September 6, 2014 at 10:38 am #181907 chrisburton Participant
I understand doing that with usernames, but why do it with passwords? That’s like the opposite of good password practice.
September 6, 2014 at 11:10 am #181910 __ Participant
- Passwords should allow any characters. Never alter passwords the user submits: only accept or reject them.
- Good passwords should have a minimum length (12+ characters; even more is even better). To avoid problems with HTTP and/or DDOS attacks, a maximum length of 150 or so is acceptable.
- Better passwords should include a good variety of characters (letters, numbers, punctuation).
- Passwords should never be single words, names, dates, quotes or song lyrics.
- Passphrases (i.e., whole sentences) are far, far, far better than passwords.
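As an added example (not code from the thread), here is a PHP policy check that applies the rules in the post above: it only accepts or rejects and never alters the submitted password. The 12/150 limits come from the post; the variety and single-word/date checks are one possible reading of the remaining rules.

```php
<?php
// Added example (not from the thread): a password policy check following the rules above.
// It never modifies the password; it only reports why it was rejected.
declare(strict_types=1);

const PASSWORD_MIN_LENGTH = 12;   // from the post: 12+ characters
const PASSWORD_MAX_LENGTH = 150;  // from the post: cap to avoid oversized requests

/**
 * Returns a list of policy violations; an empty list means the password is acceptable.
 */
function checkPasswordPolicy(string $password): array
{
    $problems = [];

    // Length is measured in bytes on purpose: request size and hashing cost
    // depend on bytes, and every character is allowed.
    $length = strlen($password);
    if ($length < PASSWORD_MIN_LENGTH) {
        $problems[] = 'too short (minimum ' . PASSWORD_MIN_LENGTH . ' characters)';
    }
    if ($length > PASSWORD_MAX_LENGTH) {
        $problems[] = 'too long (maximum ' . PASSWORD_MAX_LENGTH . ' characters)';
    }

    // Variety: count the character classes present (letters, digits, everything else).
    $classes = 0;
    $classes += preg_match('/\p{L}/u', $password) ? 1 : 0;
    $classes += preg_match('/\p{N}/u', $password) ? 1 : 0;
    $classes += preg_match('/[^\p{L}\p{N}]/u', $password) ? 1 : 0;
    if ($classes < 2) {
        $problems[] = 'use a mix of letters, numbers and punctuation';
    }

    // A single word (letters only, no spaces) is rejected; a multi-word passphrase passes.
    if (preg_match('/^\p{L}+$/u', $password)) {
        $problems[] = 'a single word is not acceptable; use a passphrase';
    }

    // Bare dates such as 1999-12-31 or 12/31/1999 are rejected.
    if (preg_match('/^\d{1,4}[\/.-]\d{1,2}[\/.-]\d{1,4}$/', $password)) {
        $problems[] = 'a date is not acceptable';
    }

    return $problems;
}

// Constructed inputs for a quick self-check:
var_dump(checkPasswordPolicy('correct horse battery staple 42!')); // empty array: accepted
var_dump(checkPasswordPolicy('Password1'));                         // rejected: too short
```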
September 7, 2014 at 6:37 pm #182083 chrisburton Participant
Not to get too far off-topic but I’ve been watching this video tutorial series on creating a user system and it’s really awesome for learning about classes, functions and OOP. There are 23 parts. You should take some time to watch it, @drose379.
I’ve also learned that when setting the host for a DB connection, it’s better to use `127.0.0.1` rather than `localhost` so the server(?) doesn’t have to do a DNS lookup; therefore, it’s faster.

September 7, 2014 at 6:43 pm #182085 chrisburton Participant

September 7, 2014 at 6:55 pm #182087 chrisburton Participant
Your PDO connection looks like this, correct?:

```php
new PDO('mysql:host=localhost;dbname=database', $user, $pass);
```
Just change `localhost` with `127.0.0.1`.

September 7, 2014 at 7:20 pm #182088 __ Participant
edit
I’m leaving the next four paragraphs because they have useful info. However, I misread your actual question, so what I wrote isn’t directly relevant to what you’re asking (just listen to @chrisburton instead). So, feel free to skip this part:
Practically every computer you work with will use 127.0.0.1 as its local address. If you’re working between machines on your local network, it will be different.
As an aside, there shouldn’t be any measurable performance difference between typing `http://localhost` and `http://127.0.0.1`. If you have multiple (or oddly configured) webservers running on your computer, or if you’re connecting to some other type of local server (e.g., a database server), then you might have problems… but in general, you shouldn’t.

(You can edit your `hosts` file and use whatever domain name you like for your local sites. If you’re on Windows, it’s usually at `%SystemRoot%\system32\drivers\etc\hosts`; Linux (and also Mac AFAIK) are in `/etc/hosts`. I usually set up local domain names for new projects.)

Your webhost’s IP address can be found by using a whois lookup. Just google it. However, you probably do not want to use an IP address for your hosted website. Especially with shared hosts, it is highly unlikely that your site will be the only one using its IP address. The hostname is the only way you’ll be able to find your site reliably.
edit: start reading again here
your login script:
Yes, that’s how you use prepared statements.
However, that particular query is kind of useless. Why are you asking for the username when you already know the username? Why not ask for the password hash, so you don’t have to run a second statement just for that?
Have you sketched out an overall design for how your login process will work? I often use a process like this:
```php
$sql = 'select password_hash from users where username=?';
// prepare and execute the statement, then fetch the single column
$stmt = $pdo->prepare( $sql );
$stmt->execute( [ $username ] );
$password_hash = $stmt->fetchColumn();
if( $password_hash !== false && password_verify( $password, $password_hash ) ){
    /* log in */
    /* tell them it worked */
}
else{
    /* waste some time */
    time_nanosleep( 0, 500000000 );
    /* tell them it failed */
}
```
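The login flow sketched above, written out as an added example (not the thread's own code). It assumes an already-open PDO connection in `$pdo`, a started session, and a `users` table with `id`, `username` and `password_hash` columns; the dummy-hash trick and the rehash step go beyond the sketch, to keep timing uniform for unknown usernames and to upgrade old hashes.

```php
<?php
// Added example (not from the thread): one login attempt with a prepared statement,
// password_verify(), uniform timing for unknown users, and hash upgrades.
declare(strict_types=1);

// Hash of a throwaway value, computed once at startup, so that an attempt against an
// unknown username still pays for exactly one password_verify() call.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

/**
 * Returns the user's id on success, or null on failure. The work done is roughly the
 * same whether or not the username exists, so the response does not reveal it.
 */
function attemptLogin(PDO $pdo, string $username, string $password, string $dummyHash): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash, or against the dummy hash when no such user exists.
    $hash = $row ? $row['password_hash'] : $dummyHash;
    $ok = password_verify($password, $hash) && $row !== false;

    if (!$ok) {
        // Slow down guessing a little, as in the sketch above.
        time_nanosleep(0, 500000000);
        return null;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed since it was made.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }

    // Issue a fresh session id on login so a pre-set session id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return (int) $row['id'];
}
```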
September 7, 2014 at 7:25 pm #182089 chrisburton Participant

September 7, 2014 at 7:36 pm #182090 __ Participant
I misread the question. (sorry! edited my post.)
As far as lookup time goes, DNS lookup for “localhost” happens on your local machine (that’s what the `hosts` file is for), so it will actually be much quicker than DNS lookup for any address you visit on the web. Yes, if you use the IP address you don’t need to do a lookup at all, but you will never notice the difference in speed.

Using the IP address for your DB connection actually has more to do with the possibility that “localhost” won’t successfully find your DB at all (so, yes, do it). “localhost” will either work or it won’t; it’s not a speed issue.
September 7, 2014 at 8:01 pm #182091 chrisburton Participant
Thanks for the clarification. Can’t get it to work on MAMP when connecting to my DB. Either way, the author of the video makes it seem (even suggests) that you’ll notice a difference. This is the kind of thing I hate about tutorials. Misrepresentation and misinformation.
September 7, 2014 at 9:24 pm #182094 __ Participant
This is the kind of thing I hate about tutorials. Misrepresentation and misinformation.

well… you win some, you lose some. In this case, it’s still good advice, even if the specific explanation doesn’t hold up. So, in the long run, whatever.

Was that vid from the series you recommended earlier? I watched the first three, and there were some things that weren’t great practice (mostly regarding the DB), but so far it seems like a solid tutorial and “smarter-than-the-average-bear” code. I’ll watch more later.
September 8, 2014 at 7:47 am #182134 chrisburton Participant
Was that vid from the series you recommended earlier?
Yes it is.
I watched the first three, and there were some things that weren’t great practice (mostly regarding the DB)
Can you elaborate?
September 8, 2014 at 11:07 am #182178 __ Participant
He stores JSON in a column to represent a map of permissions. This makes the data “opaque” to the database. For example, if you wanted to find all of the “admin” users, you could not query the database to do it: you’d have to select all of the users, parse the JSON, and then check. You can imagine how impractical this might become if you had hundreds or thousands of users, or if the average permissions map was very long.
Instead, user→permission maps should be stored in their own tables in the DB. This way, the database can search and index them:
```sql
create table users(
    id serial primary key,
    -- . . .
);
create table permissions(
    name varchar(100) primary key,
    -- description, etc.
);
create table user_permissions(
    userid bigint unsigned,
    permission varchar(100),
    primary key(userid, permission),
    foreign key(userid) references users(id),
    foreign key(permission) references permissions(name)
);
```
I usually have a table of `group`s as well, which can assign several permissions at one go. There’s effectively only one group in this example, but it’d be nice if you could efficiently change that as needed in the future.

He also didn’t index his tables beyond assigning a primary key, though he might address this later in the series. The username, for example, should be indexed because it is so likely to be used in a “where” clause in queries. It should also be `unique` so you don’t have to rely on the application to make sure usernames aren’t duplicated (doing this in the DB would not only be simpler, it would prevent race conditions).

I also found it odd that he defined a global config, and then wrote a class to access it. It would have been so much better to just put the config array in the class.
…Watching a few more now.
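As an added example (not the thread's own code), the three-table layout from the post above loaded into an in-memory SQLite database with constructed rows, so the database itself answers "which users are admins?" and enforces a unique username. The table and column names follow the post; the sample users and the SQLite spelling of the auto-increment key are assumptions.

```php
<?php
// Added example (not from the thread): the users/permissions/user_permissions layout
// above in SQLite, with a unique username index and a join-based permission lookup.
declare(strict_types=1);

function buildDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('PRAGMA foreign_keys = ON'); // SQLite only enforces FKs with this on
    // Same shape as the thread's schema; SQLite spells the auto-increment key differently.
    $pdo->exec('CREATE TABLE users(
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username VARCHAR(100) NOT NULL UNIQUE, -- unique index, as recommended above
        password_hash VARCHAR(255) NOT NULL)');
    $pdo->exec('CREATE TABLE permissions(name VARCHAR(100) PRIMARY KEY, description TEXT)');
    $pdo->exec('CREATE TABLE user_permissions(
        userid INTEGER NOT NULL,
        permission VARCHAR(100) NOT NULL,
        PRIMARY KEY(userid, permission),
        FOREIGN KEY(userid) REFERENCES users(id),
        FOREIGN KEY(permission) REFERENCES permissions(name))');
    return $pdo;
}

/** Usernames holding a permission: one indexed join, no JSON parsing in PHP. */
function usersWithPermission(PDO $pdo, string $permission): array
{
    $stmt = $pdo->prepare('SELECT u.username FROM users u
        JOIN user_permissions up ON up.userid = u.id
        WHERE up.permission = ? ORDER BY u.username');
    $stmt->execute([$permission]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildDemoDb();
// Constructed sample data.
$pdo->exec("INSERT INTO permissions(name) VALUES ('admin'), ('post')");
$ins = $pdo->prepare('INSERT INTO users(username, password_hash) VALUES (?, ?)');
foreach (['alice', 'bob', 'carol'] as $name) {
    $ins->execute([$name, password_hash("demo-$name", PASSWORD_DEFAULT)]);
}
$pdo->exec("INSERT INTO user_permissions(userid, permission)
    SELECT id, 'admin' FROM users WHERE username IN ('alice', 'carol')");
print_r(usersWithPermission($pdo, 'admin')); // alice, carol

// The UNIQUE constraint rejects a duplicate username inside the database,
// so the application needs no racy "check, then insert" step.
try { $ins->execute(['alice', 'x']); } catch (PDOException $e) { echo "duplicate username rejected\n"; }
```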
September 8, 2014 at 11:11 am #182180 chrisburton Participant
Awesome clarification, @traq. This actually helps me with the comment system I’m building (slowly but surely).
The following is what I don’t understand
```php
class Config {
    public static function get($path = null) { // Path is set to null
        if($path) { // Meaning, if $path is set to null?
            $config = $GLOBALS['config']; // Redefines the GLOBAL config to $config
            $path = explode('/', $path); // $path is redefined to what now? I thought it was null?
            ...
        }
    }
}
```
https://www.youtube.com/watch?v=S6vDgLwJ7n8
Edit: Duh. I should have rewatched the video. The answer starts at 3mins.
September 8, 2014 at 12:40 pm #182191 chrisburton Participant
What’s with the quotes and single quotes (`'$username'`, `"$pass"`)? They’re already a string. Where is `$pass` coming from?

September 8, 2014 at 12:53 pm #182195 chrisburton Participant

```php
$query = "SELECT password FROM users WHERE username = :username";
```
The bind should happen on `$username` if I’m not mistaken. But where is `$pass` coming from?
- The forum ‘Back End’ is closed to new topics and replies.