PHP and MySQL compare password

How do I check whether the user has entered the correct password for login?

Here is what (out of many combinations ...) I am doing:

<?php

$login = $_POST['login'];
$password = $_POST['password'];

mysql_connect('localhost', 'root', 'abc123');

mysql_select_db('aun_vox') or die(mysql_error());

// $login is interpolated straight into the SQL text, unescaped
$q = mysql_query("SELECT password FROM customer WHERE login='$login'");
// first column of the first row, or false if no row matched
$db_pass = mysql_result($q, 0);

if(md5($password) == $db_pass)
{
    echo "You did it.";
}

else echo "Wrong.";

?>

As I can see from the output, something is wrong in the mysql_result bit, but I cannot figure out the right way.

Can someone help?

+5
5 answers

I see that you store the password hash in the database, but for other readers: never store passwords in plain text in the database. You do not want to be like Monster.com.uk!

, MD5(). SHA256. - PHP hash().

salt. . rainbow table.

mysqli mysql. Mysqli , SQL-.

. , :

$input_login = $_POST['login'];
$input_password = $_POST['password'];

// $mysqli is an open mysqli connection
function check_login(mysqli $mysqli, $input_login, $input_password) {
  $stmt = $mysqli->prepare("SELECT password, salt FROM customer WHERE login = ?");
  $stmt->bind_param("s", $input_login);
  $stmt->execute();
  $stmt->bind_result($password_hash, $salt);

  $matched = false;
  while ($stmt->fetch()) {
    $input_password_hash = hash('sha256', $input_password . $salt);
    // strict comparison: == would loosely compare hex strings
    if ($input_password_hash === $password_hash) {
      $matched = true;
    }
    // You may want to log failed password attempts here,
    // for security auditing or to lock an account with
    // too many attempts within a short time.
  }
  $stmt->close();

  // false when no rows matched $input_login, or the password did not match
  return $matched;
}

, login = ? AND password = ?, . , , , - , .

, , , , .


@Javier , ( ) . .

MD5() PHP- - . . , , PHP.

PHP . , , . SQL-, , , . , !

, - PHP, ( PHP-), .

+17

-, , - mysql_real_escape_string().

MySQL MD5 ?

SELECT login FROM customer WHERE login='$login' AND password = MD5('$password')

mysql_num_rows(), .

+2

:

  • . . , "Robert", "drop table"?. escaping-, ( ) .
  • . ( )
  • .

, , - :

// PDO rendering of the pseudocode (preparestatement/bindvalue/execprepared
// are not real PHP functions); connection details are the ones from the question
$pdo = new PDO('mysql:host=localhost;dbname=aun_vox', 'root', 'abc123');
$q = $pdo->prepare("SELECT id FROM customer WHERE login=? AND password=?");
$q->bindValue(1, $_POST['login']);
$q->bindValue(2, md5($_POST['password']));
$q->execute();
$id = $q->fetchColumn(); // false when no row matched

if($id) {
    echo "You did it.";
} else {
    echo "Wrong.";
}

+1

FORM POST $_POST ['password']// // php/jsp/ ,

md5-, md45 ('{$ _ POST [' password ']}') = db; mysql ( " " ) , $_POST ['password'] mysqli_query mysqli_fetch_array, , .

0

, PHP 5.6, hash_compare.

// algorithm name must be a quoted string; $users_dbpassword is the stored hash
$users_password = hash('sha256', $salt . $post_password);

// hash_equals() compares in constant time (PHP 5.6+)
if (hash_equals($users_dbpassword, $users_password)) {
    // pass is good
} else {
    // pass failed
}

http://php.net/manual/ru/function.hash-equals.php

0
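The following is an added example, not code from the question or from any of the answers above. It puts together the scheme the first answer describes (a per-user random salt, sha256 over password plus salt, a prepared statement for the lookup) with the hash_equals() comparison the last answer recommends. It assumes PHP 7 or later and uses PDO with an in-memory SQLite database and constructed sample rows in place of the MySQL customer table from the question, so it runs offline; the table layout (login, password, salt) is taken from the first answer's query.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7+ with the
// pdo_sqlite extension. SQLite in memory stands in for the MySQL
// 'customer' table; the login/password/salt columns follow answer 1.

function make_salt(): string {
    // 16 random bytes, hex-encoded: a fresh salt for every user
    return bin2hex(random_bytes(16));
}

function hash_password(string $password, string $salt): string {
    // same construction as answer 1: sha256(password . salt), hex string
    return hash('sha256', $password . $salt);
}

function register(PDO $db, string $login, string $password): void {
    $salt = make_salt();
    $stmt = $db->prepare("INSERT INTO customer (login, password, salt) VALUES (?, ?, ?)");
    $stmt->execute([$login, hash_password($password, $salt), $salt]);
}

function check_login(PDO $db, string $login, string $password): bool {
    // Parameterised lookup: the login value is bound, never spliced into SQL text,
    // so quotes or keywords in it are treated as data.
    $stmt = $db->prepare("SELECT password, salt FROM customer WHERE login = ?");
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown login: still compute a hash so the response time does not
        // reveal whether the login exists.
        hash_password($password, 'no-such-user-salt');
        return false;
    }
    // hash_equals() is strict and constant-time, unlike == on two hex strings.
    return hash_equals($row['password'], hash_password($password, $row['salt']));
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customer (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT, salt TEXT)");
register($db, 'alice', 'correct horse battery staple');

var_dump(check_login($db, 'alice', 'correct horse battery staple')); // correct password
var_dump(check_login($db, 'alice', 'wrong password'));               // wrong password
var_dump(check_login($db, 'nobody', 'anything'));                    // unknown login
var_dump(check_login($db, "alice' OR '1'='1", 'anything'));          // bound as a literal login, no row matches
```

The order of the hash_equals() arguments follows the manual: the known (stored) value first, the user-derived value second. Note that, going beyond what the thread discusses, PHP 5.5 and later ship password_hash() and password_verify(), which use a slow, salted hash (bcrypt by default) and handle salt generation and comparison themselves; for new code that API is preferable to hand-rolled sha256 plus salt, because a single fast sha256 round is cheap to brute-force offline if the table leaks.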
