#1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date: Apr 2012
    Posts: 8
    Rep Power: 0

    Need a little help


    Hi to all,

    I'm trying to write a registration/login system but I seem to have an error I cannot find.

    I'm using sha1 encryption for the password. The registration works like a charm. It inserts the user's info + the encrypted password without any errors.
    BUT when I try to login it doesn't work. The thing is that when I remove the encryption (from the registration and the login), I can register and login just fine.

    Does anyone have any ideas ?

    I am using Aptana Studio 3 and XAMPP 1.7.7

    Here are the codes:

    REGISTRATION:

    Code:
    <?php
    include('config.php');

    if($_SERVER['REQUEST_METHOD'] == 'POST'){
        // sha1() returns 40 hex characters, so the users.password column must be at least 40 wide
        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string(sha1($_POST['password']));

        if(empty($username)){
            echo("You must fill in a username!");
        }elseif(empty($password)){
            echo("You must fill in a password!");
        }else{
            // reject the registration if the username already exists
            $query = mysql_query("SELECT * FROM users WHERE username='$username'");
            $rows = mysql_num_rows($query);
            if($rows > 0){
                die("Username taken!");
            }else{
                $user_input = mysql_query("INSERT INTO users (username, password) VALUES ('$username', '$password')");
                echo "Successfully registered!";
            }
        }
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>Register</title>
        </head>
        <body>
            <form action="register.php" method="post">
            Username: <input type="text" name="username" /><br />
            Password: <input type="password" name="password" /><br />
            <input type="submit" value="Register!" />
            </form>
        </body>
    </html>
    and here is the LOGIN:

    Code:
    <?php
    include('config.php');

    if($_SERVER['REQUEST_METHOD'] == 'POST'){
        // session_start() must run before any output is sent, so it goes before the echo calls
        session_start();

        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string(sha1($_POST['password']));

        // the stored value must be the full, untruncated sha1 hash for this comparison to match
        $query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
        $query_rows = mysql_num_rows($query);

        if($query_rows > 0){
            echo "Successful login!";
            $_SESSION['login'] = "1";
        }else{
            echo "Bad login!";
        }
    }
    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
            <title>Login</title>
        </head>
        <body>
            <form action="login.php" method="post">
            Username: <input type="text" name="username" /><br />
            Password: <input type="password" name="password" /><br />
            <input type="submit" value="Login!" />
            </form>
        </body>
    </html>

    Thanks in advance!

#2
    I haz teh codez!
    Devshed Frequenter (2500 - 2999 posts)

    Join Date: Dec 2003
    Posts: 2,547
    Rep Power: 2337

    You do not need to escape something you're going to run through (or have run through) sha1.

    If possible you should use a stronger hash function, like sha256 or greater.

    You should salt your hash before saving it in the database, and subsequently rebuild the hash the same way for comparison at login.

    Ensure your database column's password field is long enough to hold the entire hash.

    Comments on this post

    • nameless.1 agrees
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
#3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date: Apr 2012
    Posts: 8
    Rep Power: 0

    Originally Posted by ptr2void
    You do not need to escape something you're going to run through (or have run through) sha1.

    If possible you should use a stronger hash function, like sha256 or greater.

    You should salt your hash before saving in the database, and subsequently rebuilding the hash for comparison/login.

    Ensure your database column's password field is long enough to hold the entire hash.
    THANKS for the QUICK and VERY helpful answer!

    You were right. I was so focused on the code itself that I forgot that I made the database table length with only 11 characters.

    I know that sha256/sha512 with some salt is the way to go. Implementing sha512 and salt is what I'm trying to do right now. I was using sha1 just for testing purposes only.

    Thanks again!
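    The advice in post #2 (salt the hash, don't escape hash output, make the column wide enough) and the plan in post #3 (salted hash for storage), shown together as an added example that is not the OP's code or any reply's code. It uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which generate and embed a random salt and do the constant-time comparison, in place of a hand-rolled sha512+salt, and PDO prepared statements in place of mysql_real_escape_string(). The table name, the 255-character column width and the in-memory SQLite demo database are assumptions for the example; on MySQL the column would be declared VARCHAR(255).

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 5.5 and the PDO SQLite
// driver for the self-contained demo; the schema mirrors a MySQL `users` table.

const PASSWORD_COLUMN_WIDTH = 255; // assumed width of users.password

function create_schema(PDO $db)
{
    $db->exec("CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username VARCHAR(64) NOT NULL UNIQUE,
        password VARCHAR(" . PASSWORD_COLUMN_WIDTH . ") NOT NULL
    )");
}

function register_user(PDO $db, $username, $plaintext)
{
    if ($username === '' || $plaintext === '') {
        return 'You must fill in both a username and a password!';
    }
    // password_hash() picks a random salt and stores it inside the returned
    // string, so no separate salt column is needed and nothing is escaped.
    $hash = password_hash($plaintext, PASSWORD_DEFAULT);

    // Guard against the thread's actual bug: a column narrower than the hash
    // is silently truncated by non-strict MySQL, after which no login can match.
    if (strlen($hash) > PASSWORD_COLUMN_WIDTH) {
        throw new RuntimeException('users.password column is too narrow for the hash');
    }

    // Prepared statement: the values never touch the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    try {
        $stmt->execute([':u' => $username, ':p' => $hash]);
    } catch (PDOException $e) {
        return 'Username taken!'; // UNIQUE constraint on username
    }
    return 'Successfully registered!';
}

function login_user(PDO $db, $username, $plaintext)
{
    // Fetch only the stored hash; the comparison happens in PHP, not in SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();

    // password_verify() re-derives the hash with the salt embedded in $stored
    // and compares in constant time; a truncated hash simply fails to verify.
    return $stored !== false && password_verify($plaintext, $stored);
}

// Demo on an in-memory SQLite database (constructed input).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);

echo register_user($db, 'alice', 'correct horse battery'), "\n";
echo register_user($db, 'alice', 'something else'), "\n";
var_dump(login_user($db, 'alice', 'correct horse battery'));
var_dump(login_user($db, 'alice', 'wrong password'));
var_dump(login_user($db, 'nobody', 'correct horse battery'));
```

    Run it with `php example.php`. The second registration is refused by the UNIQUE constraint, the first login verifies and the other two fail, and if PASSWORD_COLUMN_WIDTH were set to 11 the length guard would raise before anything reached the database, which is the check the OP was missing.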
