How do you usually write your login function?

Source: Internet
Author: User
Tags: ldap
I know the usual practice is to query the password by user name; if it matches, the login succeeds, and then a cookie is used to save the user ID and user name.
Isn't that a bit too simple? What is the more advanced approach?


Reply to discussion (solution)

That's basically it!
Query the record by user name, then compare the password in the returned data; the password should of course be encrypted in some way too!

As for the cookie part, your approach is too simple. It should be encrypted, and should contain the user UID, the time, the IP and other flag bits!

When a request comes in, the program decrypts the data in the cookie and compares it with the database to check whether it is the same logged-in person.

You might also want to add some permission validation. A rights-management module is usually included in a typical application, and the login has to verify permissions. You can refer to some source code for the specifics.

On top of your approach, I add a verification code.

The basic practice is like that; the password can then be encrypted.

On top of your approach, I add a verification code.

Me too.

The simplest is to verify the user name and password; then you can add a verification code, and at the same time check a blacklist in the background so that blacklisted users cannot log in.
You can also limit the number of times a user enters an incorrect user name or password; when there are too many errors, they can't log in for a certain amount of time. Actually, if you think about it carefully, there are still a lot of things that can be added to the login function above.
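The failure limit and temporary lock-out described in the reply above, as an added example that is not code from the thread. It keeps a per-user counter of consecutive failures, locks the account for a window once the counter reaches a threshold, and also exposes the "verification code after the first failure" rule that a later reply mentions. The threshold (5 attempts), the window (15 minutes) and the injectable clock are assumptions made for this example; the password check itself is passed in as a boolean so the throttle stays independent of how credentials are stored.

```python
"""Added example: failed-login counter with a lock-out window (not from the thread)."""
import time
from collections import defaultdict

MAX_FAILURES = 5           # assumption: lock after 5 consecutive wrong attempts
LOCKOUT_SECONDS = 15 * 60  # assumption: 15-minute lock


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can move time forward
        self.failures = defaultdict(int)   # user name -> consecutive failures
        self.locked_until = {}             # user name -> unix time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the state so the user gets a fresh budget.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def needs_captcha(self, user):
        # Require a verification code as soon as there has been one failure.
        return self.failures.get(user, 0) >= 1

    def record_failure(self, user):
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return self.failures[user]

    def record_success(self, user):
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)

    def attempt(self, user, password_ok):
        """Return 'locked', 'ok' or 'failed'.

        password_ok is the result of the real credential check; a locked account
        is rejected even when the password is right, so the lock is enforced
        before the credentials are looked at.
        """
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.record_success(user)
            return "ok"
        self.record_failure(user)
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(throttle.attempt("bob", False))   # failed x5
    print(throttle.attempt("bob", True))        # locked
```

Keying the counter on the user name alone means anyone who knows a user name can lock that user out; in practice the same counter is usually kept per source IP as well, and the lock-out events are logged so the security team can see a burst of failures against many accounts.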

Be aware of SQL injection issues and do not use this method:

SELECT COUNT(*) FROM user WHERE un = 'xxx' AND pw = 'xxx'

Instead, query the specified user name first, check whether the number of returned rows is greater than 0, and then check whether the password (pw) is correct.
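The two-step lookup recommended above, as an added example that is not code from the thread. The vulnerable function splices user input into the single COUNT(*) query the reply warns against (it also keeps a clear-text pw column, purely so that query can run); the hardened function binds the user name as a parameter, fetches the row, and then verifies the password against a salted PBKDF2 hash in constant time. The table layout, the sample account and the PBKDF2 work factor are assumptions made for this example.

```python
"""Added example: username-first lookup with a bound parameter (not from the thread)."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

ITERATIONS = 200_000            # assumption: PBKDF2 work factor, tune per hardware
DUMMY_SALT = os.urandom(16)     # used to keep timing flat when the user does not exist


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one sample account (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, un TEXT UNIQUE, "
        "pw TEXT, salt BLOB, hash BLOB)"
    )
    # The clear-text pw column exists only so the vulnerable query below can run.
    salt, digest = hash_password("correct horse")
    conn.execute(
        "INSERT INTO user (un, pw, salt, hash) VALUES (?, ?, ?, ?)",
        ("alice", "correct horse", salt, digest),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, un: str, pw: str) -> bool:
    """The pattern the reply warns against: input spliced straight into the SQL."""
    sql = f"SELECT COUNT(*) FROM user WHERE un = '{un}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, un: str, pw: str) -> Optional[int]:
    """Return the user id on success, None otherwise."""
    # Step 1: look up the user name alone, with a bound parameter so the
    # driver never treats the input as SQL.
    row = conn.execute("SELECT id, salt, hash FROM user WHERE un = ?", (un,)).fetchone()
    if row is None:
        hash_password(pw, DUMMY_SALT)  # same cost as a real check; no user enumeration by timing
        return None
    uid, salt, stored = row
    # Step 2: recompute the hash and compare in constant time.
    _, candidate = hash_password(pw, salt)
    return uid if hmac.compare_digest(candidate, stored) else None


# Classic tautology input; the hardened path treats it as a literal password.
TAUTOLOGY = "' OR '1'='1"


def compare_behaviour(conn: sqlite3.Connection) -> Tuple[bool, Optional[int]]:
    """Return (vulnerable_result, hardened_result) for the tautology input."""
    return login_vulnerable(conn, "alice", TAUTOLOGY), login_hardened(conn, "alice", TAUTOLOGY)


if __name__ == "__main__":
    db = make_db()
    print(login_hardened(db, "alice", "correct horse"))  # 1
    print(compare_behaviour(db))                         # (True, None)
```

Looking the user up first and then verifying the hash is what makes the stored password format independent of the SQL: the database never sees the password at all, so it cannot be compared with a string the client controls.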


Be aware of SQL injection issues and do not use this method:

SELECT COUNT(*) FROM user WHERE un = 'xxx' AND pw = 'xxx'

Instead, query the specified user name first, check whether the number of returned rows is greater than 0, and then check whether the password (pw) is correct.



This is the right way to do it; this is the basic implementation of a sign-in feature.
Reading the above, you all seem new at this, so let me share a bit of our experience. The status after login generally does not use cookies; it should be the session. If cookies have to be used, then what? Have you considered that cookies are vulnerable to attacks on the network? Passwords are of course never saved there. For security we also set session.cookie_httponly. As for the verification code, the most user-friendly approach is to require the verification code only after the first failed attempt; a lot of large sites do this. Then keep login-failure statistics per user and, as needed, lock the user for 1 year.
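The earlier reply asks for a cookie carrying the UID, time and IP that the server checks on every request, and the reply above adds that the cookie must be HttpOnly. The following added example (not code from the thread) covers both: the token is an HMAC-signed payload, so any change to the UID, time or IP is detected, and the Set-Cookie header is built with the HttpOnly, Secure and SameSite attributes. Signing with HMAC replaces the "encryption" the earlier reply mentions; it stops tampering, which is the property a login cookie needs, and the payload holds nothing secret. The secret key placeholder, the one-hour lifetime and the cookie name are assumptions made for this example.

```python
"""Added example: HMAC-signed login token with HttpOnly cookie (not from the thread)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"PLACEHOLDER-replace-with-32-random-bytes-from-os.urandom"  # placeholder key
TTL_SECONDS = 3600           # assumption: token valid for one hour
COOKIE_NAME = "sid"          # assumption


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(uid: int, ip: str, now: Optional[float] = None) -> str:
    """Build payload.signature; the payload carries uid, issue time and client IP."""
    iat = int(time.time() if now is None else now)
    payload = json.dumps({"uid": uid, "iat": iat, "ip": ip}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, ip: str, now: Optional[float] = None) -> Optional[int]:
    """Return the uid if the token is authentic, unexpired and from the same IP."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:          # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time signature check first
        return None
    data = json.loads(payload)                   # safe to parse only after the MAC passes
    current = time.time() if now is None else now
    if current - data["iat"] > TTL_SECONDS:
        return None
    if data["ip"] != ip:                         # the IP binding the earlier reply asks for
        return None
    return data["uid"]


def set_cookie_header(token: str) -> str:
    """HttpOnly keeps the token away from script; Secure restricts it to HTTPS."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={TTL_SECONDS}")


if __name__ == "__main__":
    tok = issue_token(42, "10.0.0.1")
    print(set_cookie_header(tok))
    print(verify_token(tok, "10.0.0.1"))   # 42
    print(verify_token(tok, "10.0.0.2"))   # None
```

The IP binding is a trade-off: it blocks a token replayed from elsewhere, but it also logs out users whose address changes (mobile networks, proxies). The alternative the reply above prefers, a server-side session keyed by a random id, needs no signature at all, because the cookie then carries nothing but an unguessable lookup key; the cookie attributes shown here apply to that design unchanged.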

Be aware of SQL injection issues and do not use this method:

SELECT COUNT(*) FROM user WHERE un = 'xxx' AND pw = 'xxx'

Instead, query the specified user name first, check whether the number of returned rows is greater than 0, and then check whether the password (pw) is correct.



Why do it that way? Isn't it all the same?

On top of your approach, I add a verification code.


Add one more thing: a "remember login" option.


Be aware of SQL injection issues and do not use this method:

SELECT COUNT(*) FROM user WHERE un = 'xxx' AND pw = 'xxx'

Instead, query the specified user name first, check whether the number of returned rows is greater than 0, and then check whether the password (pw) is correct.



Why do it that way? Isn't it all the same?



Filter the variables when they are received, to prevent SQL injection.

Mine is simpler than yours ...
We basically use LDAP-based authentication:
so we just validate the input a little, then verify it.
Check whether the database has data for this ID; if not, fetch it from LDAP and write it to the database ... Then return the relevant information directly into the session ...

The simplest is to verify the user name and password; then you can add a verification code, and at the same time check a blacklist in the background so that blacklisted users cannot log in.
You can also limit the number of times a user enters an incorrect user name or password; when there are too many errors, they can't log in for a certain amount of time. Actually, if you think about it carefully, there are still a lot of things that can be added to the login function above.


Correct answer: encrypt the password, and decrypt it on read.