C and Cpp: Password Protection Question

#16
August 12th, 2004, 02:53 PM
meat (Contributing User, San Diego)
The $user and $pass vars are inputs from an HTML form, and the passwords are stored in the SQL database. What this basically does is: if the username and password match, go on to the index and set a session; if not, tell them wrong user and pass and exit the code.
__________________
@robertoross
github.com/bobbytables

#17
August 13th, 2004, 08:37 AM
Instinct (Contributing User)
Split it... first check the username, then the password....

Code:
// Looks the user up by name only; the password is checked afterwards in PHP
$sql = "SELECT user, pass FROM users WHERE username = '" . $_POST['user'] . "'";

Then report if the username doesn't exist.

If the username does exist, then check the password by first storing the result from $sql as a variable ($infopasswrd, for example), then check:
Code:
if ($_POST['pass'] != $infopasswrd) {
    echo "failed to login";
}
__________________
<!-- // Blah! // -->

#18
August 13th, 2004, 01:01 PM
meat (Contributing User, San Diego)
And where exactly would $infopasswrd come from? A worked array from the database?

#19
August 13th, 2004, 05:09 PM
Chippo (Contributing User, Stockport, UK)
$infopassword is the variable he has used for the password retrieved in the query.

#20
August 14th, 2004, 12:09 AM
meat (Contributing User, San Diego)
Yah, I figured. And cool, it works now. Appreciate all of the help, everyone.

#21
August 25th, 2004, 01:53 AM
Instinct (Contributing User)
Glad to have helped.

#22
August 25th, 2014, 08:28 PM
meat (Contributing User, San Diego)
Let's make it better :)

Hello young version of me! You posted this over 10 years ago. Since then you've gone on to be a competent engineer. I'm here to answer your (my) question with the experience and knowledge you've gained since then. Hope this helps.


First off, you're off to a good start. We just need to tighten some things up to make this even better code and land you that job.

The first thing that stands out to me is that you need to get over cookies; just forget about them for a second. They will not help you in this situation as much as you're convinced they will.

I'm going to let you in on a little secret, PHP's $_SESSION uses a cookie under the hood FOR YOU. Crazy right?

What's happening is that PHP will set a cookie for you, typically with the name PHPSESSID, and an auto-generated ID. When you set values on your $_SESSION array (also known as a hash or dictionary), PHP will maintain that value for you.

Now another thing: keeping passwords in the database isn't a bad thing, but keeping the plaintext password (the password as the user typed it, word for word) is horrifying. What if someone manages to steal your database? Now they have all of your users' passwords!
One way to mitigate this is to do what's called hashing. When you "hash" something, you convert the string into what is seemingly random characters, but really there is interesting math going on to make those characters. And it's reproducible: it will make the same set of characters each time. But the best part is that it doesn't go the other way! (Kinda, we won't go into that.)
So that means you can store your users' hashed passwords, and if someone steals your database, they won't know the real password.

You can do this in PHP with: <?php $hashed_password = md5($_POST['password']); ?>

So when a user logs in, your MySQL query will look like this!

PHP Code:
<?php

$connection = mysql_connect("localhost", "meat", "password");
$sdb = mysql_select_db("forged");

$hashed_password = md5($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE email = '" . $_POST['email'] . "' AND password = '" . $hashed_password . "' LIMIT 1");

$results = mysql_fetch_assoc($query);

// mysql_fetch_assoc() returns FALSE when no row matched, and count(FALSE) is 1,
// so test the row itself rather than its size
if ($results !== false) {
    header('Location: index.php');
} else {
    echo "Incorrect password!";
}

?>


Voila! Now your password is hashed and isn't reversible! Just remember to hash the password before you INSERT INTO users as well.

Now for the other thing that stands out to me, we have to sanitize those database inputs! We don't want you to end up with the name Bobby Tables now do we?

What does "sanitize those database inputs" mean? Well, when you allow a user to type in something and check it against your database, you're giving them the opportunity to do what's called a SQL injection attack. You can read about those here: http://en.wikipedia.org/wiki/SQL_injection

So how do we fix this in PHP? Well, we just remove the nasty characters from the form inputs the user submitted. For example!

PHP Code:
<?php

$connection = mysql_connect("localhost", "meat", "password");
$sdb = mysql_select_db("forged");

$hashed_password = md5($_POST['password']);
// escape the user-supplied e-mail before it goes into the query string
$safe_email = mysql_real_escape_string($_POST['email']);
$query = mysql_query("SELECT * FROM users WHERE email = '" . $safe_email . "' AND password = '" . $hashed_password . "' LIMIT 1");

$results = mysql_fetch_assoc($query);

// mysql_fetch_assoc() returns FALSE when no row matched, and count(FALSE) is 1,
// so test the row itself rather than its size
if ($results !== false) {
    header('Location: index.php');
} else {
    echo "Incorrect password!";
}

?>


You'll notice that we didn't sanitize (also known as escape) the password; that's because the md5 function will only return alphanumeric characters, which should be fine.

Keep up the learning! Never stop, ever. Learn something every day. Who knows, you might end up working at a hosting company in 10 years.

- Bobby Tables

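The register/login flow the last post describes, written out as an added example that is not the poster's code and not from the original thread. It swaps in two things a current PHP practitioner would use for the post's md5() and mysql_real_escape_string(): password_hash()/password_verify(), which salt the hash and use a deliberately slow algorithm, and a PDO prepared statement, which sends the e-mail to the database as a bound parameter instead of splicing it into the SQL text. It assumes PHP 7.1 or later with the pdo_sqlite extension; the users table, the column names and the two sample accounts are constructed for the example.

```php
<?php
// Added example, not the original poster's code: the same register/login flow
// the post above describes, with password_hash()/password_verify() swapped in
// for md5() and a PDO prepared statement swapped in for string concatenation
// plus mysql_real_escape_string(). It runs offline against an in-memory SQLite
// database; the users table and the sample accounts are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same two columns the thread's queries rely on.
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration: hash BEFORE the INSERT, as the post says. password_hash() adds a
// random salt and uses a deliberately slow algorithm (bcrypt by default), so
// identical passwords produce different rows and a stolen table is expensive to
// crack; the result contains only printable ASCII.
function register_user(PDO $db, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Login: the e-mail travels to the database as a bound parameter, never spliced
// into the SQL text, so a quote in the input is data rather than syntax. The
// password is checked in PHP with password_verify() rather than in the WHERE
// clause, because every stored hash carries its own salt.
function login_ok(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;          // unknown e-mail: no row, not "count(false)"
    }
    return password_verify($password, $row['password']);
}

// Constructed sample accounts. The second one has an apostrophe in the address,
// the kind of input that breaks a concatenated query even without an attacker.
register_user($db, 'meat@example.com', 'correct horse battery staple');
register_user($db, "o'brien@example.com", 'hunter2');

$checks = [
    ['meat@example.com',    'correct horse battery staple', true],
    ['meat@example.com',    'wrong password',               false],
    ["o'brien@example.com", 'hunter2',                      true],
    ['nobody@example.com',  'hunter2',                      false],
];
foreach ($checks as [$email, $password, $expected]) {
    $got = login_ok($db, $email, $password);
    printf("%-22s %s\n", $email, $got === $expected ? 'ok' : 'MISMATCH');
}

// On success a real page would call session_start(), store the user's id in
// $_SESSION and call session_regenerate_id(true) before the redirect, so the
// PHPSESSID cookie the post mentions is rotated at login.
```

Running it prints four "ok" lines. The apostrophe account is the point of the prepared statement: with the thread's concatenated query that address would have produced a syntax error (or worse) before any attacker showed up, whereas a bound parameter treats it as plain data. Keeping the password comparison in PHP also means a leaked table of bcrypt hashes cannot be turned back into a working WHERE clause the way a table of unsalted md5 values can.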