php login using 2 database tables

Question

I'm trying to make a login script using 2 database tables (authors and editors). I'll post an example of them: Table 1: authors

|id|username|password|
| 1|  user  |  xyz   |

Table 2: editors

|id|username|password|
| 1| editor |  abcd  |

I want to make a single login using these 2 tables. I tried to use:

SELECT * FROM authors, editors WHERE username='mysql_real_escape_string($username)' AND password='mysql_real_escape_string($password)'

but it didn't work. Is there another way that should work for me? Thank you.

Plaintext passwords? Using the massively out of date `mysql_query`? You're setting yourself up for disaster here. A guide like [PHP the Right Way](http://phptherightway.com/) outlines best practices when implementing things like this. — tadman, Mar 12 '14 at 23:27

score 2 · Answer 1 · answered Mar 12 '14 at 23:16

2

You shouldn't do it this way, use one table with in it a roleid or something like it. This will eventually break.

If you really want to do it, no matter what, I would suggest doing a select on the author's table first. No result? Query the editors table.

But as I said, don't do it.

answered Mar 12 '14 at 23:16

Chilion

4,380
4
33
48

Yes. Having a `users` table that relates to editor or author profiles is the best way to do this. – tadman Mar 12 '14 at 23:28

score 1 · Answer 2 · edited May 23 '17 at 11:49

1

Try to select from a table or from the other

SELECT * FROM authors a, editors b
WHERE (a.username='mysql_real_escape_string($username)' AND a.password='mysql_real_escape_string($password)') 
OR (b.username='mysql_real_escape_string($username)' AND b.password='mysql_real_escape_string($password)')

but i don't know if this will give you what you expect.

As side note i'd encrypt my password and use prepared statments to avoid risk of mysql injection either with PDO or mysqli, mysql functions are deprecated though

edited May 23 '17 at 11:49

Community

1
1

answered Mar 12 '14 at 23:17

Fabio

23,183
12
55
64

Yeah that's what i thought and indeed i said it might not give him what he expects, but i don't see other way for a single query when they should be two – Fabio Mar 12 '14 at 23:30
Run query A, then if no matches, query B. This whole design needs to get thrown out, though, it's flawed, not to mention terrifyingly insecure. User authentication and profile information are separate concerns. – tadman Mar 12 '14 at 23:31
Hash, don't encrypt passwords. – Funk Forty Niner Mar 13 '14 at 00:51

st__gen_server · Answer 3 · 2014-03-15T11:21:20.580

1

You can try the below

"select * from(select * from authors union all select * from editors) a 
 where username = " . "'" . mysql_real_escape_string($username) . "'";

Let me know how it goes. Happy coding

edited Mar 15 '14 at 11:21

answered Mar 12 '14 at 23:23

st__gen_server

597
5
9

php login using 2 database tables

3 Answers3