PostgreSQL Login Errors

Do you have questions regarding other database engines (not MySQL) -- ask here!

Moderators: egami, macek, gesf

Monty51
New php-forum User
Posts: 7
Joined: Mon Mar 12, 2018 9:26 am

Mon Mar 12, 2018 9:49 am

New to this forum. If this is the wrong area to post this question, please direct me to a more appropriate place.

I'm trying to code something that returns login errors. I'd like to be more specific than "something went wrong" and was hoping to use one of the pg_error* functions, but nothing returns anything. As a test, I've coded the following, which is a part of an action from an HTML form. The form gets the username and password and passes them to the script via the POST method:

$dbconn = pg_connect("dbname=<something> user=$_POST[username] password=$_POST[password] <etc...>") or
    die ("Error: " . pg_last_error());

if ($dbconn == true) {
    // Success message
} else {
    // Failure message
}

This isn't returning anything visible to the screen. I've looked over the web for some examples but they seem pretty scarce that I can see. Maybe I'm not looking for the right thing.

Can anyone help me out on this? I'm learning both PostgreSQL and PHP at the same time and I could easily be missing something.

Thanks

phpRob
New php-forum User
Posts: 65
Joined: Mon Feb 26, 2018 7:15 am

Mon Mar 12, 2018 7:46 pm

Check the various "pg" functions at the php.net support site. I don't use pg, but read up on the functions that look like they may be useful. I see a pg_last_error and I see a few pg_result_??? functions. One of those may or may not apply. But really, aside from "pg" and about reporting login errors: if you think about it, it's kind of funny: we don't want to help people log in to our stuff that should not be logging in, right! hah! As such, let's not give meaningful errors or clues to help them guess how passwords are formatted or how many characters they should be. Same for usernames. You wanna really help them? Don't make them log in at all! hah! (I'm having fun here, sorry.) So...why have a login page....because it is a barrier to protect your site/app and its data and your interests and the interests of users who rely on you the developer to protect their data. So, it's often best to let them sit there and receive no meaningful errors when a login fails. If they are guessing passwords, they deserve nothing. No help. This is where the "I forgot my password" functionality comes in for those who really can't recall credentials that are truly theirs.

Monty51
New php-forum User
Posts: 7
Joined: Mon Mar 12, 2018 9:26 am

Tue Mar 13, 2018 4:29 am

A very similar thought occurred to me last night. I had found where PostgreSQL logs its error and did some experimenting. Turns out that no matter how I botch the login - wrong username or wrong password - the error log message was the same: password authentication failed for user <whatever>. After thinking about that for a bit I realized what an utterly simple method for compounding brute force logins.

Realizing that, I put the question to bed and can get on with learning and developing.

Thanks for your input.

Monty51
New php-forum User
Posts: 7
Joined: Mon Mar 12, 2018 9:26 am

Tue Mar 13, 2018 4:32 am

I believe the word I was looking for was "confounding", not "compounding".
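
An added example, not part of any post in this thread, of the approach the replies settle on: the visitor gets one generic failure message while the specific reason goes to the server log. It also quotes the submitted values so they cannot add extra keywords to the connection string. The host, the database name `exampledb`, and the helper names `conninfo_quote` and `try_login` are assumptions; the `username` and `password` fields are the ones from the original form.

```php
<?php
// Added example, not code from the thread. host/dbname are placeholders.

// Quote a value for a libpq connection string: wrap it in single quotes and
// backslash-escape ' and \ so input such as "bob host=elsewhere" stays one value.
function conninfo_quote(string $value): string
{
    return "'" . strtr($value, ["\\" => "\\\\", "'" => "\\'"]) . "'";
}

// Returns the connection on success, false on failure. The failure reason
// is written to the server log and never returned to the caller.
function try_login(string $user, string $password)
{
    $conninfo = sprintf(
        'host=localhost dbname=exampledb user=%s password=%s',
        conninfo_quote($user),
        conninfo_quote($password)
    );

    // pg_connect() returns false and raises an E_WARNING on failure; @ keeps
    // the warning off the page and error_get_last() still exposes its text.
    $dbconn = @pg_connect($conninfo);
    if ($dbconn === false) {
        $detail = error_get_last()['message'] ?? 'unknown error';
        // Strip control characters so submitted input cannot forge log lines.
        $detail = preg_replace('/[\x00-\x1f\x7f]+/', ' ', $detail);
        error_log('DB login failed for ' . json_encode($user) . ': ' . $detail);
        return false;
    }
    return $dbconn;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    // Reject array-valued fields (username[]=...) before they reach the quoting.
    $dbconn = (is_string($user) && is_string($pass)) ? try_login($user, $pass) : false;
    if ($dbconn === false) {
        http_response_code(401);
        // Same message whether the username or the password was wrong.
        echo 'Login failed. Check your username and password.';
    } else {
        echo 'Login successful.';
    }
}
```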
