Reply to Re: sha1() passwd in mysql help... (beginner)

Posted by Rami Elomaa on 03/26/07 19:02

Erwin Moller wrote:
> sathyashrayan wrote:
>
>> Dear group,
>>
>> For a log-in page I have created a mysql db and user registers
>> with a user name and password. The password field is encrypted with
>>
>> $passwd = sha1($_REQUEST['passwd']);
>>
>> I insert the $passwd in mysql_insert. The password gets
>> encrypted and stored in mysql. Now I want to check if the user has
>> entered the correct password when he logs in. How can I do that? Any
>> help is appreciated. Thanks in advance.
>
> How?
> Compare them of course.
> The fact that the password is encrypted doesn't make it something else than
> a string of bits.
>
> So:
> suppose you have a table with userid and sha1_passwd:
>
> $passwd = sha1($_REQUEST['passwd']);
> $SQL = "SELECT userid FROM tblusers where (sha1_passwd = '".$passwd."');";

I'd select first the row that matches username and then compare the
password of that row to the sha'd password.

The problem with your method is that two users having the same password
(say "123abc" or "password") can collide. Usernames should be unique,
passwords shouldn't. (Furthermore, if a user tries to set a password and
system reports that it's taken, it opens an unwanted door...)

--
Rami.Elomaa@gmail.com
"We are on the planet of the apes."
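
The check described in this reply, as an added example that is not part of the original post: look the row up by its unique username, then compare the stored hash, next to the password-only lookup from the quoted query. The `username` column, the function names `useridsByPasswordOnly()` and `login()`, the in-memory SQLite database and the sample users are assumptions made for illustration; `sha1()` is kept only to match the thread.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// quoted post (tblusers, userid, sha1_passwd); the username column and the
// in-memory SQLite database are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblusers (
    userid      INTEGER PRIMARY KEY,
    username    TEXT NOT NULL UNIQUE,
    sha1_passwd TEXT NOT NULL
)');

// Constructed sample data: alice and bob happen to pick the same password.
$insert = $db->prepare('INSERT INTO tblusers (username, sha1_passwd) VALUES (?, ?)');
foreach ([['alice', '123abc'], ['bob', '123abc'], ['carol', 'tr0ub4dor']] as [$name, $pw]) {
    $insert->execute([$name, sha1($pw)]);
}

// Lookup by password hash alone, as in the quoted query. With a shared
// password it matches several accounts and cannot say who is logging in.
function useridsByPasswordOnly(PDO $db, string $passwd): array
{
    $stmt = $db->prepare('SELECT userid FROM tblusers WHERE sha1_passwd = ?');
    $stmt->execute([sha1($passwd)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Lookup by the unique username first, then compare that row's hash.
// Returns the userid on success and null on any failure.
function login(PDO $db, string $username, string $passwd): ?int
{
    // Bound parameter: the request value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT userid, sha1_passwd FROM tblusers WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown username
    }
    // hash_equals() compares the two hex strings in constant time.
    return hash_equals($row['sha1_passwd'], sha1($passwd)) ? (int) $row['userid'] : null;
}

var_dump(useridsByPasswordOnly($db, '123abc')); // password shared by alice and bob
var_dump(login($db, 'bob', '123abc'));          // right user, right password
var_dump(login($db, 'carol', '123abc'));        // right user, someone else's password
var_dump(login($db, 'mallory', '123abc'));      // no such user
```

Because `login()` returns the same `null` for an unknown user and a wrong password, the caller can show one generic failure message for both cases.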
