
MySQL Storing Password

OK, I am going to make an admin center for my script. The admin password is going to be stored in a MySQL database. I'm going to get the password and check if it's the same as the one entered. The thing is, I want to know if there is some special security feature I should use.

PHP

11 Comment(s)

@chazzy, Nov 28, 2005 — one-way encryption only.

You can write a function to encrypt passwords, use MySQL's PASSWORD function, etc., but don't store in clear text.
@NogDog, Nov 28, 2005 — If you want to use the MySQL PASSWORD function, it's pretty straightforward. When you create/modify the user's password, you store it in the database:
[code=php]
# assume $user and $password hold the user name and password values
$query = "INSERT INTO users SET name = '$user', password = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
# mysql_affected_rows() takes an optional link identifier, not the result resource
if(mysql_affected_rows() == 1)
{
# added row successfully
}
[/code]

When checking the password:
[code=php]
$query = "SELECT * FROM users WHERE user = '$user' AND password = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1)
{
# found exactly one match so we're good to go
}
[/code]
@acemo, Nov 28, 2005 — the following code gives me this error:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'user' = '' AND 'password' = PASSWORD('')' at lin

[code=php]
$query = "SELECT * FROM 'users' WHERE 'user' = '$user' AND 'password' = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1){
[/code]


I don't know what MySQL version my host is using.

Is there any command for checking the MySQL version?

Did I do something wrong in this code?

Or does someone know a query that works with all versions of MySQL?
@NogDog, Nov 28, 2005 — It would appear that $user and $password are not set (thus the empty quotes in the relevant places in the query). Either change those variables to whatever you are using in your login script to store the login name and password input by the user, or change the variable names you use to store them.
@acemo, Nov 28, 2005 — forgot to get the user name and password, yeah.

now, using this to get the user name and password into a variable

logging in with user name acemo and password password

the form:
[code=php]
<form action='<?php echo htmlspecialchars($_SERVER['PHP_SELF']) ?>' method='post'>
<fieldset>
<legend>Log In</legend>
<p><label for="username">User Name:</label>
<input id="username" name="username" type="text" size="16" maxlength="16">
</p>
<p><label for="password">Password:</label>
<input id="password" name="password" type="password" size="16" maxlength="16">
</p>
<p><input type="submit" name="submit" value="Log In"></p>
<?php
if(!empty($error))
{
echo $error;
}
?>
</fieldset>
</form>
[/code]

the script:
[code=php]
if(isset($_POST['submit']))
{
$user = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM 'users' WHERE 'user' = '$user' AND 'password' = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1){
$_SESSION['logged'] = TRUE;
if(isset($_SESSION['caller'])) # if we got here from another page, go there
{
header("Location: " . $_SESSION['caller']);
exit;
}
else # otherwise go to main page
{
header("Location: index.php");
exit;
}
}
else # invalid login, so create error message
{
$error = "<p id='error'>ERROR: Invalid user name and/or password.</p>";
}
}
[/code]


the error:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''users' WHERE 'user' = 'acemo' AND 'password' = PASSWORD('passw
@NogDog, Nov 28, 2005 — Use backwards quotes (sometimes called back-ticks) around column and table names, not regular quotes:
[code=php]
$query = "SELECT * FROM `users` WHERE `user` = '$user' AND `password` = PASSWORD('$password')";
[/code]

(You probably only need the back-ticks around the password column name, as it is a reserved word. But using them on all the table/column names doesn't hurt.)
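To make the difference between the two kinds of quote concrete, here is an added helper that is not NogDog's or acemo's code. In MySQL `'users'` is a string literal, which is why `FROM 'users'` is a syntax error, while `` `users` `` names the table; the helper quotes table and column names as identifiers and leaves values to placeholders. The table and column names and the mysqli connection details are assumptions. The `mysql_*` functions used in this thread were removed in PHP 7, so the usage sketch uses the mysqli extension instead.

```php
<?php
// Added example, not code posted in this thread. Shows identifier quoting with
// backticks, as opposed to the single quotes that produced acemo's syntax error.
// Table and column names, and the mysqli connection, are assumptions.
declare(strict_types=1);

// Quote a table or column name as an identifier. The allow-list regex restricts
// names to plain ASCII identifiers of at most 64 characters (MySQL's limit), so a
// reserved word such as password is fine but a backtick or quote is rejected.
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Refusing to quote identifier: $name");
    }
    return '`' . $name . '`';
}

// Build the lookup query with identifiers in backticks and the user name as a
// placeholder. Values never go inside the SQL text, so they need no quoting.
function buildLoginQuery(string $table, string $userCol, string $passCol): string
{
    return sprintf(
        'SELECT %s FROM %s WHERE %s = ?',
        quoteIdentifier($passCol),
        quoteIdentifier($table),
        quoteIdentifier($userCol)
    );
}

$sql = buildLoginQuery('users', 'user', 'password');
echo $sql, "\n";

// With mysqli (assumed connection details), the bound value replaces the ? at
// execution time, so quote characters in $user are data rather than SQL:
//
// $mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
// $stmt   = $mysqli->prepare($sql);
// $stmt->bind_param('s', $user);
// $stmt->execute();
// $row = $stmt->get_result()->fetch_assoc();   // null when the user name is unknown
```

With the assumed names the script prints SELECT `password` FROM `users` WHERE `user` = ?; passing a name such as `it's` to `quoteIdentifier()` throws instead of producing a malformed query.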
@acemo, Nov 28, 2005 — current code:
[code=php]
if(isset($_POST['submit']))
{
$user = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM `users` WHERE `user` = '$user' AND `password` = PASSWORD('$password')";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) == 1){
$_SESSION['logged'] = TRUE;
if(isset($_SESSION['caller'])) # if we got here from another page, go there
{
header("Location: " . $_SESSION['caller']);
exit;
}
else # otherwise go to main page
{
header("Location: index.php");
exit;
}
}
else # invalid login, so create error message
{
$error = "<p id='error'>ERROR: Invalid user name and/or password.</p>";
}
}
[/code]


current error:

Unknown column 'user' in 'where clause'


screenshot to my phpmyadmin:

[URL=http://80.60.218.3/phpmyadmin.jpg]http://80.60.218.3/phpmyadmin.jpg[/URL]
@Sheldon, Nov 28, 2005 — So is user a valid name in your database?
@Pixel-Artist (author), Nov 28, 2005 — There is no user, just a password.
@Sheldon, Nov 28, 2005 — Well, you are trying to select a username from your database, so you have to have a field called "user" in the database, else you will just be selecting distinct passwords:

[code=php]$query = "SELECT * FROM users WHERE password = PASSWORD('$password')";[/code]

but that will mean on your register script you would have to check that the password does not already exist before you add it.

Then that means you can take the username field off your form.

[b]But the best idea is to add a username field to your database![/b]
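The three pieces of advice in this thread (chazzy's "one-way only, never clear text", NogDog's store-then-compare flow, and Sheldon's "add a username field") fit together as follows. This is an added example, not code from any poster: the hash is computed in PHP with password_hash() rather than MySQL's PASSWORD() (deprecated in MySQL 5.7 and removed in 8.0), the table is keyed on a username column, and both the INSERT and the SELECT use PDO prepared statements instead of interpolating form input into the query string. The table and column names are assumptions, and an in-memory SQLite database is used so the file runs stand-alone; the SQL is the same on MySQL apart from the DSN.

```php
<?php
// Added example, not code from this thread. Hashes the password in PHP and keeps
// the plaintext out of both the database and the SQL text. Table/column names
// and the SQLite DSN are assumptions; use a mysql: DSN for MySQL.
declare(strict_types=1);

function openDb(): PDO
{
    // On MySQL: new PDO('mysql:host=localhost;dbname=app', $dbUser, $dbPass)
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The user name is the key (Sheldon's point) and the password column holds a
    // one-way hash (chazzy's point). password_hash() output is 60 characters for
    // bcrypt; 255 leaves room for a future default algorithm.
    $db->exec('CREATE TABLE users (
        username      VARCHAR(16)  NOT NULL PRIMARY KEY,
        password_hash VARCHAR(255) NOT NULL
    )');
    return $db;
}

// Create an account. Only the hash is stored; a duplicate user name fails on the
// PRIMARY KEY constraint, so no separate existence check is needed.
function createUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// A valid hash of a throwaway value, so that an unknown user name costs the same
// password_verify() call as a known one and the response time does not differ.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('unused-placeholder', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Fetch the stored hash by user name and compare in PHP. Only the user name is
// bound as a parameter; the submitted password never reaches the database.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $stored = ($row === false) ? dummyHash() : $row['password_hash'];
    $ok = password_verify($password, $stored);
    return $row !== false && $ok;
}

// Usage with the thread's example credentials (user name acemo, password "password").
$db = openDb();
createUser($db, 'acemo', 'password');
var_dump(checkLogin($db, 'acemo', 'password'));    // correct password
var_dump(checkLogin($db, 'acemo', 'Password'));    // wrong case
var_dump(checkLogin($db, "o'brien", 'password'));  // quote in input is data, not SQL
```

The login script in the thread can call checkLogin() in place of its mysql_query()/mysql_num_rows() pair and keep the rest of its session and redirect logic unchanged; the register script calls createUser() and catches the PDOException a duplicate user name raises.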