PostgreSQL Login Errors

Anonymous

Guest
New to this forum. If this is the wrong area to post this question, please direct me to a more appropriate place.

I'm trying to code something that returns login errors. I'd like to be more specific than "something went wrong" and was hoping to use one of the pg_error* functions, but nothing returns anything. As a test, I've coded the following, which is a part of an action from an HTML form. The form gets the username and password and passes it to the script via the POST method:

$dbconn = pg_connect("dbname=<something> user=$_POST[username] password=$_POST[password] <etc...>")
    or die("Error: " . pg_last_error());

if ($dbconn == true) {
    // Success message
} else {
    // Failure message
}

This isn't returning anything visible to the screen. I've looked over the web for some examples but they seem pretty scarce that I can see. Maybe I'm not looking for the right thing.

Can anyone help me out on this? I'm learning both PostgreSQL and PHP at the same time and I could easily be missing something.

Thanks
 
Check the various "pg" functions at the php.net support site. I don't use pg, but read up on the functions that look like they may be useful. I see a pg_last_error and I see a few pg_result_??? functions. One of those may or may not apply. But really, aside from "pg" and about reporting login errors: if you think about it, it's kind of funny: we don't want to help people log in to our stuff that should not be logging in, right! hah! As such, let's not give meaningful errors or clues to help them guess how passwords are formatted or how many characters they should be. Same for usernames. You wanna really help them? Don't make them log in at all! hah! (I'm having fun here, sorry.) So...why have a login page....because it is a barrier to protect your site/app and its data and your interests and the interests of users who rely on you the developer to protect their data. So, it's often best to let them sit there and receive no meaningful errors when a login fails. If they are guessing passwords, they deserve nothing. No help. This is where the "I forgot my password" functionality comes in for those who really can't recall credentials that are truly theirs.
 
A very similar thought occurred to me last night. I had found where PostgreSQL logs its error and did some experimenting. Turns out that no matter how I botch the login - wrong username or wrong password - the error log message was the same: password authentication failed for user <whatever>. After thinking about that for a bit I realized what an utterly simple method for compounding brute force logins.

Realizing that, I put the question to bed and can get on with learning and developing.

Thanks for your input.
 
I believe the word I was looking for was "confounding", not "compounding".
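
The approach the thread settles on, as an added example that is not part of the original posts: the browser gets one generic message for every failed login, while the specific driver error goes only to the server log. The names conninfo_quote(), try_login() and GENERIC_FAILURE, the host "localhost" and the database "appdb" are assumptions.

```php
<?php
// Added example, not code from the thread. conninfo_quote(), try_login(),
// GENERIC_FAILURE, "localhost" and "appdb" are hypothetical names.
const GENERIC_FAILURE = 'Login failed. Check your username and password.';

// Quote a value for a libpq connection string: single quotes around it, with
// ' and \ backslash-escaped, so the input cannot add or change parameters.
function conninfo_quote(string $value): string
{
    return "'" . strtr($value, ["\\" => "\\\\", "'" => "\\'"]) . "'";
}

// Returns [connection or false, message that is safe to show in the browser].
function try_login(string $user, string $password): array
{
    if ($user === '' || $password === '') {
        return [false, GENERIC_FAILURE];
    }
    $conninfo = sprintf(
        'host=localhost dbname=appdb user=%s password=%s connect_timeout=5',
        conninfo_quote($user),
        conninfo_quote($password)
    );

    error_clear_last();
    $dbconn = @pg_connect($conninfo); // @ keeps the driver warning off the page
    if ($dbconn !== false) {
        return [$dbconn, 'Login successful.'];
    }

    // The specific reason goes to the server log only. Control characters are
    // replaced because the message can echo the submitted username.
    $detail = error_get_last()['message'] ?? 'no detail available';
    $detail = preg_replace('/[\x00-\x1F\x7F]/', ' ', $detail);
    error_log('DB login failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . ': ' . $detail);

    // Same text for a wrong username, a wrong password, or any other failure.
    return [false, GENERIC_FAILURE];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    [$dbconn, $message] = try_login($user, $pass);
    echo htmlspecialchars($message);
}
```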
 