
How to use php and sql to check if values match the ones in a table (for logins)


ghurty


How would I code it that the script takes two variables that are passed to it (UserID and PIN), and checks the table to see if the PIN matches the one in the table. If it does it should assign the value "1" to a variable, if not a value "2".


This variable should then be passed back to the original calling script. (In a different PHP file).


What I have so far is:

$ID = $_SERVER["argv"][1];
$ID = trim($ID);   // trim() already strips both ends, so a separate ltrim() is redundant

$PIN = $_SERVER["argv"][2];
$PIN = trim($PIN); // was trim($STATUS): $STATUS is never set, which left $PIN empty

$link = mysql_connect("localhost", "root", "passw0rd")
    or die("Data base connection failed");
mysql_select_db("test")
    or die("data base open failed");


I don't know the SQL command to compare if the value passed on matches the current record.


Thanks


function check_username_pin($username, $pin)
{
    // Escape the values so a quote in the input cannot change the SQL
    $username = mysql_real_escape_string($username);
    $pin = mysql_real_escape_string($pin);
    $query = "SELECT id FROM table WHERE ( username = '$username' AND pin = '$pin' )";
    // don't return pin because of hackers
    $result = mysql_query($query);
    if (mysql_num_rows($result) > 0)
    {
        return(1);
    }
    return(2);
}

You would need a query to find a row matching the ID, then if there is a matching row, test, using php code, if the PIN in that row matches what was entered.


You should however only specifically report if the ID or PIN did not match if you have bad attempt detection and account lockout because if you allow a hacker unlimited attempts at entering IDs, then unlimited attempts at entering PINs, he can just let a bot script perform a dictionary attack until he finds valid IDs and PINs.


like such


function check_username_pin($username, $pin)
{
    // Escape the values so a quote in the input cannot change the SQL
    $username = mysql_real_escape_string($username);
    $pin = mysql_real_escape_string($pin);
    $query = "SELECT id FROM table WHERE ( username = '$username' AND pin = '$pin' )";
    // don't return pin because of hackers
    $result = mysql_query($query);
    if (mysql_num_rows($result) > 0)
    {
        return(1);
    }
    $query = "SELECT id FROM table WHERE ( username = '$username' )";
    // don't return pin because of hackers
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 0)
    {
        return(2); // bad id
    }
    $query = "SELECT id FROM table WHERE ( pin = '$pin' )";
    // don't return pin because of hackers
    $result = mysql_query($query);
    if (mysql_num_rows($result) == 0)
    {
        return(3); // bad pin
    }
    return(3); // id exists but this pin is not the one stored for it (the original fell through and returned NULL here)
}


You can log each try to a table by IP and clear the tries upon success, with x num on min, or if you have too many tries go to a lost password routine or blacklist the IP until you are satisfied the user is real.

I do that by emailing a code to the email on record, and then they are blacklisted until they get the email and follow the link to clear the blacklisted IP.
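Added example (not code posted in this thread): the same ID/PIN check written with PDO prepared statements, a hashed PIN column, and the failed-attempt counter and lockout the replies above recommend. It assumes a users table with columns id, username, pin_hash, failed_attempts and locked_until, and an already opened PDO connection in $db.

```php
<?php
// Added example, not code from the thread. Assumed schema:
// users(id, username, pin_hash, failed_attempts, locked_until)
// Return codes follow the thread: 1 = match, 2 = no match (deliberately generic).

const MAX_ATTEMPTS = 5;         // failures allowed before lockout
const LOCKOUT_SECONDS = 900;    // lockout length after MAX_ATTEMPTS

function check_username_pin(PDO $db, string $username, string $pin): int
{
    // Bound parameters keep the input out of the SQL text, so quotes cannot alter it.
    $stmt = $db->prepare(
        'SELECT id, pin_hash, failed_attempts, locked_until FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a dummy hash so the response time does not
    // reveal whether the username exists, then return the same generic code.
    if ($row === false) {
        static $dummy = null;
        $dummy ??= password_hash('dummy-pin', PASSWORD_DEFAULT);
        password_verify($pin, $dummy);
        return 2;
    }

    // Locked account: refuse without even checking the PIN.
    if ($row['locked_until'] !== null && strtotime($row['locked_until']) > time()) {
        return 2;
    }

    if (password_verify($pin, $row['pin_hash'])) {
        // Success clears the failure counter, as the reply above suggests.
        $db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = ?')
           ->execute([$row['id']]);
        return 1;
    }

    // Wrong PIN: count the failure and lock the account once the limit is reached.
    $attempts = (int) $row['failed_attempts'] + 1;
    $lockedUntil = $attempts >= MAX_ATTEMPTS
        ? date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS)
        : null;
    $db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?')
       ->execute([$attempts, $lockedUntil, $row['id']]);
    return 2;
}
```

The pin_hash column holds the output of password_hash(), so the stored PIN is never compared or returned in plain text; a per-IP counter like the one described above can be added alongside the per-account one.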
