A signup/login.php page


Belzar

I don't know if you'd find it because I learned it from my PHP & MySQL book :)

So "meta tables" is just a word I made up, just to be able to call it by a name.

There is a database made by the installation, called "mysql". In this database there is information stored about protection of your data, including account names, hostnames, passwords and permissions. There are five tables in this database:
  • user - contains permissions that count for all databases and tables. each entry for every valid account with username, hostname and password. MySQL denies access if the connection of an account isn't in this table.
  • db - contains permissions for specific databases
  • host - manages access to a database based on the host
  • tables_priv - contains permissions for specific tables
  • columns_priv (language correction, it might be different because this was translated from Dutch) - contains permissions for specific columns

This is some sort of summary. I've translated it from my book, and there may be more explanatory texts that can be found on the internet :)

That's not a "meta" table, it's a system table. I don't think it's a very good idea to mess around with the users table in the mysql built-in database. That table is for MySQL users, users that have access to connect to and use the database server. I have always created my own user table for every application, and everything I've seen like phpBB or blog software or image galleries or shopping carts do the same thing. If you start messing around with the mysql users table, you might make it so that you can no longer connect to MySQL. Or, someone can just create an account, and since they are actually creating a MySQL account, they can connect to and use another database. Messing with the mysql tables should be considered a security problem, as well as a potential stability issue.

With regard to the code above, most things look good, but you are encrypting the password but then using the original password in the query. You will probably want to change this so that you are storing encrypted passwords in the database instead of plain-text passwords:

// Encrypt the password.
$encrypted_pass = md5($pass);
$result = mysql_query("SELECT * FROM table WHERE user_name='" . mysql_real_escape_string($user) . "' AND password='{$encrypted_pass}'");

I also escaped the user name to prevent people from trying to run SQL code by typing it into the user field. You don't need to escape the password because it's already been processed by md5, which will produce output that is safe for SQL queries. You will also want to change this next part, you should be using mysql_fetch_assoc instead of mysql_fetch_array, and you can also put the user name and password in the session to test on other pages:

if($row = mysql_fetch_assoc($result)){
  echo "<center>";
  echo "Hello";
  echo "<br />";
  echo $row['user_name'];
  echo "<br />";
  echo $row['comments'];
  echo "</center>";

  $_SESSION['user'] = $user;
  $_SESSION['pass'] = $encrypted_pass;
}
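
The same login check, written as an added example that is not from the thread: it swaps in PDO prepared statements and password_hash()/password_verify() for the mysql_* functions (removed in PHP 7) and md5(). The table name app_users and the sample account are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not the poster's code. Assumptions: an application table
// named app_users (hypothetical) and an in-memory SQLite database standing
// in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE app_users (
    user_name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL, comments TEXT)');

// Constructed sample account. password_hash() salts every hash and is
// deliberately slow, unlike a bare md5().
$ins = $pdo->prepare('INSERT INTO app_users VALUES (?, ?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT), 'Hi <b>all</b>']);

/** Returns the user's row on success, or null on any failure. */
function check_login(PDO $pdo, string $user, string $pass): ?array
{
    // The placeholder keeps $user out of the SQL text, so nothing is escaped by hand.
    $stmt = $pdo->prepare('SELECT user_name, pass_hash, comments FROM app_users WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The hash is checked in PHP, not in the WHERE clause, because each
    // stored hash carries its own salt.
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

// Constructed attempts: right password, wrong password, unknown user.
$attempts = [["o'brien", 'correct horse'], ["o'brien", 'wrong'], ['nobody', 'x']];
foreach ($attempts as [$user, $pass]) {
    $row = check_login($pdo, $user, $pass);
    if ($row === null) {
        echo 'login failed for ' . var_export($user, true) . "\n";
        continue;
    }
    // In a web request: session_start(); session_regenerate_id(true);
    // $_SESSION['user'] = $row['user_name'];  (the user name only)
    // Stored values are escaped before they are written into HTML.
    echo 'Hello ' . htmlspecialchars($row['user_name']) . ': '
        . htmlspecialchars($row['comments']) . "\n";
}
```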


And so I explained that there are those system tables. With the code above I thought this could be an issue, when having more than one MySQL account. I did mean making your own table with 'accounts' is better, and just using your own MySQL account for all the communication with the database(s) :)

You probably would get one MySQL account from a webhost anyway. Am I right, justsomeguy?


If you are on a shared host, most hosts will create a MySQL user for you with access to only your own database, you wouldn't even be able to read the mysql database. If you have complete control over MySQL you can do whatever you want, but if you are renting space then most likely you are using an account with limited access.


Thanks for your suggestions so far (am currently inserting the code into the pages). I have another question regarding validating the forms with PHP. Is it possible?


// Encrypt the password.
$encrypted_pass = md5($pass);
$result = mysql_query("SELECT * FROM table WHERE user_name='" . mysql_real_escape_string($user) . "' AND password='{$encrypted_pass}'");

If the password is encrypted on the database, is there a way of decrypting it, to forward on to a forgetful user?

Disregard that question (you would obviously create a form to extract the data)

if($row = mysql_fetch_assoc($result)){
  echo "<center>";
  echo "Hello";
  echo "<br />";
  echo $row['user_name'];
  echo "<br />";
  echo $row['comments'];
  echo "</center>";

  $_SESSION['user'] = $user;
  $_SESSION['pass'] = $encrypted_pass;
}

I can find any reference to 'mysql_fetch_assoc', what's the advantage over 'mysql_fetch_array'?

Edited by deved

If the password is encrypted on the database, is there a way of decrypting it, to forward on to a forgetful user?
No, it's a one-way encryption. You would probably send them an email with a randomly generated link they can click on to change their password.
I can find any reference to 'mysql_fetch_assoc' , what's the advantage over 'mysql_fetch_array'?
I originally thought that mysql_fetch_array returned a numeric array only, which is why I was telling people to use mysql_fetch_assoc instead. I read up on mysql_fetch_array, and it looks like it defaults to returning an array that has both numeric keys as well as associative keys. So it doesn't look like there is much of an advantage, assuming the default behavior for mysql_fetch_array doesn't change. mysql_fetch_assoc will use a little less memory, but it's not a big deal.

http://www.php.net/manual/en/function.mysql-fetch-assoc.php
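
One way to build the randomly generated reset link described above, as an added example that is not from the thread. The table name password_resets, the example.com URL and the 30-minute lifetime are assumptions; SQLite in memory stands in for MySQL so the script runs without a server.

```php
<?php
// Added example. password_resets, the URL and the 1800-second lifetime are
// assumptions made for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE password_resets (
    user_name TEXT PRIMARY KEY, token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');

/** Creates a reset token for $user and returns the link to e-mail. */
function issue_reset_link(PDO $pdo, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the system CSPRNG
    // Only a hash is stored, so a leaked table does not yield usable links.
    // REPLACE drops any older token for the same user.
    $stmt = $pdo->prepare('REPLACE INTO password_resets VALUES (?, ?, ?)');
    $stmt->execute([$user, hash('sha256', $token), $now + 1800]);
    return 'https://example.com/reset.php?user=' . rawurlencode($user) . '&token=' . $token;
}

/** True if $token is the current, unexpired token for $user. Single use. */
function redeem_reset_token(PDO $pdo, string $user, string $token, int $now): bool
{
    $stmt = $pdo->prepare('SELECT token_hash, expires_at FROM password_resets WHERE user_name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || $now > (int) $row['expires_at']
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // The row is deleted before the password form is shown, so the same
    // link cannot be used a second time.
    $pdo->prepare('DELETE FROM password_resets WHERE user_name = ?')->execute([$user]);
    return true;
}

$now  = time();
$link = issue_reset_link($pdo, 'alice', $now);
parse_str(parse_url($link, PHP_URL_QUERY), $q);   // what reset.php would receive

var_dump(redeem_reset_token($pdo, 'alice', 'guess', $now));             // wrong token
var_dump(redeem_reset_token($pdo, 'alice', $q['token'], $now + 3600));  // past expiry
var_dump(redeem_reset_token($pdo, 'alice', $q['token'], $now + 60));    // valid, in time
var_dump(redeem_reset_token($pdo, 'alice', $q['token'], $now + 61));    // second use
```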

  • 1 month later...
It wouldn't be that difficult to make a demonstration of how it works. If people would actually read it instead of asking questions about the same thing I might be persuaded to do one.
I would read it! In fact I did! Check out Tutorial

I felt this was very basic. It requires you to work a few things out, which was very frustrating! But now I've worked through it and I understand it all and have changed and expanded it.

By the way, is it worth using more random variable names like using colors etc. just to prevent hackers?

This tutorial is alright, but it actually contains some significant flaws that we should be aware of:

1. Using global variables - They prevent direct access to their pages by checking variables like so:

if($first_name != true && $email != 'yourEmail@somewhere.com'){
  print 'Not authorized, n00b!';
}

Unfortunately, all I have to do is know your e-mail and I can access it anyway by typing:

www.site.com/login.php?first_name=IMAHACKERLOLOLOLZ&email=yourEmail@somewhere.com
And now I have access to all your stuff! Hope you didn't post your e-mail anywhere on the site, lol. I'll have to go through the rest and find anything else that's dangerous...
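
The flaw described above next to a session-based check, as an added example that is not from the thread or the tutorial. extract() over a constructed query array imitates register_globals (removed in PHP 5.4), and the session key user_id is an assumption.

```php
<?php
// Added example. The arrays are constructed stand-ins for $_GET and
// $_SESSION so the script runs from the command line; 'user_id' is an
// assumed session key.

/** The tutorial's style of check: trusts variables any visitor can set. */
function authorized_from_request(array $query): bool
{
    $first_name = null;
    $email = null;
    // register_globals turned each query-string key into a global variable
    // of the same name; extract() imitates that behaviour here.
    extract($query, EXTR_OVERWRITE);
    $denied = ($first_name != true && $email != 'yourEmail@somewhere.com');
    return !$denied;
}

/** Session-based check: only state the server stored at login counts. */
function authorized_from_session(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Constructed requests: a visitor who never logged in, and one who did.
$cases = [
    'query string only' => [
        'query'   => ['first_name' => 'x', 'email' => 'yourEmail@somewhere.com'],
        'session' => [],
    ],
    'after a real login' => [
        'query'   => [],
        'session' => ['user_id' => 42],
    ],
];

foreach ($cases as $label => $case) {
    printf(
        "%-20s request-check=%s session-check=%s\n",
        $label,
        var_export(authorized_from_request($case['query']), true),
        var_export(authorized_from_session($case['session']), true)
    );
}
```

In a real page the second check reads $_SESSION after session_start(); values from $_GET, $_POST or $_COOKIE never decide who is logged in.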
