Is this code correct?

Hello,

I want to encrypt the password that is submitted in the login form with SHA-512 and a salt. Is this correct? At the moment, when I enter incorrect information and submit, it just loads a blank page, so I'm assuming there is something wrong with my code.

[php]

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
    if (empty($_POST['email']) || empty($_POST['password'])) {
        $error = "Email or Password is invalid";
    } else {
        // Define $email and $password
        $username=$_POST['email'];
        $password=$_POST['password'];
        $salt = "/GTyod58&aw|+fjv93%~\RFewo23fhe^";
        $encryptpass=sha512($salt.$password);
        // To protect MySQL injection for Security purpose
        $email = stripslashes($email);
        $password = stripslashes($password);
        $email = mysql_real_escape_string($email);
        $password = mysql_real_escape_string($password);
        // Establishing Connection with Server by passing server_name, user_id and password as a parameter
        $connection = mysql_connect("localhost", "user", "pass");
        // Selecting Database
        $db = mysql_select_db("database", $connection);
        // SQL query to fetch information of registered users and finds user match.
        $query = mysql_query("select * from adminlogin where password='$encryptpass' AND email='$email'", $connection);
        $rows = mysql_num_rows($query);
        if ($rows == 1) {
            $_SESSION['email']=$email; // Initializing Session
            header("location: test.com/profile.php"); // Redirecting To Other Page
        } else {
            $error = "Email or Password is invalid";
        }
        mysql_close($connection); // Closing Connection
    }
}
?>

[/php]

Well, I'm not going to sugar-coat my reply, so I'll be telling the truth.

You really should be using mysqli or PDO, since mysql is obsolete (I recommend PDO). You really shouldn't be using your own password script. If you have PHP 5.5, use http://php.net/manual/en/function.password-hash.php
If you have PHP 5.x to 5.4, use https://github.com/ircmaxell/password_compat/blob/master/lib/password.php

I don't even use my own password script; I leave it to the experts, for they have to test and re-test their password encryption script over and over again before putting it out to the public. Even then you hear stories of passwords being compromised; Home Depot is in the news for personal credit card information being stolen. Besides, it's more fun to learn the other aspects of PHP such as Object-Oriented Programming, variable variables, referencing, etc. ;D

You can either take my advice or not, but find a good tutorial that uses either mysqli or PDO. It shouldn't be too difficult to find one. :wink:

The short answer is no.

Explained answer,

You are redirected to a blank page with incorrect information because of this:

[php] $error = "Email or Password is invalid";[/php]

You are not printing anything, just assigning the value. You actually have several issues, and I would advise you to look for a more updated tutorial as well. As mentioned, mysql_ functions should not be used. I too recommend PDO; it is the ONLY thing I use.

You should also be using prepared statements. Knowing how you create your SQL, I could delete your database with a single line. There are other preventative measures, but prepared statements come first.

If you want the email out of the database, ask for it and only it, instead of everything. Meaning, don't use this: *

Lastly, but only because you are using the mysql function (also applies to mysqli_ ), close the connection

[php] mysql_close($connection);[/php]

right after you get what you need from the connection. If you redirect, you leave the connection hanging. This can cause issues later.
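Pulling the two replies above together (password_hash()/password_verify() instead of a home-made salt+SHA-512, PDO with prepared statements, selecting only the needed column, closing the connection before the redirect, and actually printing $error), here is the login flow rewritten in full. This is an added example, not code posted in this thread. It assumes PHP 7.0 or later, a table `adminlogin` with columns `email` and `password_hash` (a VARCHAR(255) holding password_hash() output), placeholder DSN/credentials, and `/profile.php` as the post-login page.

```php
<?php
// Added example (not the original poster's code): PDO + prepared statements +
// password_hash()/password_verify(). Assumed schema: adminlogin(email, password_hash).
session_start();

$error = '';

// Exceptions on error, real server-side prepared statements, associative rows.
$pdo = new PDO(
    'mysql:host=localhost;dbname=database;charset=utf8mb4',   // placeholder DSN
    'user',                                                    // placeholder user
    'pass',                                                    // placeholder password
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/**
 * Registration side: store password_hash() output. It picks a random salt per
 * password and embeds algorithm, cost and salt in the returned string, so no
 * hand-rolled salt or sha512() call is needed anywhere.
 */
function registerUser(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO adminlogin (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

/** A throwaway hash so unknown emails take as long to check as known ones. */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Login side: look the user up by email only, fetch only the column we need,
 * then compare with password_verify(). The user input is bound as a parameter,
 * never spliced into the SQL text, so no escaping or stripslashes() is needed.
 */
function verifyLogin(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM adminlogin WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    $storedHash = ($row !== false) ? $row['password_hash'] : dummyHash();
    $ok = password_verify($password, $storedHash) && $row !== false;

    // Transparently upgrade old hashes if PASSWORD_DEFAULT or its cost changed.
    if ($ok && password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE adminlogin SET password_hash = :hash WHERE email = :email');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':email' => $email]);
    }
    return $ok;
}

if (isset($_POST['submit'])) {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    if ($email === '' || $password === '') {
        $error = 'Email or Password is invalid';
    } elseif (verifyLogin($pdo, $email, $password)) {
        $pdo = null;                   // done with the database: release it before redirecting
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['email'] = $email;
        header('Location: /profile.php');   // assumed post-login page
        exit;                          // nothing after a redirect header should run
    } else {
        $error = 'Email or Password is invalid';
    }
}

// The original code only assigned $error and never output it, hence the blank page.
if ($error !== '') {
    echo '<p class="error">' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Two design points worth noting: the error message is deliberately identical for "no such email" and "wrong password", and an unknown email still goes through password_verify() against a dummy hash, so neither the text nor the response time tells an attacker which emails are registered.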

I tried to run your code, but it shows some errors.

I’m going to chime in here…

Firstly, let me reiterate what the guys before me have already said, ditch mysql and use either PDO or MySqli.

Now, the reason for my two pence is purely to balance the argument.
I use mysqli (and only mysqli). The reason for this is that when the change came, back when Noah was on his ark, I found it easier to pick up mysqli as it was very similar to mysql. I've since used PDO but always seem to revert back to mysqli as I'm more comfortable with that.

Try both and make a choice based on what you prefer, as neither is predominantly better than the other. (There was an argument for mysqli having more goodies in the toolbox than PDO, but I'm not sure how relevant that is anymore.)

Just saying…
Red :wink:
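For the "try both" comparison, the same email lookup done with mysqli prepared statements instead of PDO. This is an added example, not Red's code or anything posted in the thread; it assumes the same `adminlogin(email, password_hash)` table, placeholder credentials, and PHP 7.0 or later. The shape differs from PDO mainly in the `?` placeholders and the explicit bind_param()/bind_result() calls.

```php
<?php
// Added example (not code from the thread): mysqli prepared-statement lookup.
// Assumed schema: adminlogin(email, password_hash), hash from password_hash().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on any error

$db = new mysqli('localhost', 'user', 'pass', 'database');  // placeholder credentials
$db->set_charset('utf8mb4');

function verifyLoginMysqli(mysqli $db, string $email, string $password): bool
{
    // '?' placeholder: the email value is sent separately from the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM adminlogin WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);          // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($storedHash);         // map the single selected column to a variable
    $found = $stmt->fetch();                 // true if a row came back, null if none
    $stmt->close();

    if (!$found) {
        return false;                        // unknown email
    }
    return password_verify($password, $storedHash);
}

$ok = verifyLoginMysqli($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
$db->close();   // release the connection before any redirect, as advised above
```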
