QUOTE(JackOfAllTrades @ 29 Aug, 2008 - 02:29 PM)
When a user attempts to log in, you hash the value provided by the user -- as you did before you saved it -- and compare it to the hashed value stored in your database.
Sorry to horn in, but this has me wondering about a technique I'm trying.
I know that your way is the accepted way of doing it, but I'm wondering if it's really necessary. Since it's all happening server side anyway, and the user's password has to get to the server before it can be hashed, is there anything wrong with grabbing the password from the user and the database and comparing them? I'm not talking about doing it the way that (it appears) that others have done it. I'm talking about looking up the password by using the username. To block any insertion techniques, I still hash the password, so I'm wondering if this could have some vulnerability that I'm overlooking.
Here's some of my code:
CODE
if (($_POST['UName'] != "") and ($_POST['UPass'] != "")){
mysql_connect("127.0.0.1", "root", "mypassword") or die(mysql_error()); // Connect to database & table.
mysql_select_db("mydatabase") or die(mysql_error()) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
$UN=$_POST['UName'];
$users = mysql_query("SELECT * FROM Security WHERE Username = '$UN'") or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
$thisuser = mysql_fetch_array( $users );
mysql_close();
$loginsalt = md5($_POST['UPass'].$thisuser['salt']);
$actualsalt = md5($thisuser['Psswrd'].$thisuser['salt']);
if ($loginsalt == $actualsalt) {
$_SESSION['logname'] = $thisuser['Username'];
$_SESSION['pwd'] = $thisuser['Psswrd'];
echo '<meta HTTP-EQUIV="REFRESH" content="0; url=accessgranted.php">';
}
}
29 Aug, 2008 - 12:29 PM
| 