Dark57, posted April 5, 2010 (https://forums.phpfreaks.com/topic/197642-login-using-a-database/)

So I'm trying to write a login script using a database. Are there exploits to using a database to store a password, or is it pretty well hidden? I guess what I'm asking is: can someone without server access retrieve passwords from a database?
premiso, posted April 5, 2010

They can if you do not code for SQL injection and do not hash the password. It is very bad practice to store passwords in raw text in the database. The general practice is to hash them with md5 or sha1 with a random seed.
Pikachu2000, posted April 5, 2010

You won't want to store the actual password in a database, but rather a hash of it, using one of the many hashing algorithms available, preferably with a salt as well. The disadvantage is you can't retrieve the original value of a hash; you can only change it to a new hash if the user forgets their password. Still, it's the most common way of doing it.

You'll also want to be certain your code isn't vulnerable to SQL injection attacks, but that is true regardless of how you store the passwords. User-supplied data should never be placed directly into a db query. It should always be sanitized with mysql_real_escape_string/mysqli_real_escape_string, typecasting, etc. before being allowed anywhere near a query.
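The two points made in the replies above (salted password hashing, and keeping user input out of the query text) are shown together in the following added example. It is not code from any of the posters; it uses an in-memory SQLite database through PDO so it runs offline (swap the DSN for your MySQL server in practice), and it uses PHP's `password_hash()`/`password_verify()` (available since PHP 5.5) instead of a hand-rolled md5/sha1 scheme. The table layout, the function names and the sample user `alice` are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Assumptions: an in-memory
// SQLite database and a users table with a UNIQUE username column.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec(
    'CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )'
);

// Registration: store only a salted, slow hash. password_hash() draws a
// random per-user salt and embeds it (plus algorithm and cost) in the string.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// VULNERABLE login, kept only for contrast: user input is concatenated into
// the SQL text. A username of  ' OR 1=1 --  turns the statement into
//   SELECT id FROM users WHERE username = '' OR 1=1 --' AND ...
// and the password clause is commented away. Do not use this.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username'"
         . " AND password_hash = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Hardened login: a prepared statement sends the query text and the bound
// values separately, so the input can never change the statement's shape.
function loginSecure(PDO $db, string $username, string $password): bool
{
    // Hash of a random string, used when the username does not exist, so the
    // failure path costs the same time as a real verification.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $stored = $row['password_hash'] ?? $dummyHash;
    // password_verify() re-derives the hash with the stored salt/cost and
    // compares in constant time.
    $ok = $row !== false && password_verify($password, $stored);

    // If the default algorithm or cost has moved on since the hash was made,
    // upgrade it transparently on a successful login.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return $ok;
}

// Constructed sample data and a demonstration run.
registerUser($db, 'alice', 'correct horse battery staple');

$injected = "' OR 1=1 --";
var_dump(loginVulnerable($db, $injected, 'anything'));              // injection attempt
var_dump(loginSecure($db, $injected, 'anything'));                  // same input, bound
var_dump(loginSecure($db, 'alice', 'wrong password'));              // bad password
var_dump(loginSecure($db, 'alice', 'correct horse battery staple')); // good password
var_dump(loginSecure($db, 'nobody', 'whatever'));                   // unknown user
```

Run with `php login_example.php`. The injected username lets `loginVulnerable()` through without any password, while `loginSecure()` rejects it, because the bound value is compared as data rather than parsed as SQL. Note that the database never sees the password: only the hash is stored, so a dump obtained through injection or a stolen backup yields bcrypt strings that must be cracked one guess at a time at a deliberately slow rate, unlike unsalted md5/sha1 digests, which can be tested at billions of guesses per second. Two caveats a practitioner should know: bcrypt (the current `PASSWORD_DEFAULT`) uses at most the first 72 bytes of the password, and the legacy `mysql_*` extension mentioned above was removed in PHP 7.0, so `mysqli` or PDO with prepared statements is the path to take today.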
Dark57 (author), posted April 5, 2010

I see, ok, I guess I'm going to have to look up how to hash them then. Another thing to add to my list of things to do... Alright, thanks for the help. I didn't want to start my login script without knowing whether or not I could make it secure. I'm pretty new to this whole PHP coding, as I've mainly stuck with C++, so I'm not so sure as to how a lot of this web security and server security go.