Why is password query different from username query?



#1 programguru

programguru
  • Members
  • Advanced Member
  • 133 posts

Posted 02 March 2006 - 02:10 AM

I am writing a script, and learning as I go along, but I was looking at some examples, and I wanted to know why the password is queried the way it is below - notice it is different than the username query. Here is the code (any ideas?):

$result = mysql_query("select * from writers
                            where username='$username'
                            and password = password('$password')");

I assume password is a function, but unsure?
THIS FORUM KEEPS PUTTING ME IN MY PLACE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

#2 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 02 March 2006 - 02:17 AM

From the MySQL manual.
QUOTE
PASSWORD(str)

Calculates and returns a password string from the plaintext password str and returns a binary string, or NULL if the argument was NULL. This is the function that is used for encrypting MySQL passwords for storage in the Password column of the user grant table.

mysql> SELECT PASSWORD('badpwd');
-> '*AAB3E285149C0135D51A520E1940DD3263DC008C'

PASSWORD() encryption is one-way (not reversible).

PASSWORD() does not perform password encryption in the same way that Unix passwords are encrypted. See ENCRYPT().

Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications.

#3 programguru

programguru
  • Members
  • Advanced Member
  • 133 posts

Posted 02 March 2006 - 03:04 AM

Thanks Thorpe,

So basically, this just encrypts the password so it was not easily traced in a MySQL db. Meaning if I had the db, and queried the password field, I would see binary numbers only?

ALSO, had another question re the same page I am creating. I have coded this based off some examples I have put together. I have also commented to show you my understanding of each function etc. If you could briefly explain if I am right or wrong, just trying to really nail these concepts.


{
    global $HTTP_SESSION_VARS;
       // this checks if there is an existing session globally, and carries the parameters over

    if (isset($HTTP_SESSION_VARS['auth_user']))
       // if the variable is set, check the global $HTTP_SESSION_VARS; for (actually I'm not sure where "auth_user" came from?)

        return true;
    else
        return false;
 }    



#4 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 02 March 2006 - 03:32 AM

The global keyword makes the variable $HTTP_SESSION_VARS available globally; it does not check to see if it exists. Why are you using $HTTP_SESSION_VARS anyway? You should (unless you're using some archaic version) use the $_SESSION superglobal.

As for the other bit.... If you're not sure where auth_user came from, you're really missing the concepts. Sorry, but....

Maybe you need to do some tutorials on sessions?

#5 programguru

programguru
  • Members
  • Advanced Member
  • 133 posts

Posted 02 March 2006 - 03:55 AM

QUOTE: Maybe you need to do some tutorials on sessions?

I could not agree more. I have 4 PHP books, and PHP.NET, PHP.FREAKS, etc etc, and have read so much, but I think I am lacking the full basics. I know there are some tutorials on here. If you know of any good ones on sessions, please let me know.

Anyways, in regards to:
if (isset($HTTP_SESSION_VARS['auth_user']))

I can't find a straight answer anywhere. If you know what it means, please give any insight.




#6 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 02 March 2006 - 04:52 AM

Well, I wouldn't use $HTTP_SESSION_VARS for starters. Let's use the $_SESSION array. Yes, it's an array, just like any other. So, auth_user is an array index or key just like any other. eg..
$myarray = array();
$myarray['name'] = 'bob';
Here you have an array ($myarray). I can print the name value by using...
echo $myarray['name'];
Sessions are basically the same, except the array is already created, and is global. To use it, first you need to check if a session already exists, and if not create one. This is what session_start() does. Then it's just a matter of storing whatever you like in the $_SESSION array. eg...
session_start();
$_SESSION['name'] = 'bob';
echo $_SESSION['name'];
Really, it's pretty simple. The $_SESSION array is just like any other, though it's global.
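
An added example, not part of the original thread: the login check from the first post with the hashing done in PHP (password_hash() / password_verify()) instead of MySQL's PASSWORD(), the username passed as a bound parameter rather than interpolated into the SQL string, and auth_user stored in $_SESSION on success. It assumes PDO with the SQLite driver as a stand-in for MySQL; the login() and check_auth_user() names and the 'bob' row are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with the SQLite
// driver stands in for MySQL; the row for 'bob' is constructed sample data.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE writers (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, deliberately slow hash computed in PHP, never the plaintext.
$insert = $db->prepare('INSERT INTO writers (username, password) VALUES (?, ?)');
$insert->execute(['bob', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: $username is never spliced into the SQL text, so
    // quote characters in it cannot change the query.
    $stmt = $db->prepare('SELECT password FROM writers WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // The comparison happens in PHP; the password never appears in the SQL.
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh session id once the user is authenticated
    $_SESSION['auth_user'] = $username;  // the key the isset() check in the thread looks for
    return true;
}

function check_auth_user(): bool
{
    return isset($_SESSION['auth_user']);
}

// Run the cases first and print afterwards, so no output is sent before
// session_regenerate_id() needs to issue a new session cookie.
$results = [
    'wrong password'            => login($db, 'bob', 'wrong guess'),
    'auth_user set after that'  => check_auth_user(),
    'quote in username'         => login($db, "bob' -- ", 'anything'),
    'right password'            => login($db, 'bob', 'correct horse'),
    'auth_user set after login' => check_auth_user(),
];
var_dump($results);
```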




