I have two tables: Userlogindetails(username, pass) and Userdetails(email, username*)

- Bolded are PKs, asterisk is FK

I am trying to do a forgot-password PHP page with an SQL statement. The user will enter their email address and the SQL statement will check that the email is correct in Userdetails. Then the username in Userdetails will get matched with Userlogindetails to find the password. Will I need two statements?

Thanks

CJava
  • First of all, you need to get rid of "matched with Userlogindetails to find the password". Never store passwords, unless you are building a password vault. – GolezTrol Dec 04 '13 at 17:47
  • If there is a one to one relationship between the user and their login (which there seems to be since there are not other fields here), why not simply have a single table? – Mike Brant Dec 04 '13 at 17:48
  • @GolezTrol Storing of passwords is typical practice. However, if you meant one should never store plaintext/unencrypted passwords, I would agree with you there. The passwords should always be subject to some form of hashing/encryption for storage. – Mike Brant Dec 04 '13 at 17:51
  • @MikeBrant Hashing, not encrypting. There is a big difference between the two. Encrypting means you can decrypt it. There is no such thing as de-hashing, apart from attempts to find *a* (not necessarily *your*) password that matches. You shouldn't store passwords, encrypted or not. Just store a hash and let the user set a new password when he forgets it. – GolezTrol Dec 04 '13 at 17:53
  • Yeah Adobe just got burned recently because they used encryption and not hashing http://slashdot.org/story/13/11/05/1655225/stolen-adobe-passwords-were-encrypted-not-hashed – mikey Dec 04 '13 at 17:54

1 Answer

No (you don't need 2 statements), you can accomplish this with a SQL JOIN e.g.

SELECT b.pass
FROM userdetails a
LEFT JOIN userlogindetails b ON a.username = b.username
WHERE a.email = ?   -- bind the submitted e-mail address here with a parameterized query

SQL JOINs:

http://www.w3schools.com/sql/sql_join.asp

As others have pointed out, you shouldn't store passwords in your database. Depending on your particular security needs, you'll need to decide if this is a good idea. Password + salt hashing technique for storage is discussed here:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

mikey
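The answer's JOIN wired into a PDO-based forgot-password lookup, as an added example that is not part of the original post: the e-mail is bound as a parameter, the pass column holds a password_hash() digest rather than a password, and a reset therefore replaces the hash instead of returning anything. Table and column names follow the question; the in-memory SQLite database, the sample rows and the function names are constructed for the example.

```php
<?php
// Added example, not code from the original post. It assumes the two tables
// from the question and uses an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userlogindetails (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->exec('CREATE TABLE userdetails (email TEXT PRIMARY KEY,
           username TEXT NOT NULL REFERENCES userlogindetails(username))');

// Store a salted hash, never the password itself: password_hash() generates
// the salt and embeds it in the result, so the column holds nothing reversible.
$db->prepare('INSERT INTO userlogindetails (username, pass) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO userdetails (email, username) VALUES (?, ?)')
   ->execute(['alice@example.com', 'alice']);

// The answer's JOIN as one prepared statement (inner JOIN, so an e-mail without
// a login row yields nothing). The e-mail is bound as a parameter, so the
// submitted value can never change the query text.
function findLoginByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT b.username, b.pass
           FROM userdetails a
           JOIN userlogindetails b ON a.username = b.username
          WHERE a.email = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// With hashes there is no password to look up and send back, so the
// forgot-password page lets the user choose a new one and stores its hash.
function setNewPassword(PDO $db, string $username, string $newPassword): void
{
    $db->prepare('UPDATE userlogindetails SET pass = ? WHERE username = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
}

$row = findLoginByEmail($db, 'alice@example.com');            // constructed input
$ok = $row !== null && password_verify('correct horse battery staple', $row['pass']);
echo 'lookup and verify: ', $ok ? 'ok' : 'FAILED', PHP_EOL;
setNewPassword($db, $row['username'], 'new passphrase 42');
$row = findLoginByEmail($db, 'alice@example.com');
$ok = !password_verify('correct horse battery staple', $row['pass'])
    && password_verify('new passphrase 42', $row['pass']);
echo 'old rejected, new accepted: ', $ok ? 'ok' : 'FAILED', PHP_EOL;
// Quote characters in the bound input are matched literally, so no row comes back.
echo 'quoted input is literal: ', findLoginByEmail($db, "alice@example.com' --") === null ? 'ok' : 'FAILED', PHP_EOL;
```

Requires PHP 7.1 or later for the nullable return type and the pdo_sqlite extension; swap the DSN for your MySQL/PostgreSQL connection and the rest is unchanged.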