tomJO tomJO - 1 month ago 4
MySQL Question

Bad practise? Take row by username, then do validations if passwords match and then add to session?

$user = \App\User::where("name", $req->us)->firstOrFail();


then:

if(Hash::check($plain_text_password, $user->password)){
//add user to session
}
else{
//bad credentials
}


I'm aware of other methods available in Laravel, I'm asking about this specific situation.

Answer

There are two approaches.

Approach 1. You can add both username password in the where condition.

If the username and password not matching, The error message will be like "Invalid Username and password"

Approach 2. (Your approach). Get the user record from the user table using where("name", $req->us) and validate the password if(Hash::check($user->password, $user->password)). The advantage in this approach is you can show the error message like below.

  • If the username is not in the table, you can display error like "Invalid Username".
  • If the password is not matching, you can display error like "Invalid Password".

You can use any approach and from a security perspective you can go with the approach 1.