passwords

Hi, does anyone know how to do a check against an encrypted password by the password function? Specifically I want to use a query to see if the user has entered the correct password. Is there anyway to do this? I've used password('userspassword') to encrypt the password, now I need to know how to select records for passwords that match. Is there anyway to do it?

Thanks in advance,

<!--Jay//-->Jayseph Richardson
ETM Network - http://www.etmnet.com
Blizzard Nation - http://www.blizzardnation.com

I assume you are talking about the mysql function 'password()' as php doesn't have a password() function.

If so to do a compare you could build your query like.

select * from users where password=password(enteredpassword);

Sorry, yes I meant the mySQL password function and the query you suggest doesn't work. I've tried it before and it seems to not return any valid records.

Any other suggestions??

Yes. I forgot the '' around the password.

This IS tested and works:

select * from your_table where password=password('enteredpassword');

Rod

Hi, I'm tried that as well awhile back and again today and it doesn't seem to work either. Here is a little snippet of code

$query = "SELECT * FROM $userstable WHERE ACCOUNT_USERNAME = '$account_username' and ACCOUNT_PASSWORD = password('$account_password') ORDER BY ACCOUNT_NUMBER";

$result = mysql_query($query);

/* How many of these orders are there, if any? */
$number = mysql_numrows($result);

$i = 0;
if ($number == 0)
{

}
elseif ($number > 0)
{

}

The select statment always seems to return 0 records which causes it to go into the first if instead of the elseif. I've tried using the select statment below but it returns a true value no matter what the username and password are (which is the opposite problem).

$query = "SELECT count(*) FROM $userstable WHERE ACCOUNT_USERNAME = '$account_username' and ACCOUNT_PASSWORD = password('$account_password') ORDER BY ACCOUNT_NUMBER";

Any additional help would be appreciated.

I see one error and it might be a typo. It's not mysql_numrows() but mysql_num_rows().

Also you say the second query returns true. Does that mean you get a result id in $result? You only get false if there is an error, not if it's an empty set. If however you mean you get data returned then that means the num_rows thing was a typo... it also means I'm not sure what's wrong...


I don't use ANDs in the where clauses if I can help it. Unfortunately, because you've used the mysql password function to encrypt instead of a php md5() or encrypt() you have to do the encrypting in the query, which, unless you've made passwords unique, means you HAVE to use the AND in the query. That's one of the reasons I never use the mysql password() function outside of the mysql permissions table. I always use md5 and pull the record on the index (it's also faster and less overhead), then encrypt in the script. Kinda like this:

<?
$result=mysql_query("select * from users where uid='$uid');
$info=mysql_fetch_array($result);
if($info[password]!=md5($entpassword))
{
/* password invalid */
}else
{
/* password valid */
}

The other nice thing about that is you can use a char(32) field instead of a varchar(n) field in the table for the password field.

l8r

Rod