Page 1 of 1

Password Encryption problem

Posted: Wed Feb 01, 2012 2:45 pm
by surajrasaq
Hi, please can some1 help me with this? i encrypt every password going in to the database from users registering into my site using sha1(), but whenever a user try to login its given password error even though i try to encrypt the password again from the login form. below is my login code

Code: Select all

<?php require_once('Connections/cn_matrix.php'); ?>
<?php
session_start();
if (isset($_POST['password'])) { $_POST['password'] = sha1($_POST['password']); }
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password= sha1($_POST['password']);
  $MM_fldUserAuthorization = "Adminprv";
  $MM_redirectLoginSuccess = "loginsucced.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_cn_matrix, $cn_matrix);
  	
  $LoginRS__query=sprintf("SELECT username, password, Adminprv FROM user WHERE username=%s AND password=%s",
  GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text")); 
   
  $LoginRS = mysql_query($LoginRS__query, $cn_matrix) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
    
    $loginStrGroup  = mysql_result($LoginRS,0,'Adminprv');
    
	if (PHP_VERSION >= 5.1) {session_regenerate_id(true);} else {session_regenerate_id();}
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;	      

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];	
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:02 pm
by Celauran
surajrasaq wrote:i encrypt every password going in to the database
No you don't. sha1() is a hashing function.

As for the logins not working, what is the field type where the password is stored in the DB?

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:13 pm
by surajrasaq
Thank you for your time, pls if i don't use hashing function whats is the best way to encrypt password, the field type is varchar.

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:17 pm
by Celauran
You want a hash for passwords, not encryption. I was just pointing out the difference.

Varchar is fine, but how long? SHA1 hashes are 40 characters.

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:21 pm
by surajrasaq
ok thank you for pointing out the difference, its varchar(25)

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:24 pm
by Celauran
There's the problem, then. Increase it to varchar(40), resave the (complete) hash, and you should be able to login.

Re: Password Encryption problem

Posted: Wed Feb 01, 2012 3:38 pm
by surajrasaq
:D Thank you very much....everything work perfectly..