
Hopefully this is simple. I am trying to grant administrative power to the user if they are able to provide the 'root' password. Is there a way to compare this newly entered password with the root password? This is what my code looks like so far:

```php
<form action='index.php?login=yes' method=POST>
Password: <input type=password name='pwd'><br />
<input type=submit value='Login' />
</form>

<?php

    $pass=$_POST['pwd'];
    // Key must match the ?login=yes parameter in the form action (array keys are case-sensitive)
    $login=$_GET['login'];

    if($login=='yes') {

        $con=mysql_connect('localhost','root','');
        mysql_select_db('Login');

        $get=mysql_query("SELECT count(id) FROM Login WHERE pwd = '$pass'");
        $result=mysql_result($get, 0);

        mysql_close($con);

        if($result!=1)
            echo"Login Failure!";
        else {
            echo"Login Success";
        };
    };
?>
```

Please be gentle because PHP is a lot different than I'm used to (I prefer Java). Thanks!

Joachim Isaksson
MellowFellow
  • 5
    You are storing plaintext passwords and you aren't escaping user input. These are very dangerous things to do. Please go back and read some basic tutorials on password hashing and salting, and how to avoid SQL injection before writing more code. – NullUserException Apr 24 '12 at 04:38
  • @NullUserException, Can you explain? I knew it was not the best, I am still learning... – MellowFellow Apr 24 '12 at 04:39
  • He asked to be gentle.... @MellowFellow: You can use `mysql_real_escape_string` or do parameter binding, e.g., using PDO abstraction. – Brett Zamir Apr 24 '12 at 04:41
  • 4
    You're not even checking to see what username the password matches?! What if another user has the same password as root (by chance); do they get to login as root too??? – AJ. Apr 24 '12 at 04:44
  • 5
    @brettz9 The OP said they are familiar with Java. But both of these concepts (hashing and SQL injection) are equally important in Java and PHP. I'm sorry if this sounds harsh, but not knowing these things belies a lack of basic programming knowledge. And that might even be an understatement. – NullUserException Apr 24 '12 at 04:45
  • @MellowFellow Here are two answers I wrote about these concepts: [hashing](http://stackoverflow.com/questions/9878289/drupal-7-password-hash/9878441#9878441) and [SQL injection](http://stackoverflow.com/questions/7505808/using-parameters-in-sql-statements/7505895#7505895). There are lots of resources on the Internet and even Stack Overflow itself. – NullUserException Apr 24 '12 at 04:48
  • I have been trying to solve this myself; this was a last resort. @AJ, I was attempting to understand the password first, then attempt the username. NullUserException, while they may be similar, this seems completely different to me. I have taught myself everything I know, so there is a possibility that I do "lack basic programming knowledge". – MellowFellow Apr 24 '12 at 04:53
  • You might find this post on [storing passwords](http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html) useful – Anirudh Apr 24 '12 at 06:11

1 Answer


You should definitely consider hashing the password, with a salt. The md5() algorithm isn't really recommended for secure environments but it does at least make the job harder.

When saving your password in the database, you should do something like

```php
$salt = 'dhg1d9h12h1029he01h2e1'; // Just have something random and long here
$hashedpassword = md5($salt.md5($password, true)); // Or any other combination you like here
```

Then, you can save $hashedpassword into the database like so:

```php
mysql_query(sprintf("UPDATE Login SET pwd = '%s' WHERE username = '%s'",
    mysql_real_escape_string($hashedpassword),
    mysql_real_escape_string($username)
));
```

Then when you want to check if a password matches, do the exact same step as above to calculate the $hashedpassword value but pass in their test password and then compare that with what's in the DB, e.g.:

```php
$result = mysql_query(sprintf("SELECT (pwd = '%s') AS authenticated FROM Login WHERE username = '%s'",
    mysql_real_escape_string($hashedpassword),
    mysql_real_escape_string($username)
));
$row = mysql_fetch_assoc($result);
// $row is false when no row matches the username, so check it before indexing
if ($row && $row['authenticated']) {
    echo "Success!";
}
```

Aaaanyway, you look like you're just starting out, so I'd be very careful how you go with actual password verification. From what I understand bcrypt2 is what you want to use instead of md5, but I'll leave you to read up on how to do that in PHP; you should definitely read up on this stuff.

I'd also check the structure of your login table. You probably want more than a single user in it, otherwise why not just store the hash in the code itself, rather than the DB?

Also, you can determine if someone is submitting a form or getting the form by checking if `$_SERVER['REQUEST_METHOD'] == 'POST'`, which is cleaner than using a GET URL parameter (though I guess there's nothing wrong with the other approach...).

Jon Marnock
  • Much appreciation man, I took my time and researched everything that didn't look familiar to me. Thank you for teaching me what those youtube videos don't :D – MellowFellow Apr 24 '12 at 06:20
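
The points raised in the comments and the answer (a salted slow hash instead of plaintext or md5, bound parameters instead of string interpolation, and matching the password against one specific username) fit together as in the added example below, which is not code from the question or the answer. It uses PHP's built-in `password_hash()`/`password_verify()` (bcrypt) and PDO; the in-memory SQLite database standing in for the MySQL `Login` table, the helper names `set_password` and `check_login`, and the credentials are all constructed for the illustration.

```php
<?php
// Constructed demo: in-memory SQLite stands in for the MySQL Login table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwd TEXT)');

// Hypothetical helper: store a bcrypt hash. password_hash() generates a fresh
// random salt per call and embeds it in the returned string.
function set_password(PDO $db, $username, $password) {
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT OR REPLACE INTO Login (username, pwd) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Hypothetical helper: fetch the hash for ONE username through a bound
// parameter, then compare in PHP rather than in SQL.
function check_login(PDO $db, $username, $password) {
    // Hash of a throwaway value, verified against when the user does not exist
    // so both paths spend comparable time in password_verify().
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_BCRYPT);
    }
    $stmt = $db->prepare('SELECT pwd FROM Login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();   // false when there is no such user
    $ok = password_verify($password, $stored === false ? $dummy : $stored);
    return $ok && $stored !== false;
}

// Constructed credentials.
set_password($db, 'root', 'correct horse battery staple');
set_password($db, 'alice', "it's-alice-2012");   // the apostrophe is just data

// Same algorithm, different salts: the stored strings never repeat across users.
$hashes = $db->query('SELECT pwd FROM Login ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);

var_dump(check_login($db, 'root', 'correct horse battery staple')); // right user, right password
var_dump(check_login($db, 'root', "it's-alice-2012"));   // another user's password, tried as root
var_dump(check_login($db, 'alice', "it's-alice-2012"));  // quote in input needs no escaping
var_dump(check_login($db, 'nobody', 'correct horse battery staple')); // unknown username
```

With MySQL, only the PDO connection string and the `INSERT OR REPLACE` statement (SQLite syntax) change; the hashing and verification calls stay the same.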