
How would I go about comparing SHA1? What I thought was correct is wrong. Any help on this would be sweet, thanks :) I don't understand why this isn't working.

<?php
//processlogin.php

session_start();
require('config.php');

$username = $_POST['username'];
$password = $_POST['password'];

// stripslashes() only undoes magic_quotes; it is not SQL escaping, so
// $username and $password still reach the query unescaped (injectable).
$username = stripslashes($username);
$password = stripslashes($password);
// Unsalted SHA-1 hex digest of the submitted password, compared against the stored column.
$hashedpassword = sha1($password);
$sql = "select * from users where username = '$username' and password = '$hashedpassword' ";
// die(mysql_error()) echoes the raw database error to the browser.
$result = mysql_query($sql) or die ( mysql_error() );
$count = mysql_num_rows($result);
// mysql_fetch_row() returns a numerically indexed array, so $row['username']
// below would be undefined; mysql_fetch_assoc() keys the row by column name.
$row = mysql_fetch_assoc($result);
if ($count == 1) {
     $_SESSION['loggedIn'] = "true";
     $_SESSION['username'] = $row['username'];
     $_SESSION['email'] = $row['email'];
     header("Location: welcome.php");
} else {
     $_SESSION['loggedIn'] = "false";
     header("Location: error.php");
}
exit; // header() does not end the script; stop here so nothing runs after the redirect

?>
Terminator
    The `$row` is not at all defined anywhere. You need to grab the resultset and push it to the `$row` – Shankar Narayana Damodaran Jan 26 '14 at 15:53
  • Marginal issue, SHA1 for password hashes is becoming rather weak (particularly if not salted). Not as broken as MD5, but still weak. Use PBKDF2 instead (or SHA2/SHA3 if not available). Also, `stripslashes` is not enough for sanitizing the input data, you are vulnerable to SQL injections. Use PDO or mysqli, not `mysql_*` functions, which are deprecated. – Stefano Sanfilippo Jan 26 '14 at 15:59
  • // added at 11:09am -1/26: $row = mysql_fetch_row($result); – Terminator Jan 26 '14 at 16:09
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**pink box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – h2ooooooo Jan 26 '14 at 16:13

1 Answer


You save the password hash in the DB, and then compare it to this. Or you load the password for the username you have, hash it, and then compare it to the inputted one!

Roberto Anić Banić
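A hardened processlogin.php that follows the answer's second approach (load the stored hash for the submitted username, then compare it in PHP rather than in the WHERE clause), added here as an example; it is not code from the question or the answer. It assumes config.php provides a PDO connection in `$pdo` and that the `users` table has `username`, `email` and `password` columns; both are assumptions. The stored value may be either a legacy unsalted SHA-1 hex digest, as in the question, or a `password_hash()` string; legacy rows are compared with `hash_equals()` and rewritten with `password_hash()` on a successful login, so the table migrates itself.

```php
<?php
// processlogin.php, hardened version (added example, not the asker's code).
declare(strict_types=1);

session_start();
require 'config.php'; // assumption: defines $pdo (a PDO instance)

/**
 * Look up the user by name and verify the submitted password against the
 * stored hash. Returns the user row without the hash on success, null on failure.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the username is bound as a parameter, never
    // interpolated into the SQL string, so stripslashes()/manual quoting is
    // unnecessary and SQL injection through this field is not possible.
    $stmt = $pdo->prepare(
        'SELECT username, email, password FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown user; caller reports a generic failure
    }

    $stored = $row['password'];
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // Legacy row: 40 hex chars is what sha1() produced in the original
        // schema (assumption). Compare in constant time instead of == so the
        // comparison does not leak how many leading characters matched.
        $ok = hash_equals($stored, sha1($password));
        if ($ok) {
            // Upgrade the row to a salted, slow hash now that we have the
            // plaintext; the next login takes the password_verify() branch.
            $upd = $pdo->prepare(
                'UPDATE users SET password = :h WHERE username = :u'
            );
            $upd->execute([
                ':h' => password_hash($password, PASSWORD_DEFAULT),
                ':u' => $username,
            ]);
        }
    } else {
        // Modern row written by password_hash(): salt and cost are embedded
        // in the string, password_verify() handles the comparison.
        $ok = password_verify($password, $stored);
    }

    if (!$ok) {
        return null;
    }
    unset($row['password']); // never keep the hash in the session
    return $row;
}

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

$user = authenticate($pdo, $username, $password);
if ($user !== null) {
    session_regenerate_id(true); // new session id on login prevents session fixation
    $_SESSION['loggedIn'] = true;
    $_SESSION['username'] = $user['username'];
    $_SESSION['email']    = $user['email'];
    header('Location: welcome.php');
} else {
    // Same redirect for a bad username and a bad password: the response
    // should not tell an attacker which of the two was wrong.
    $_SESSION['loggedIn'] = false;
    header('Location: error.php');
}
exit; // header() does not stop execution; nothing may run after the redirect
```

The original query put the hash into the WHERE clause, so a typo in the column name or an unescaped quote in `$username` silently turned into "no rows" or, worse, "every row". Fetching by username alone and comparing in PHP keeps the decision in one place that can be read and tested. `hash_equals()` needs PHP 5.6 and `password_hash()`/`password_verify()` need PHP 5.5; on anything older, use PBKDF2 via `hash_pbkdf2()` as the comment above suggests, but still compare with a constant-time function.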