Re: php code [message #177420 is a reply to message #177419] Tue, 27 March 2012 03:54
Michael Fesser
.oO(Denis McMahon)

> On Mon, 26 Mar 2012 08:05:29 -0700, shaurya077 wrote:
>
>> if($_SERVER["REQUEST_METHOD"]=="POST") {
>> $myusername=addslashes($_POST['user_name']);
>> $mypassword=addslashes($_POST['pass_word']);
>>
>> $sql="select id from userinformation WHERE username='$myusername' and
>> password='$mypassword' ";
>
> ewwwwww.
>
> at the very least, store some sort of hash of the p/w, and not the pw
> itself.

Correct, but ...

> eg:
>
> saving password, take the md5 sum of the password and store it.
> reading password, take the md5 of the given password and check that
> against the db.

... even better would be a salted hash. Unsalted hashes are easy to
crack, so they're not much different from plain-text passwords.

Additionally, proper escaping is required in order to prevent SQL
injection attacks (see mysql_real_escape_string()). addslashes() should
be avoided.

Micha

--
http://mfesser.de/blickwinkel
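The two fixes this reply asks for, a salted password hash and keeping user input out of the SQL text, worked through as an added example that is not part of the thread. It goes a step beyond the 2012 advice: instead of a hand-rolled salted md5 it uses PHP's password_hash()/password_verify(), which generate and store a random per-user salt, and instead of escaping with mysql_real_escape_string() (the mysql_ extension it belongs to was removed in PHP 7) it uses PDO prepared statements, which make escaping unnecessary. The in-memory SQLite database, the sample user and the helper names registerUser() and authenticate() are constructed for the example; the table and column names follow the original post.

```php
<?php
// Added example, not code from the thread. Shows a salted password hash and a
// parameterised login query replacing the md5()/addslashes() approach quoted
// above. Runs offline against an in-memory SQLite database (constructed stand-in
// for the MySQL database in the original post).
declare(strict_types=1);

// Constructed: schema follows the original post's table and column names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinformation (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');

// Registration (hypothetical helper): password_hash() draws a random salt for
// this user and stores it inside the returned string together with the
// algorithm identifier and cost, so no separate salt column is needed.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO userinformation (username, password) VALUES (:u, :p)'
    );
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login (hypothetical helper). The :u placeholder keeps the submitted username
// out of the SQL text entirely: quotes or an "OR '1'='1" fragment are matched
// literally as a username and never reach the parser as SQL.
// Returns the user id on success, null otherwise.
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT id, password FROM userinformation WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // password_verify() reads the salt and cost back out of the stored string,
    // re-derives the hash and compares it in constant time.
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample user.
registerUser($db, 'alice', 'correct horse battery staple');

var_dump(authenticate($db, 'alice', 'correct horse battery staple'));
var_dump(authenticate($db, 'alice', 'wrong password'));
// A classic injection payload in the username field is now just an unknown user.
var_dump(authenticate($db, "' OR '1'='1", 'anything'));
```

Of the three calls at the end, only the first returns an id; the wrong password and the injection attempt both return null, and the third would have matched every row under the original string-concatenated query. Note that the `password` column must be wide enough for the full hash string (currently 60 characters for bcrypt, and PASSWORD_DEFAULT may grow in later PHP releases), which is one more reason not to size it for a 32-character md5.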