PHP Development
 
  #1  
April 29th, 2012, 11:31 AM
nameless.1
Need a little help

Hi to all,

I'm trying to write a registration/login system but I seem to have an error I cannot find.

I'm using sha1 encryption for the password. The registration works like a charm. It inserts the user's info + the encrypted password without any errors.
BUT when I try to login it doesn't work. The thing is that when I remove the encryption (from the registration and the login), I can register and login just fine.

Does anyone have any ideas?

I am using Aptana Studio 3 and XAMPP 1.7.7

Here are the codes:

REGISTRATION:

Code:
<?php
include('config.php');

if($_SERVER['REQUEST_METHOD'] == 'POST'){
	$username = mysql_real_escape_string($_POST['username']);
	// Keep the raw password for the empty check: sha1('') is still a 40-character string, so the hash is never empty.
	$raw_password = $_POST['password'];
	$password = mysql_real_escape_string(sha1($raw_password));

	if(empty($username)){
		echo("You must fill in a username!");
	}else{
		if($raw_password === ''){
			echo("You must fill in a password!");
		}else{
			// Reject the registration if the username already exists.
			$query = mysql_query("SELECT * FROM users WHERE username='$username'");
			$rows = mysql_num_rows($query);
			if($rows > 0){
				die("Username taken!");
			}else{
				$user_input = mysql_query("INSERT INTO users (username, password) VALUES ('$username' , '$password')");
				echo "Successfully registered!";
			}
		}
	}
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<title>Register</title>
	</head>
	<body>
		<form action="register.php" method="post">
		Username: <input type="text" name="username" /><br />
		Password: <input type="password" name="password" /><br />
		<input type="submit" value="Register!" />
		</form>
	</body>
</html>


and here is the LOGIN:

Code:
<?php
include('config.php');

if($_SERVER['REQUEST_METHOD'] == 'POST'){
	// Start the session before any output so the session cookie header can still be sent.
	session_start();
	$username = mysql_real_escape_string($_POST['username']);
	$password = mysql_real_escape_string(sha1($_POST['password']));

	// Look for a row matching both the username and the password hash.
	$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
	$query_rows = mysql_num_rows($query);

	if($query_rows > 0){
		echo "Successful login!";
		$_SESSION['login'] = "1";
	}else{
		echo "Bad login!";
	}
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
	<head>
		<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
		<title>Login</title>
	</head>
	<body>
		<form action="login.php" method="post">
		Username: <input type="text" name="username" /><br />
		Password: <input type="password" name="password" /><br />
		<input type="submit" value="Login!" />
		</form>
	</body>
</html>



Thanks in advance!

  #2  
April 29th, 2012, 12:09 PM
ptr2void
You do not need to escape something you're going to run through (or have run through) sha1.

If possible you should use a stronger hash function, like sha256 or greater.

You should salt your hash before saving in the database, and subsequently rebuilding the hash for comparison/login.

Ensure your database column's password field is long enough to hold the entire hash.
Comments on this post
nameless.1 agrees!
  #3  
April 29th, 2012, 12:30 PM
nameless.1
Quote:
Originally Posted by ptr2void
You do not need to escape something you're going to run through (or have run through) sha1.

If possible you should use a stronger hash function, like sha256 or greater.

You should salt your hash before saving in the database, and subsequently rebuilding the hash for comparison/login.

Ensure your database column's password field is long enough to hold the entire hash.


THANKS for the QUICK and VERY helpful answer!

You were right. I was so focused on the code itself that I forgot that I made the database table length with only 11 characters.

I know that sha256/sha512 with some salt is the way to go. Implementing sha512 and salt is what I'm trying to do right now. I was using sha1 just for testing purposes only.

Thanks again!

Reply With Quote
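The failure diagnosed in this thread (a 40-character sha1 hash stored in an 11-character column) and the salted-hash advice from post #2, as an added example that is not part of any poster's code. It assumes PHP 7 or later; `store_in_column()`, `make_password_record()`, `verify_password_record()` and `report()` are hypothetical helpers, the `salt$hash` storage format is an assumption, and the password is a constructed sample.

```php
<?php
// Added example; every value below is constructed and no database is used.

// What a non-strict MySQL column of width $len does to a longer value: silent truncation.
function store_in_column($value, $len) {
    return substr($value, 0, $len);
}

// Per-user random salt plus SHA-512, stored as "salt$hash" (hypothetical format).
function make_password_record($password) {
    $salt = bin2hex(random_bytes(16));               // 32 hex characters
    return $salt . '$' . hash('sha512', $salt . $password);
}

// Rebuild the hash from the stored salt and compare in constant time.
function verify_password_record($password, $record) {
    $parts = explode('$', $record, 2);
    if (count($parts) !== 2) {
        return false;                                // salt or hash missing
    }
    list($salt, $expected) = $parts;
    return hash_equals($expected, hash('sha512', $salt . $password));
}

function report($label, $ok) {
    echo str_pad($label, 44), $ok ? "login succeeds" : "login fails", "\n";
}

$password = 'correct horse battery';                 // constructed sample password

// The thread's bug: the login query compares the full hash with its truncated copy.
$sha1 = sha1($password);
echo "sha1 hex length: ", strlen($sha1), "\n";
report('sha1 in an 11-character column:', store_in_column($sha1, 11) === $sha1);
report('sha1 in a 40-character column:', store_in_column($sha1, 40) === $sha1);

// Salted SHA-512: size the column from the record, then verify by rebuilding the hash.
$record = make_password_record($password);
$needed = strlen($record);
echo "salted record length: ", $needed, "\n";
report('salted record, column wide enough:',
    verify_password_record($password, store_in_column($record, $needed)));
report('salted record, 64-character column:',
    verify_password_record($password, store_in_column($record, 64)));
report('wrong password:', verify_password_record('not the password', $record));
```

On PHP 5.5 and later, `password_hash()` and `password_verify()` generate the salt themselves and use a deliberately slow algorithm, which a single fast SHA-512 pass does not; the PHP manual recommends a 255-character column for their output.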