My ID and password won't login

Security and PHP
#1

Hi.

I’m implementing a student number and password login system for a project management system using PHP and SQL.

I have the encryption (sha1) working in a registration fine but when I try login with the ID and password it won’t login even though the creds are correct…

here’s the code

if (isset($_POST['submit'])) { // Form has been submitted.
		$errors = array();

		// perform validations on the form data
		$required_fields = array('id', 'password');
		$errors = array_merge($errors, check_required_fields($required_fields, $_POST));

		$fields_with_lengths = array('id' => 20, 'password' => 50);
		$errors = array_merge($errors, check_max_field_lengths($fields_with_lengths, $_POST));

		$stu_num = trim(mysql_prep($_POST['id']));
		$password = trim(mysql_prep($_POST['password']));
		$hashed_password = sha1($password);
		
		if ( empty($errors) ) {
			// Check database to see if ID and the hashed password exist there.
			$query = "SELECT *";
			$query .= "FROM users ";
			$query .= "WHERE id = '{$stu_num}' ";
			$query .= "AND hashed_password = '{$hashed_password}' ";
			$query .= "LIMIT 1";
			$result_set = mysql_query($query);
			confirm_query($result_set);
			if (mysql_num_rows($result_set) == 1) {
				// ID/password authenticated
				// and only 1 match
				$found_user = mysql_fetch_array($result_set);
				redirect_to("student_content.php");
			} else {
				// ID/password combo was not found in the database
				$message = "ID/password combination incorrect.<br />
					Please make sure your caps lock key is off and try again.";
			}
		} else {
			if (count($errors) == 1) {
				$message = "There was 1 error in the form.";
			} else {
				$message = "There were " . count($errors) . " errors in the form.";
			}
		}

The ID and password are stored in a users table in a DB.

Any help is greatly appreciated.

#2

SHA1 isn’t encryption, it’s a hash routine. It also is too fast to be recommended for use in login systems. Please consider changing to to Bcrypt or pbkdf2.

[hr]

The mysql_* functions are deprecated and will be removed from PHP in a later version. You should use Mysqli or PDO instead.

[hr]

In Mysqli or PDO you no longer need to “prep” or escape variables that you’re using in sql queries. You are instead doing something called parameterized queries. I have a PDO tutorial here which gives a quick introduction for this stuff.

Basically this means that instead of

"SELECT * FROM users WHERE id = " . mysql_real_escape_string($userId)

You do

"SELECT * FROM users WHERE id = ?"

[hr]

This looks like a mess:
[php]$query = “SELECT *”;
$query .= "FROM users ";
$query .= "WHERE id = ‘{$stu_num}’ ";
$query .= "AND hashed_password = ‘{$hashed_password}’ ";
$query .= “LIMIT 1”;[/php]

You could write it like this instead:
[php]$query = “SELECT * FROM users
WHERE id = ?
AND hashed_password = ?
LIMIT 1”;[/php]

[hr]

For the task at hand, check if $hashed_password in line 13 is the same hash as you have stored in your database.

#3

Got it sorted man. I was using a different type of encryption in the registration than the login. Use sha1 in both and it works perfect…

Sponsor our Newsletter | Privacy Policy | Terms of Service