Hello, I just coded a login script. Now I want to add "sha1" to my code for security reasons, but it's showing an invalid login error. I don't know the reason, but when I use this without "sha1" it's working fine. I want to secure the password in the database. Please help, what am I doing wrong?

here is my code for login.php:

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{

// username and password sent from Form
$myusername=addslashes($_POST['username']);
$mypassword=addslashes($_POST['password']);

$sql="SELECT * FROM admin WHERE username='$myusername' AND passcode='.sha1[$mypassword]' ";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
{
$_SESSION["myusername"];
$_SESSION['login_user']=$myusername;

header("location: welcome.php");
}
else
{
echo "Your Login Name or Password is invalid";
}
}
?>
<form action="" method="post">
<label>UserName :</label> <input type="text" name="username"/><br />
<label>Password :</label> <input type="password" name="password"/><br/>
<input type="submit" value=" Submit "/><br />
</form>

And here is my code for insert.php:

<?php
$con=mysqli_connect("localhost","root","Bhawanku","members");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$hash_key=sha1($_POST['password']);
$sql="INSERT INTO admin
VALUES
('', '$_POST[username]','$hash_key')";

if (!mysqli_query($con,$sql))
{
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?> 

Last Post by Bob Hensley

Line 11 looks weird with the SHA1 function.

$sql="SELECT * FROM admin WHERE username='$myusername' AND passcode='.sha1[$mypassword]' ";

//should be

$sql="SELECT * FROM admin WHERE username='".mysql_real_escape_string($myusername)."' AND passcode='".sha1(mysql_real_escape_string($mypassword))."' ";

Edited by Szabi Zsoldos: mysql_real_escape_string

I'm confused on why you're using MySQLi in your insertion script, yet the original and long-since dropped, but now officially deprecated, MySQL extension. Using the original MySQL extension is incredibly inappropriate these days. You have some MySQLi usage in your project; standardize on it and take advantage of parameterized statements.
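
Added example (not code from the thread or its posters): the MySQLi parameterized-statement approach suggested in the last reply, applied to the `admin` table, `members` database and `welcome.php` redirect from the question. It swaps `sha1()` for PHP's built-in `password_hash()`/`password_verify()`; the column names `username` and `passcode` come from the question, while the `VARCHAR(255)` width for `passcode`, the function names and the connection credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes admin(username, passcode)
// with passcode wide enough for password_hash() output (VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: store a new admin account.
function add_admin(mysqli $con, string $username, string $password): void
{
    // Hash the raw password; never escape or alter it before hashing,
    // or the value checked at login will not match the one stored here.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare("INSERT INTO admin (username, passcode) VALUES (?, ?)");
    $stmt->bind_param("ss", $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// Hypothetical helper: true only if the user exists and the password matches.
function check_login(mysqli $con, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so no addslashes()
    // or mysql_real_escape_string() call is needed.
    $stmt = $con->prepare("SELECT passcode FROM admin WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true = row fetched, null = no such user
    $stmt->close();
    // Verify in PHP: each hash carries its own salt, so SQL cannot compare it.
    return $found === true && password_verify($password, $hash);
}

if (($_SERVER["REQUEST_METHOD"] ?? "") === "POST") {
    session_start();
    // Placeholder credentials; substitute your own connection settings.
    $con = new mysqli("localhost", "db_user", "db_password", "members");
    if (check_login($con, $_POST["username"] ?? "", $_POST["password"] ?? "")) {
        session_regenerate_id(true);           // fresh session id after login
        $_SESSION["login_user"] = $_POST["username"];
        header("Location: welcome.php");
        exit;                                   // stop output after redirect
    }
    echo "Your Login Name or Password is invalid";
}
```

Rows written earlier with `sha1()` will not verify against `password_verify()`; those accounts need their passwords set again through `add_admin()`.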
