使用MySQL数据库登录作为后端来验证站点上的管理员登录

Question

So I am building my first website that needs both an admin login portal and access to a simple MySQL database. I would like to ask if it is a terrible idea to basically use the access approved/denied system built into my DB to also verify the admin login.

Let me clarify,

<!--I basically want to do this:-->
<form action="verify.php">
<input type="text" name="username>
<input type="password" name="pass">
</form>

//verify.php
<?php
$user = $_POST['user'];
$pass = $_POST['pass'];
$connection = mysqli_connect("host", $user, $pass);
    if (//Connection success)
      //Allow login and load admin portal
    } else {
    //login fail
    }
?>

There might be some errors in the code, but I just wrote it here, consider it pseudo-code. I want to know if and why this is a bad idea besides the fact that if feels dirty. Yes, I know I would still need to encrypt the username and password for transfer.

Answer 1

Uhm, yes, it is a terrible idea. Here's why:

If you let the user login with an existing mysql user, you have a lot of security issues. Also you need to create a new mysql user for each user you want to add to your web application. You also need to consider the danger of mysql injections. ( http://en.wikipedia.org/wiki/SQL_injection )

You should better create a database for your application and create a user table. In this user table you can define your users username and password. Also you can define a user type. For example normal users and administrators, where only the administrators can login into your admin portal.

I recommend using a php framework for your application. It makes a lot of work much easier and your code much more secure.