Posted by J.O. Aho on 12/17/06 22:44
Dave Nash wrote:
> On Fri, 15 Dec 2006 10:02:59 +0100, "J.O. Aho" <user@example.net>
> wrote:
>>> This is my query.
>>> "select userid from users
>>> where u_name='" . $_SESSION['u_name'] . "' and p_word='" .
>>> $_SESSION['p_word'] . "'"
>> IMHO it's not good to store passwords in a session; the session can be
>> readable by the wrong persons on the web server, and so someone can get the
>> passwords. I wouldn't store passwords as plain text in a database for the same
>> reason. MD5() is a good function in SQL and PHP; store the password in
>> MD5 format in the database.
>
> This has totally lost me.
> Is this option in place of the following login script?
> // query for a user/pass match
> $result=mysql_query("select userid from users
> where u_name='" . $_SESSION['u_name'] . "' and p_word='" .
> $_SESSION['p_word'] . "'");
Yes, you should avoid storing the password in $_SESSION['p_word']. If the
login did work, then the password was right and you get the userid value;
store that into the session instead of the password, and next time you need to
fetch something that has to do with the current user, use
$_SESSION['userid'] in your SQL query.
1. Query the database to see if there is a username and password that matches
what the user entered in the form
2. Store the userid into $_SESSION
3. Use the userid that you stored in $_SESSION for further SQL queries
--
//Aho
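The three steps above, written out as a complete login flow. This is an added example, not code from the thread; it assumes a `users` table with the columns `userid`, `u_name` and `p_word` from the original query, uses an in-memory SQLite database through PDO in place of the poster's MySQL setup so it runs stand-alone, and stores the password with `password_hash()`/`password_verify()` instead of the MD5() the reply mentions. The session only ever holds the userid.

```php
<?php
// Added example (not from the thread). Assumed schema: users(userid, u_name, p_word).
// p_word holds a password_hash() digest, swapped in for the MD5() mentioned above.
declare(strict_types=1);

session_start();

// Registration: store the hash, never the plain-text password.
function create_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (u_name, p_word) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Step 1: query the database for the username and check the submitted password
// against the stored hash. Returns the userid on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // Parameterized query: the form values never become part of the SQL text.
    $stmt = $pdo->prepare('SELECT userid, p_word FROM users WHERE u_name = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['p_word'])) {
        return null;
    }
    return (int) $row['userid'];
}

// Step 2: on success, store only the userid in the session. The session id is
// rotated so the authenticated session does not keep the pre-login id.
function login(PDO $pdo, string $username, string $password): bool
{
    $userid = authenticate($pdo, $username, $password);
    if ($userid === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
    return true;
}

// Step 3: later requests use $_SESSION['userid'] in their queries; the password
// is never needed again.
function current_user_name(PDO $pdo): ?string
{
    if (!isset($_SESSION['userid'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT u_name FROM users WHERE userid = :id');
    $stmt->execute([':id' => $_SESSION['userid']]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Usage with constructed values standing in for the form fields.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY AUTOINCREMENT, u_name TEXT UNIQUE, p_word TEXT)');
create_user($pdo, 'alice', 'correct horse battery');

var_dump(login($pdo, 'alice', 'wrong password'));
var_dump(login($pdo, 'alice', 'correct horse battery'));
var_dump($_SESSION);
var_dump(current_user_name($pdo));
```

The first `login()` call fails and leaves `$_SESSION` empty; the second succeeds, after which the session contains only `userid` and `current_user_name()` resolves the user from that value alone.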