senca99 Posted February 21, 2014
Hey, I was having some trouble finding the logic in this: I have a login form (PHP) and a MySQL database storing the username and password. Problem is that my database is also protected because logically you don't want usernames and/or passwords to be public. This means that when someone tries the login form, it is impossible to check if he has correct credentials because this would imply that the db password should be used also to grant access to the database. How to overcome this issue?
jairathnem Posted February 21, 2014
Traditionally, what used to be done was to encrypt the passwords. Here is the logic: when registering/changing, the password is encrypted (say MD5 or SHA1) and stored to the DB; when logging in, the logged in password field is encrypted again and matched with the value in the DB. Since the encryption is one-way, it was difficult to crack it. Note: this is old and it can be cracked easily nowadays. You are better off using predefined password libraries used by WordPress, Joomla, etc.
senca99 Posted February 21, 2014 (edited)
Thank you for your reply. That was the method I had in my head too, but it looks so unsafe to me. Is there any way to overcome this? A safer way only using PHP and MySQL? When I think about it I can't see any other way than the traditional one. Even with the use of Joomla, WordPress,... there still has to be a login form and a database, so doesn't that mean this also is the traditional way of doing things?
mac_gyver Posted February 21, 2014
the database connection username/password is only known to your application code and the database and is only used to authenticate the connection between your application code and the database. the database connection username/password has nothing to do with the visitor's username/passwords that your application stores in a database table and uses to authenticate the visitor.
jairathnem Posted February 21, 2014
I think the answer is Bcrypt. More info here: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php
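The two points made in the replies above (the database connection credentials are separate from visitors' credentials, and visitors' passwords are stored as bcrypt hashes) combined in one sketch. This is an added example, not code from any poster in the thread. The `users` table, its columns, the function names and the sample account are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline (PHP 7+ with `pdo_sqlite`).

```php
<?php
// Added example: names below are assumptions, not from the thread.
// The connection credentials live only in server-side code/config. For MySQL the
// line would be: new PDO('mysql:host=...;dbname=...', $dbUser, $dbPass);
// visitors never see or supply them. SQLite in memory is a stand-in here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

const HASH_OPTS = ['cost' => 12];
// Hash of a throwaway value, used so unknown usernames cost the same time as known ones.
define('DUMMY_HASH', password_hash('constructed-dummy-value', PASSWORD_BCRYPT, HASH_OPTS));

function register_user(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds salt and cost in its output,
    // so the single column holds everything needed to verify later.
    $hash = password_hash($password, PASSWORD_BCRYPT, HASH_OPTS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the visitor's input is bound as data, never as SQL.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        password_verify($password, DUMMY_HASH); // unknown user: same work, then reject
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // If the configured cost was raised after this hash was stored, upgrade it now,
    // while the plaintext is available.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTS)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, HASH_OPTS), $username]);
    }
    return true;
}

// Constructed sample account, for demonstration only.
register_user($pdo, 'alice', 'correct horse battery staple');
var_dump(check_login($pdo, 'alice', 'correct horse battery staple'));
var_dump(check_login($pdo, 'alice', 'wrong password'));
var_dump(check_login($pdo, 'nobody', 'anything'));
```

A copy of the `users` table exposes only bcrypt hashes, and the database account used by the application can be limited to the privileges these queries need.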