Member Avatar for klemme

Hi,

I am using sha1 for a registration form like this:

if($_POST['pass1']==$_POST['pass2']){
$password = sha1(mysqli_real_escape_string($connection, $_POST['pass1']));
}
// This inserts an encrypted row in the DB, and works fine

When i want to log in, well I cant login..This is the script:

$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = sha1(mysqli_real_escape_string($connection, $_POST['password']));

$sql=("SELECT id, email, username FROM users WHERE email='$email' AND pass='$password' LIMIT 1");
$result=mysqli_query($connection, $sql);
$found_user = mysqli_fetch_array($result);
// Mysql_num_row tæller rækkerne
$count=mysqli_num_rows($result);
// HVIS $result matchede $email $password, table row must be 1 row

if($count==1){
// Register $email, $password and redirect to file "../index.php"
session_regenerate_id['id']; // IS THIS CORRECT?
$_SESSION['username'] = $found_user['username'];
$_SESSION['id'] = $found_user['id'];
header("location:../index.php");
exit();
	}
}

I thought i could tjeck the user input in the login form, and then sha1 the password, and check it against the registered sha1 password, that lies in the DB. But It doesn log me in.

If I remove the sha1, I can log in without any problem. So the problem lies in my way of comparing/retrieving the value from the login form, and make it "sha1-looking", and then test it.

What am I missing...?

Not working in login script:

// Beskyt imod mysql injection OG lav sha1 encryption på password
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = sha1(mysqli_real_escape_string($connection, $_POST['password']));

$sql=("SELECT id, email, username FROM users WHERE email='$email' AND pass='$password' LIMIT 1");
  • 4 Contributors
  • 6 Replies
  • 625 Views
  • 8 Hours Discussion Span
  • Latest Post Latest Post by migcosta

Recommended Answers

All 6 Replies

Member Avatar for pritaeas

What datatype is your password column in the db ? It could be too small to hold the encrypted password. Perhaps the data is truncated when you insert it.

Member Avatar for klemme

I think that you hit the nail spot on, thats rude!

I changed it to md5, with the exact samt syntax, and it was working.

Just checked the DB, and the column is set to: varchar32, so surely thats why..

Do you know the "big difference between md5 and sha1, other than its known to be more secure."

In some cases, is it an overkill to use sha1? Or is md5 simply just not really secure to use?

Edited by klemme because: n/a
Member Avatar for klemme

Sweet, ill take a look at the page later!

Cheers

Member Avatar for klemme

I can see on your site, as expected that the lengths differs between the encrypted data.

Would you suggest a specific one, or a few that would be "okay", for a site offering SEO, where its simply a backend where the admin can update the content of his site.

Is it too much with sha1, sha256?

I guess it can never be too much really, too secure.

Just an outside opinion is what im looking for.

What do you guys normally use for these kind of pages, where there is no trade going on, no credit card informations etc etc. just a page which outputs its services?

Member Avatar for migcosta

klemme...
a sha1 "returned value is a 40-character hexadecimal number" so varchar 40 for sha1 and md5 varchar 32 :)

For me md5 is safer but.. you never know.. :) so I always had a small identifier / garbage on the password to make the encryption a little bit "safer" :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.