[RESOLVED] Couple Related Questions

brendan2b

Ok I didn't know where these pertained to best so I just stuck them all in the coding forum.

I have a couple of questions kind of related and was just wondering if someone out there has the knoweledge to answer them. I guarantee that someone has the answers but it is whether or not they are willing to help, so I thank you ahead of time.

question1:

I currently have the password of each user encrypted in my database using

md5();

Is it necessary to encrypt the username as well for increased security or is it pointless to do that?

question2:

How would I go about creating separate databases based on each user that registers for their unique information?

Also, is it better to do that than to create one database with multiple tables? I dont see what you would need that for so Im guessing multiple databases but I wasnt sure.

question3:

Also how do I change the data of the page based on username. Like i understand that

members.php?=$username

would be the information in the same row as $username, but how do you just create a page out of no where.

I have the page members.php and inside the page it pulls information out of a database based on the username/password. Does php recognize it and put that syntax in the url automatically or is there something I am missing. Thanks. Help is greatly appreciated.

NogDog

brendan2b wrote:
question1:

Is it necessary to encrypt the username as well for increased security or is it pointless to do that?

I suppose it would add another layer of security, which would be good. However, the question is whether or not you would ever need to retrieve the username as a query result (since md5() hashing is in effect a one-way encryption).

question2:

How would I go about creating separate databases based on each user that registers for their unique information?

Also, is it better to do that than to create one database with multiple tables? I dont see what you would need that for so Im guessing multiple databases but I wasnt sure.

Just one database with one set of tables. Each table that references some sort of user-specific data should include a column which refers to the primary key of the users table. This will keep things much easier to maintain and update, as well as backup and restore.

question3:

Also how do I change the data of the page based on username. Like i understand that
members.php?=$username
would be the information in the same row as $username, but how do you just create a page out of no where.

I have the page members.php and inside the page it pulls information out of a database based on the username/password. Does php recognize it and put that syntax in the url automatically or is there something I am missing. Thanks. Help is greatly appreciated.

The syntax of the URL would be something like:

members.php?name=username

. The user's name would then be available in the script as $_GET['name'], which you could then use as needed to control the content of the page.

brendan2b

Thank you very much NogDog. Your help is appreciated.

aaron_karp

Hi Brendan,

A couple answers:

1) It's pretty sufficient to encrypt just the passwords. However, for added security, some coders prefer to add a "salt" to the encryption. That means that whenever you encrypt a password, you pass in an extra piece of string. So if my $password = "ilovephp" instead of running md5($password) you would run md5($password . "z94w"); The reason for this is that every time you run md5 on a piece of text, it spits out the same result. And although it's nearly impossible to crack an md5 password with brute force (repetition), the hashes of many common passwords are well known. So if your database is broken into and your users' passwords are stolen, they can compare those hashed passwords to a list they have of millions of common hashes. If they find a match on "ilovephp"....bingo. But they most likely don't have "ilovephpz94w" on their list.

2) You almost certainly should not create a separate database OR table for each user. What you want is a separate ROW for each user. You have one database, named "main" then you have one table named "members" and inside the members table you create a new row for each member.

3) First things first. That query string. It should looke like members.php?[variable name]=[variable value] in other words members.php?name=aaron

Then in your script you can write:

echo $_GET['name']; // spits out "aaron" on the page

brendan2b

Thanks Aaron, I decided not to encrypt the usernames. Too much encryption when it isn't necessary.