Need a bit of help with a form. I have created a form which requires login. Once a person has logged in they complete the form and then someone else checks the form and enters their password before the form is submitted.

I have set up some rules which check the fields are completed correctly and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.

So far I have got this.

    if (!empty($_POST['password']))
    {
        /*connect to database to check password is valid*/
        $user_name = "contains username for database";
        $pass_word = "contains password";
        $database = "name of database";
        $server = "localhost";

        $db_handle = mysql_connect($server, $user_name, $pass_word);
        $db_found = mysql_select_db($database, $db_handle);

        if ($db_found) {

            $uname = quote_smart($uname, $db_handle);
            $pword = quote_smart($pword, $db_handle);

            $SQL = "SELECT * FROM masterpass WHERE password = $password";
            $result = mysql_query($SQL);
            $num_rows = mysql_num_rows($result);

            if ($result) {
                if ($num_rows > 0) {
                    continue;
                }
                else {
                    $error = true;
                }
            }
        }
    }

Not sure if I am going about this the right way so any help would be great.

Thanks in advance, Matt

Raoul
Mattrsa
  • Never store passwords. Only store hashes of passwords. – kapa Jul 08 '11 at 11:11
  • Sorry I am a bit of a newbie here so not really sure what I am doing. – Mattrsa Jul 08 '11 at 11:17
  • Don't *ever* store the password. Only store a properly salted hash of the password. Even better: [somebody has already taken care of all the details](http://stackoverflow.com/questions/1581610/help-me-make-my-password-storage-safe) -> use phpass – Jacco Jul 08 '11 at 11:23

2 Answers

For starters, first you create $pword:

    $pword = quote_smart($pword, $db_handle);

and in your query you use $password.

    $SQL = "SELECT * FROM masterpass WHERE password = $password";

This can't work.

Secondly, you should ask for username AND password in your query.

Last but not least: never save a password in clear text in your database. Generate an MD5 hash!

Sascha Galley
  • Thanks for the reply. I don't want to check username and password. I just want a password which a senior staff member can enter to confirm the data entered by the person who first logged in to the page is correct. Is this possible? – Mattrsa Jul 08 '11 at 11:14
  • The advice to never store the password as plain text is good. But a straight hash is not good enough; it needs a random salt. Also, MD5 is considered obsolete/broken (as is SHA1). See also: http://stackoverflow.com/questions/6472667/best-php-encryption-method-for-storing-user-passwords-in-a-mysql-table/6472676#6472676 – Jacco Jul 08 '11 at 11:39

> I have set up some rules which check the fields are completed correctly and I want to write some code that will check the password field is completed and then check it against the stored passwords in the database.

No, you don't. Checking to see if the password is already in the database is not a very smart thing to do, as that opens your application to brute-forcing attacks. I could use your form to determine which passwords are used, and if I can get a list of your users, I can try each of those passwords to each of those users and get access.

Secondly, quote_smart is probably not smarter than mysql_real_escape_string. Use that instead.

Thirdly, as Sascha already mentions, please generate a hash. I wouldn't use MD5, but sha1 instead, but even using MD5 without salt already increases the security in your form dramatically.

My mantra on validating passwords is: make sure it's longer than 7 characters, that's it. Don't make assumptions on what password people should use. I hate it if I type in a password and some validation routine tells me I can't use {^ in my password.

Berry Langerak
  • Hi, thanks for the reply. The rule simply checks that something is entered into the password field and then checks it against stored values in the database. If nothing is entered into the password field an error will appear and the form will not be submitted. I will have to look into MD5 as I'm a novice when it comes to PHP – Mattrsa Jul 08 '11 at 11:20
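
An added example, not code from any post above: the approval check from the question done with salted hashes, as the comments recommend. It uses PHP's built-in `password_hash()`/`password_verify()` and a PDO prepared statement; the in-memory SQLite database, the `staff` and `password_hash` columns, and the sample passwords are assumptions made so the script runs on its own.

```php
<?php
// Added example: verify an approver's password against salted hashes.
// Assumptions (not from the original posts): PDO with an in-memory SQLite
// database standing in for MySQL, and hypothetical columns `staff` and
// `password_hash` in the `masterpass` table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE masterpass (id INTEGER PRIMARY KEY, staff TEXT, password_hash TEXT)');

// Enrolment: store only the hash. password_hash() generates a random salt
// and embeds it, with the algorithm and cost, in the returned string.
$insert = $db->prepare('INSERT INTO masterpass (staff, password_hash) VALUES (?, ?)');
foreach (['senior1' => 'constructed-pass-A', 'senior2' => 'constructed-pass-B'] as $staff => $plain) {
    $insert->execute([$staff, password_hash($plain, PASSWORD_DEFAULT)]);
}

/**
 * Return the staff name whose stored hash matches $submitted, or null.
 * Every hash carries its own salt, so "WHERE password = ..." cannot match;
 * each stored hash has to be checked with password_verify().
 */
function findApprover(PDO $db, string $submitted): ?string
{
    if ($submitted === '') {
        return null; // empty field: reject without touching the database
    }
    $match = null;
    foreach ($db->query('SELECT staff, password_hash FROM masterpass') as $row) {
        // Check every row, so each attempt does the same amount of work.
        if (password_verify($submitted, $row['password_hash'])) {
            $match = $row['staff'];
        }
    }
    return $match;
}

// Constructed inputs standing in for $_POST['password'].
foreach (['constructed-pass-B', 'wrong-guess', ''] as $attempt) {
    $who = findApprover($db, $attempt);
    echo $who !== null ? "approved by $who\n" : "rejected\n";
}
```

The cost of one attempt grows with the number of rows in `masterpass`, since each stored hash is verified in turn. Asking the approver for a username as well lets the query select a single row and verify one hash.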