Reputation: 53
Php - compare password with root password
Hopefully this is simple. I am trying to grant administrative power to the user if they are able to provide the 'root' password. Is there a way to compare this newly entered password with the root password? this is what my code looks like so far:
<form action='index.php?login=yes' method=POST>
Password: <input type=password name='pwd'><br />
<input type=submit value='Login' />
</form>
<?php
$pass=$_POST['pwd'];
$login=$_GET['Login'];
if($login=='yes') {
$con=mysql_connect('localhost','root','');
mysql_select_db('Login');
$get=mysql_query("SELECT count(id) FROM Login WHERE pwd = '$pass'");
$result=mysql_result($get, 0);
mysql_close($con);
if($result!=1)
echo"Login Failure!";
else {
echo"Login Success";
};
};
?>
</p>
Please be gentle because PHP is a lot different than i'm used to (i prefer java). Thanks!
Upvotes: 0
Views: 273
Answers (1)
Reputation: 3225
You should definitely consider hashing the password, with a salt. The md5() algorithm isn't really recommended for secure environments but it does at least make the job harder.
When saving your password in the database, you should do something like
$salt = 'dhg1d9h12h1029he01h2e1'; // Just have something random and long here
$hashedpassword = md5($salt.md5($password, true)); // Or any other combination you like here
Then, you can save $hashedpassword into the database like so:
mysql_query(sprintf("UPDATE Login SET pwd = '%s' WHERE username = '%s'",
mysql_real_escape_string($hashedpassword),
mysql_real_escape_string($username)
));
Then when you want to check if a password matches, do the exact same step as above to calculate the $hashedpassword value but pass in their test password and then compare that with what's in the DB, eg:
$result = mysql_query(sprintf("SELECT (pwd = '%s') AS authenticated FROM Login WHERE username = '%s'",
mysql_real_escape_string($hashedpassword),
mysql_real_escape_string($username)
));
$row = mysql_fetch_assoc($result);
if ($row['authenticated']) {
echo "Success!";
}
Aaaanyway, you look like you're just starting out, so I'd be very careful how you go with actual password verification. From what I understand bcrypt2 is what you want to use instead of md5, but I'll leave you to read up on how to do that in PHP; you should definitely read up on this stuff.
I'd also check the structure of your login table. You probably want more than a single user in it, otherwise why not just store the hash in the code itself, rather than the DB?
Also, you can determine if someone is submitting a form or getting the form by checking if $_SERVER['REQUEST_METHOD'] == 'POST', which is cleaner than using a get URL parameter (though I guess there's nothing wrong with the other approach...)
Upvotes: 2
Related Questions
- PHP & MySQL compare password
- Comparing two Passwords in Registration form
- Verify User Password Matches Password in Database
- MySQL and PHP - Password Compare
- Using PHP to compare MySql Password()
- Check if password values are identical
- Comparing two passwords PHP
- php password, compare, return true or false
- MySQL password comparison from PHP
- Comparing passwords in php and sending it to a database