That was me, I believe.
You've got the general idea. I'm not certain if all three scripts shown in that post are to be put together into one script or not; you want to read that thread again, and at the top there is a link to a demo page where you can download a sha256.zip file with the appropriate script in it.
Make sure you wrap all string data headed towards the database in quotes, e.g.
Code:
mysql_query("INSERT .... VALUES(...,'$pass',...)");
I'm not sure if this was just a quick example or if you expect this to work:
Code:
$pass=$_POST['password']
$pass=SHA256::hash($pass,hex)
$realpass = mysql_query("SELECT pass FROM database where username=$_POST['username]");
if $pass==$realpass{
//show user panel
}
You've got a problem with that script, aside from the missing semicolons and forgetting to wrap that data in quotes as well - mysql_query() will not retrieve the data for you, it only performs the query and returns a MySQL Result resource if successful. You have to then use one of the functions meant to fetch data based on that resource, in this case I'd use mysql_result().
You also want to make sure you validate and escape the username to avoid SQL injection or other problems. At the very least use mysql_real_escape_string() on any data headed towards the database.
Typically you'd pass the password value along with the username to validate a user, e.g.
Code:
if ( !empty($_POST['username']) && !empty($_POST['password']) ) {
// further validation here, escape data using mysql_real_escape_string(), etc
// you wind up with two variables, $cleanUsername and $cleanPassword
// the SQL statement
$sql= "SELECT ID FROM userTable WHERE username= '$cleanUsername' AND password= '$cleanPassword'";
// the query
$result= mysql_query($sql);
// check the number of records returned, we must have exactly 1 to match the user
if ( mysql_num_rows($result) == 1 ) {
// log the user in, redirect, etc
} else {
// there were either 0 records, no match or more than 1 record, bad bad bad
// show an error message, redirect, etc
}
}
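The same register-then-login flow as an added, stand-alone example (not code from this thread or from the sha256.zip script). It keeps the thread's hex SHA-256 password hash so the stored values stay compatible, but replaces string-spliced SQL plus mysql_real_escape_string() with mysqli prepared statements, so the username and hash are sent as bound parameters and never become part of the SQL text. The table name userTable with columns ID, username and password, the connection credentials, and the helper function names are assumptions for the example.

```php
<?php
// Added example, not from the original post. Assumes a table
// userTable(ID, username, password) and constructed DB credentials.

function hashPassword(string $plain): string
{
    // Hex SHA-256, the same value the thread's SHA256::hash($pass, hex) yields.
    // Unsalted SHA-256 is fast to brute-force offline; for new code prefer
    // password_hash()/password_verify() (PHP >= 5.5), which salt and stretch.
    return hash('sha256', $plain);
}

function registerUser(mysqli $db, string $username, string $password): bool
{
    // Placeholders instead of '$cleanUsername' quoting: the driver sends the
    // values separately from the statement, so quotes in the input cannot
    // terminate the string literal.
    $stmt = $db->prepare('INSERT INTO userTable (username, password) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $hash = hashPassword($password);
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Returns the user's ID on a single exact match, null otherwise
// (0 rows, more than 1 row, or a failed query are all treated as "not logged in").
function authenticateUser(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT ID FROM userTable WHERE username = ? AND password = ?');
    if ($stmt === false) {
        return null;
    }
    $hash = hashPassword($password);
    $stmt->bind_param('ss', $username, $hash);
    if (!$stmt->execute()) {
        $stmt->close();
        return null;
    }
    // store_result() is required before num_rows is meaningful on a prepared statement.
    $stmt->store_result();
    if ($stmt->num_rows !== 1) {
        $stmt->close();
        return null;
    }
    // mysqli, like mysql_query(), does not hand back the row by itself;
    // bind the output column and fetch it explicitly.
    $stmt->bind_result($id);
    $stmt->fetch();
    $stmt->close();
    return (int) $id;
}

if (!empty($_POST['username']) && !empty($_POST['password'])) {
    // Constructed credentials; replace with your own.
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
    if ($db->connect_error) {
        exit('database unavailable');
    }
    // A username such as  ' OR '1'='1  arrives as data here and matches nothing,
    // whereas spliced into "WHERE username='$u'" it would rewrite the query.
    $userId = authenticateUser($db, $_POST['username'], $_POST['password']);
    if ($userId !== null) {
        // log the user in, redirect, etc
    } else {
        // no match, or more than one record: show an error, redirect, etc
    }
}
```

The exact-one-row check from the post is preserved in authenticateUser(); the difference is only where the quoting happens (in the driver rather than in your string), which is what removes the injection risk the post warns about.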