Login | Register   
LinkedIn
Google+
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


Tip of the Day
Language: SQL
Expertise: Intermediate
May 23, 2005

Using a MySQL Database to Validate Usernames and Passwords

A common mistake many developers make is using their MySQL database to validate a user name and password combination.

Here's a typical SQL query checking for the existence of a user trying to login:


SELECT 1 FROM <USERTABLE> WHERE USERNAME="<USERNAME>" AND 

USERPASSWORD="<USERPASSWORD>"
If a record matches, the database returns that record and the process continues.

But in MySQL, the above query allows a person with knowledge of the just the USERNAME alone to gain access to the system without much difficulty.

For instance, suppose a user keys in the value for USERNAME as <USERNAME>##" and for PASSWORD, he keys in anything. Because MySQL interprets the character "##" as a comment, the query is terminated when the "##" character is found and there definitely will be a record matching just the username. The query thus returns a record and allows this user to login.

Here's an effective query:


SELECT 1 FROM <USERTABLE> WHERE USERNAME="<USERNAME>"
Always be sure to check whether the username contatins a character like "##" and throw an appropriate error before even sending it to the database.

MS Sridhar
 
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap