Home/ Questions/Q 6669301
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T03:08:01+00:00

This question has more to do with how I am setting up my server

  • 0

This question has more to do with how I am setting up my server side code for a simple login script. I’m interested in the best way to achieve my goal, which is of course to verify a users username and password against a database and present them with either a successful login, a registration page, or a username or password found, but the alternative is wrong.

Right now, I have it set up where my sql query scans the database for both the user and pass:

SELECT * FROM test WHERE userName='" + userName + "' AND pass='" + password + "'"

Problem with this approach is it either returns a true or false…I cannot tell if one of the inputs was correct and the other wasn’t. It either finds the record, or it doesn’t.

So I could query based on the username alone, and if found check the record for the correct password before passing the user onto a successful login. That way I know if the password is wrong, but I have no idea if the password is right and the user simply types the wrong username.

Alternatively, I could extend on that, and if the user isn’t found, requery the database based on the password and determine if I can find a record but the username doesn’t match. It seems like a lot of back and forth with the database, which is fine. But i’d like to hear from some experts on whether or not this is a proper approach.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You don’t want to disclose too many information to people with bad intents trying to probe your system for available usernames (or even – god forbid – passwords that are in use).

    When a login attempt failed, simply display a message stating:

    Username and/or password mismatch.

    As an aside, use prepared statements, rather than string concatenation when working with your database; it protects you from SQL injection attacks.
    Plus – although it’s not entirely clear from your code snippet – don’t store plain passwords or plain password hashes. Rely on one of the many available and well tested encryption/hashing libraries e.g. PHP’s crypt function (make sure you select a proper hashing function such as SHA512).

    Your code in the most simplest form would then look like this:

    // coming from your login page
$dbh = new PDO(…);
$sth = $dbh->prepare('SELECT `digest` FROM `users` WHERE `name` = :name LIMIT 1');
$sth->prepare(array( ':name' => $_POST['username'] ));
$result = $sth->fetch();

if($result !== FALSE && crypt($_POST['password'], $result['digest']) === $result['digest']) {
  printf('You logged in successfully as %s', htmlspecialchars($_POST['username']));
} else {
  echo 'Sorry, username and/or password did not match! Please try again.';
  sleep(1);
  exit;
}
    • 0