My ID and password won't login


I’m implementing a student number and password login system for a project management system using PHP and SQL.

I have the encryption (sha1) working in a registration fine but when I try login with the ID and password it won’t login even though the creds are correct…

here’s the code

if (isset($_POST['submit'])) { // Form has been submitted.
		$errors = array();

		// perform validations on the form data
		$required_fields = array('id', 'password');
		$errors = array_merge($errors, check_required_fields($required_fields, $_POST));

		$fields_with_lengths = array('id' => 20, 'password' => 50);
		$errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

		$stu_num = trim(mysql_prep($_POST['id']));
		$password = trim(mysql_prep($_POST['password']));
		$hashed_password = sha1($password);
		if ( empty($errors) ) {
			// Check database to see if ID and the hashed password exist there.
			$query = "SELECT *";
			$query .= "FROM users ";
			$query .= "WHERE id = '{$stu_num}' ";
			$query .= "AND hashed_password = '{$hashed_password}' ";
			$query .= "LIMIT 1";
			$result_set = mysql_query($query);
			if (mysql_num_rows($result_set) == 1) {
				// ID/password authenticated
				// and only 1 match
				$found_user = mysql_fetch_array($result_set);
			} else {
				// ID/password combo was not found in the database
				$message = "ID/password combination incorrect.<br />
					Please make sure your caps lock key is off and try again.";
		} else {
			if (count($errors) == 1) {
				$message = "There was 1 error in the form.";
			} else {
				$message = "There were " . count($errors) . " errors in the form.";

The ID and password are stored in a users table in a DB.

Any help is greatly appreciated.

SHA1 isn’t encryption, it’s a hash routine. It also is too fast to be recommended for use in login systems. Please consider changing to to Bcrypt or pbkdf2.


The mysql_* functions are deprecated and will be removed from PHP in a later version. You should use Mysqli or PDO instead.


In Mysqli or PDO you no longer need to “prep” or escape variables that you’re using in sql queries. You are instead doing something called parameterized queries. I have a PDO tutorial here which gives a quick introduction for this stuff.

Basically this means that instead of

"SELECT * FROM users WHERE id = " . mysql_real_escape_string($userId)

You do

"SELECT * FROM users WHERE id = ?"


This looks like a mess:
[php]$query = “SELECT *”;
$query .= "FROM users ";
$query .= "WHERE id = ‘{$stu_num}’ ";
$query .= "AND hashed_password = ‘{$hashed_password}’ ";
$query .= “LIMIT 1”;[/php]

You could write it like this instead:
[php]$query = “SELECT * FROM users
WHERE id = ?
AND hashed_password = ?
LIMIT 1”;[/php]


For the task at hand, check if $hashed_password in line 13 is the same hash as you have stored in your database.

Got it sorted man. I was using a different type of encryption in the registration than the login. Use sha1 in both and it works perfect…

Sponsor our Newsletter | Privacy Policy | Terms of Service