
Notes:

  • I'm still fairly new to php
  • This login form seems to work perfectly fine if I don't hash the password.
  • I've tried md5, sha256 and now I've left it at sha1. None of these work.
  • I first used echo sha1("password"); to find out what the hash for my password would be; I then copied that hash and pasted it in manually with phpMyAdmin. I'm not sure if this is what the issue is or not.

Anyway, here is the code:

<?php
session_start();
require("config.php");

if(isset($_POST['submit'])) {

    // Escapes the raw input first, then hashes the escaped string. Any password
    // containing ' " \ or similar is altered before sha1() sees it, so the result
    // cannot match a hash that was computed from the unescaped password.
    $username = mysql_real_escape_string($_POST['username']);
    $password = sha1(mysql_real_escape_string($_POST['password']));

    $loginsql = "SELECT * FROM login WHERE username = '" . $username .
    "' AND password = '" . $password . "'";
    $loginresult = mysql_query($loginsql);
    $loginnumrows = mysql_num_rows($loginresult);

    if($loginnumrows == 1) {
        $loginrow = mysql_fetch_assoc($loginresult);
        // session_register() was removed in PHP 5.4 and the mysql_* functions in
        // PHP 7.0; assigning to $_SESSION is all that is needed on current PHP.
        session_register("USERNAME");
        session_register("USERID");

        $_SESSION['USERNAME'] = $loginrow['username'];
        $_SESSION['USERID'] = $loginrow['id'];

        header("Location: " . $config_basedir . "controlpanel.php");
        // Stop the script after the redirect so nothing below it runs.
        exit;
    }
    else{
        echo "<p>Incorrect Login, please try again!</p>";
    }
}
else{
    // Nothing to do when the form has not been submitted.
}
?>

I'm really not too sure where to go with this. I'm sure my code could be more efficient but as I mentioned in the notes, it does work when I don't hash the password. Thank you for reading.

  • How is the password set up in your database? Commented Feb 14, 2012 at 22:02
  • You shouldn't be using mysql_real_escape_string until right before the data is sent to the database. Specifically, sha1(mysql_real_escape_string($_POST['password'])); should be mysql_real_escape_string(sha1($_POST['password']));. We also can't see how the stored password is hashed, so we can't really help you. Try selecting the record and var_dumping your password. Compare this with the value being posted to the server. These are basic debugging steps you should learn to follow. Commented Feb 14, 2012 at 22:03
  • Did you try $password = sha1($_POST['password']); ? No need for mysql_real_escape_string here. Commented Feb 14, 2012 at 22:03
  • When you created the hash in the first place (to insert into the DB), did you also run the text through mysql_real_escape_string? If not, and your password contains special characters, it could get mangled by mysql_real_escape_string. You need to do it the same way both times. Commented Feb 14, 2012 at 22:04
  • Compare the hash in the exact same way it's being inserted into the database in the first place. Commented Feb 14, 2012 at 22:04

4 Answers

This will not work if your password contains any ' or other escapable characters.

$password = sha1(mysql_real_escape_string($_POST['password']));

You should hash first, then escape:

$password = mysql_real_escape_string(sha1($_POST['password']));

And as a SHA1 only contains [a-f0-9], you can as well skip the escaping:

$password = sha1($_POST['password']);

2 Comments

I agree this is the best answer. I noticed he was hashing after escaping.
I forgot to mention it, but I've already tried this and it isn't fixing my problem. Thanks though.

If it works when you don't hash the password, it sounds like your passwords are stored in the database as plaintext - that would be where I would check.

The other thing that might be happening is that mysql_real_escape_string should be used on the other side of the sha1 so it doesn't interfere with the exact input.

So it should be: mysql_real_escape_string(sha1($_POST['password'])); That might change things a bit.

Note: Although sha1 doesn't currently have any known security issues, and so should be safe to put directly into the database without the mysql escape, somebody once told me to always make sure everything that goes into the database is cast or escaped, just in case a security vulnerability is found in something like sha1 or md5.

3 Comments

That is what I thought might be the problem, however I'm not sure how to change that.
I believe they mean it works when they don't hash the password in both places (meaning plaintext in the DB and plaintext lookup).
Sorry, I missed that you had copied a sha1 and put it in the database. I would try echo $password; after it's been through the sha1, then grab the result and insert that into the database and see if it works.

It seems your passwords in the database are not hashed; you need to change that and your sign-up form so that all use the same hash method.

You can change all passwords in the database using MySQL's SHA1() function.



The escaped password is not the same hash as the entered password. The hash will not contain any special characters.

abc' sha1 != escaped abc\' sha1
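To make the point of this answer and the accepted one concrete, here is an added example (not code from the question or from any of the answers) showing that sha1(escape(p)) and sha1(p) diverge exactly when the password contains an escapable character, while escaping the 40-character hex hash afterwards changes nothing. Since mysql_real_escape_string() needs a live MySQL connection, the block uses a stand-in helper, mimic_mysql_escape(), that applies the same substitutions the real function does.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the same seven characters
// (NUL, \n, \r, \, ', ", Ctrl-Z) without needing a database connection.
function mimic_mysql_escape(string $s): string {
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// The order used in the question: escape the raw password, then hash it.
function hash_after_escape(string $password): string {
    return sha1(mimic_mysql_escape($password));
}

// The order the answers recommend: hash first, then escape the hash.
function escape_after_hash(string $password): string {
    return mimic_mysql_escape(sha1($password));
}

// Compare a submitted password against the stored value the way the login
// query does. The stored value is sha1() of the plain password, which is what
// the asker pasted into the table by hand.
function report(string $password): array {
    $stored = sha1($password);
    return [
        'escape_then_hash_matches' => hash_after_escape($password) === $stored,
        'hash_then_escape_matches' => escape_after_hash($password) === $stored,
        // sha1() output is [a-f0-9]{40}, so escaping it is a no-op.
        'escaping_hash_is_noop'    => mimic_mysql_escape($stored) === $stored,
    ];
}

// Constructed sample passwords: one plain, two containing escapable characters.
foreach (["password", "abc'", "pa\\ss\"word"] as $p) {
    printf("%-16s %s\n", var_export($p, true), json_encode(report($p)));
}
```

Only the plain password matches under both orders; for the other two, escape-then-hash fails while hash-then-escape (or no escaping at all) matches the stored hash.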
