Hugh Van Der Vaal wrote: Sorry . . .
Paul Clapham wrote: And second, your query should be like "Select 1 from users where userid = ? and password = ?". Then if you get a record back, you know the userid/password combination is valid. Otherwise it isn't. Returning a password from the database to your application and comparing it there is also a security hazard.
Paul Clapham wrote: It's a security issue because a validated password is being transmitted over the network, basically.
But yes, you're right that the server application should be doing the hashing and salting of proposed passwords and comparing the result to what's in the database. It's just that the code posted isn't doing that; it passes the validated password back to the client.
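A server-side check along the lines described in this thread, written here as an added example (it is not code from any of the posters): the lookup binds the userid as a parameter, the stored value is a per-user salt plus a PBKDF2 hash rather than the password, and the hashing and comparison happen in the application, so nothing password-related is sent back to the client. Because the salt is per user, the query fetches the salt and hash by userid instead of matching on a password column. The table layout, iteration count and sample users are constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed example: the users table stores a per-user salt and a
# PBKDF2-HMAC-SHA256 hash, never the password itself.
ITERATIONS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, userid: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (userid, salt, pw_hash) VALUES (?, ?, ?)",
        (userid, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn: sqlite3.Connection, userid: str, password: str) -> bool:
    # Parameterised lookup by userid only; salt and hash stay on the server.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which userids exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_hash = row
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def demo() -> tuple:
    conn = create_db()
    add_user(conn, "alice", "correct horse battery staple")
    return (
        verify_login(conn, "alice", "correct horse battery staple"),  # True
        verify_login(conn, "alice", "wrong"),                         # False
        verify_login(conn, "mallory", "anything"),                    # False
        verify_login(conn, "alice' OR '1'='1", "x"),                  # False: bound, not concatenated
    )
```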