php crypt password and postgresql database


I used this function to encrypt my password on the DB side:

  UPDATE ucty SET psswd = crypt('some_pswd', gen_salt('md5')) WHERE uid = '1';

I am using this code in my PHP script:

  $query = "SELECT meno, priezvisko, nickname, psswd, uid FROM ucty WHERE nickname = '$nickname' AND psswd = crypt('$password', psswd)";

Everything is fine, but I'm not sure this is the right way to protect my password.

Any advice?

You are right; this is not the right way to secure your password.

  • You are encrypting the password as part of the query. It can be logged (in plain text), so it is very possible for intruders (or anyone listening to your traffic) to see users' passwords in plain text.

    "How can I stop it?" You can read about doing your hashing on the server side, within your PHP code, in the PHP manual.

    Basically, you want your query to set a password like this:

      -- $hash holds the password hash computed in your PHP code
      UPDATE ucty SET psswd = $hash WHERE uid = 1;
  • You are inserting the variables directly into the SQL statement. You did not mention what method you are using to query the database, but you want to use prepared statements; this is a safe way to pass in the data provided by the user (which is $nickname and $password).

    This would be an example of a good way to use prepared statements:

      $query = "SELECT meno, priezvisko, nickname, psswd, uid " . "FROM ucty " . "WHERE nickname = ? AND psswd = ?";
      $stmt = $dbh->prepare($query);
      $stmt->execute(array($nickname, $hashed_password));
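The two points of this answer (hash in PHP rather than in the SQL text, and bind user input with prepared statements) put together in one login flow, as an added example that is not code from the answer above. It assumes a PDO connection `$dbh` to PostgreSQL, a table `ucty(uid, nickname, psswd)` whose `psswd` column is wide enough for a bcrypt string (60 characters), and the hypothetical function names `create_account` and `login`.

```php
<?php
// Added example: hashing happens in PHP, so the plaintext password never
// appears in the SQL text (and therefore never in query logs), and every
// user-supplied value is bound as a parameter instead of being interpolated.

function create_account(PDO $dbh, string $nickname, string $password): void
{
    // password_hash() generates a random salt and uses bcrypt by default.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $dbh->prepare('INSERT INTO ucty (nickname, psswd) VALUES (?, ?)');
    $stmt->execute([$nickname, $hash]);
}

function login(PDO $dbh, string $nickname, string $password): ?array
{
    // Look the row up by nickname only; the password is verified in PHP,
    // so the SQL contains neither the plaintext nor the hash.
    $stmt = $dbh->prepare('SELECT uid, nickname, psswd FROM ucty WHERE nickname = ?');
    $stmt->execute([$nickname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password give the same result to the caller.
    if ($row === false || !password_verify($password, $row['psswd'])) {
        return null;
    }

    // Upgrade the stored hash if PASSWORD_DEFAULT has moved on since it was made.
    if (password_needs_rehash($row['psswd'], PASSWORD_DEFAULT)) {
        $upd = $dbh->prepare('UPDATE ucty SET psswd = ? WHERE uid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['uid']]);
    }

    unset($row['psswd']); // do not hand the hash back to the rest of the app
    return $row;
}

// Constructed usage; DSN and credentials are placeholders.
$dbh = new PDO('pgsql:host=localhost;dbname=mydb', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
create_account($dbh, 'alice', 'correct horse battery staple');
$user = login($dbh, 'alice', 'correct horse battery staple'); // array with uid, nickname
$fail = login($dbh, 'alice', 'wrong password');               // null
```

The stored value is a salted bcrypt hash, so the pgcrypto `crypt()` call in the query is no longer needed, and the comparison does not depend on the database seeing the password at all.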
