 or something)
> then you
> encrypt or hash the password the same when the user is logging in and
> compare them to the DB. That way, you don't store the password in
> plaintext and you can still check to see if the right password is
> entered.


Which I have complete with some $salt added
>
>
>
> example:
>
> user: me
> pass: pass1
> md5(pass1): laksro2i3 (fake md5.. lazy)
>
> user logs in with:
>
> user: me
> pass: pass1
>
> system runs md5(pass1) and gets laksro2i3 again. it matches what's
> in the
> DB, so therefore is the correct password.
>
>
> Anyway.. main point is.. if you're getting errors, try to fix
> them. If
> you're getting multiple results on your user check, you may have bad
> input/uniqueness checking or you may be implementing your user
> system not
> as logically as you could.


It was the error, rather than multiple accounts that I'm checking for.
I'm not advanced enough in my programming ability to implement a true
multi user environment where user1/pass1 is different from user1/pass2


>
>
> -TG
>
>
> ----- Original Message -----
> From: Jason Pruim <japruim@raoset.com>
> To: "TG" <tg-php@gryffyndevelopment.com>
> Cc: "PHP General List" <php-general@lists.php.net>
> Date: Fri, 14 Mar 2008 13:00:11 -0400
>
>> On Mar 14, 2008, at 12:51 PM, TG wrote:
>>
>> The username's will be unique... Still need to make that change to
>> the
>> DB but they will be.
>>
>> The main reason I'm doing it this way, is if I don't put in some kind
>> of a check on the authentication then it pops up a mysql error saying
>> that there is a problem with my syntax... instead of NOT logging
>> them
>> in... So I thought if I checked to make sure that the query only
>> returned 1 row, it would match up and I could do some error checking
>> based on that...



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424-9337
www.raoset.com
japruim@raoset.com
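Putting together TG's three outcomes (zero rows, one row, more than one row) and the login query Jason posted, the following is an added example in PHP and is not code from either poster. It assumes PHP 7 or later with mysqli, a table named `users` with a UNIQUE `username` column and a `password_hash` column, and an open mysqli connection `$link`; those names, the functions `register_user` and `check_login`, and the connection details in the usage comment are my own, and `password_hash()`/`password_verify()` stand in for the md5-with-`$salt` scheme discussed above. The point it adds to the thread is that a failing query returns `false` (or throws) and must be handled separately from a query that simply matched nothing.

```php
<?php
// Added example for this thread (not code from either poster). It keeps the
// outcomes TG describes apart (query error / no match / duplicate account) and
// replaces md5($salt . $pass) with password_hash(), which salts for you.
// Assumed: PHP 7+ with mysqli, a table `users` (username UNIQUE, password_hash),
// and a connection $link. All names and connection details are constructed.
// PHP 8.1+ makes mysqli throw mysqli_sql_exception by default; either catch it
// or call mysqli_report(MYSQLI_REPORT_OFF) so the false checks below apply.

/**
 * Store a new account. Returns false on any DB error, including the
 * duplicate-key error a UNIQUE index on username raises for a second "me".
 */
function register_user(mysqli $link, string $username, string $password): bool
{
    $stmt = mysqli_prepare($link, 'INSERT INTO users (username, password_hash) VALUES (?, ?)');
    if ($stmt === false) {
        error_log('prepare failed: ' . mysqli_error($link));
        return false;
    }
    // Slow, salted hash; the salt is embedded in the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        error_log('insert failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

/**
 * Check a login attempt. Returns one of:
 *   'ok'                 username found and password verified
 *   'bad-credentials'    no such user OR wrong password (same answer for both)
 *   'duplicate-account'  more than one row for the username: a data problem, not a login
 *   'query-error'        the SQL itself failed: fix the code, do not treat it as a failed login
 */
function check_login(mysqli $link, string $username, string $password): string
{
    // Look up by username only; the password is checked in PHP against the
    // stored hash, so it never appears in the WHERE clause.
    $stmt = mysqli_prepare($link, 'SELECT password_hash FROM users WHERE username = ?');
    if ($stmt === false) {
        // A SQL syntax error shows up here, as false, not as "zero rows".
        error_log('prepare failed: ' . mysqli_error($link));
        return 'query-error';
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return 'query-error';
    }

    // Collect every matching row so a duplicate account becomes visible.
    $hashes = [];
    mysqli_stmt_bind_result($stmt, $storedHash);
    while (mysqli_stmt_fetch($stmt)) {
        $hashes[] = $storedHash;
    }
    mysqli_stmt_close($stmt);

    if (count($hashes) === 0) {
        // Spend roughly the cost of one verify so an unknown username is not
        // measurably faster to reject than a wrong password.
        password_hash($password, PASSWORD_DEFAULT);
        return 'bad-credentials';
    }
    if (count($hashes) > 1) {
        error_log("duplicate rows for username '$username'; check the UNIQUE index");
        return 'duplicate-account';
    }
    return password_verify($password, $hashes[0]) ? 'ok' : 'bad-credentials';
}

// Usage with constructed connection details:
// $link = mysqli_connect('localhost', 'app', 'app-password', 'appdb');
// register_user($link, 'me', 'pass1');
// $outcome = check_login($link, 'me', 'pass1');   // grant the session only when $outcome === 'ok'
```

Two design choices worth noting: the password is never part of the SQL, so the query returns every row for the username and the `> 1` case TG describes can actually be detected (comparing the password inside the `WHERE` hides it, as he points out); and a `'query-error'` result is logged and fixed rather than shown to the user as a failed login, which is the distinction the thread turns on.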


