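<?php
// $con (the mysqli connection), session_start() and test_input() come from parts of the file not shown in the post.
if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['login']) && $_POST['login'] == 'Login') {

        $email = test_input($_POST['lemail']);
        $password = test_input($_POST['lpassword']);
        // The database holds the SHA-1 hash of the password, so hash the input the same way before comparing.
        $passw = sha1($password);

        // Bind the values as parameters instead of concatenating them into the SQL string.
        $stmt = mysqli_prepare($con, "select admin_id,admin_email,admin_password from admin
        where admin_email = ? and admin_password = ?");
        mysqli_stmt_bind_param($stmt, "ss", $email, $passw);
        mysqli_stmt_execute($stmt);
        $sql = mysqli_stmt_get_result($stmt);
        $row = mysqli_fetch_array($sql);
        if (mysqli_num_rows($sql) == 1) {
            $_SESSION['admin_id'] = $row['admin_id'];
            $_SESSION['admin_email'] = $row['admin_email'];
        } else {
            echo '<center><span class="displayerror">Invalid User Name and Password Combination</span></center>';
        }
}
?>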

<!------------------------------------------///login code------------------------------------------------->

<h3 class="text-center" style="color:#666666;">
Admin Login
</h3>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<label for="inputEmail" >Email</label>
<input type="email"  id="inputEmail" name="lemail"/>
<div id="login_email_error" class="displayerror"></div>
<label for="inputPassword" >Password</label>
<input type="password" id="inputPassword" name="lpassword"/>
<div id="login_password_error" class="displayerror"></div>
<label><input type="checkbox" /> Remember me</label>
<input type="submit" value="Login" name="login" id="submit_login">
</form>

All 3 Replies

There is no way to decrypt MD5/sha1. Well, there is, but no reasonable way to do it. That's kind of the point.

To check if someone is entering the correct password, you need to MD5/sha1 whatever the user entered, and see if it matches what you have in the database.

But if I need to send the password to the user on forgot password, how do I do it?

Instead, either...

  1. Generate a new password, hash that, store the new password hash in place of the old one, and email the newly generated password to the user.

  2. Generate a new password, hash it, store it in a field for temporary passwords, and then when the user logs in with that password, prompt them to enter a permanent new password.

  3. Generate a nonce, store it in a field for the nonce, and email the user a link with that nonce which will give them access to a page to enter a new password.

The third option is probably the best all around, since it doesn't leave an actual password (temporary or not) in plain view to someone reading the user's email, and since it utilizes a nonce, once it has been used it can't be used again by a malicious user.

The reason hashing is used for passwords is specifically to prevent them from being stored in a form where a malicious user could determine the password simply by looking at the database.
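The nonce flow from option 3 above, as an added example that is not part of the original thread: the nonce is random, only its hash is stored, it expires, and one atomic UPDATE both checks and clears it so it cannot be reused. The `reset_hash` and `reset_expires` columns, the addresses and the in-memory SQLite database (standing in for the site's MySQL database) are assumptions, and the new password is stored with `password_hash()` rather than the thread's `sha1()`.

```php
<?php
// Added example: single-use password-reset nonce.
// Assumed schema: the admin table gains reset_hash and reset_expires columns (hypothetical names).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (admin_id INTEGER PRIMARY KEY, admin_email TEXT,
           admin_password TEXT, reset_hash TEXT, reset_expires INTEGER)');
// Constructed sample row.
$db->exec("INSERT INTO admin (admin_email, admin_password)
           VALUES ('admin@example.test', 'constructed-old-hash')");

// Step 1: create the nonce, store only its hash, and return the raw value for the emailed link.
function issue_reset_nonce(PDO $db, string $email, int $ttl = 900): ?string {
    $nonce = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('UPDATE admin SET reset_hash = ?, reset_expires = ?
                          WHERE admin_email = ?');
    $stmt->execute([hash('sha256', $nonce), time() + $ttl, $email]);
    // null means no such account; show the visitor the same message either way.
    return $stmt->rowCount() === 1 ? $nonce : null;
}

// Step 2: the page behind the link sets the new password and clears the nonce in one statement.
function redeem_reset_nonce(PDO $db, string $nonce, string $newPassword): bool {
    $stmt = $db->prepare('UPDATE admin
                          SET admin_password = ?, reset_hash = NULL, reset_expires = NULL
                          WHERE reset_hash = ? AND reset_expires >= ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT),
                    hash('sha256', $nonce), time()]);
    // Zero rows updated: the nonce is unknown, expired, or already used.
    return $stmt->rowCount() === 1;
}

$nonce = issue_reset_nonce($db, 'admin@example.test');
echo "Emailed link: https://example.test/reset.php?nonce=$nonce\n";
var_dump(redeem_reset_nonce($db, $nonce, 'new-constructed-password')); // first use of the nonce
var_dump(redeem_reset_nonce($db, $nonce, 'second-attempt'));           // replay of the same nonce
var_dump(issue_reset_nonce($db, 'nobody@example.test'));               // address with no account
```

Because the database holds only the SHA-256 of the nonce, reading the table does not yield a usable reset link.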
