-1

How would I go about adding a function that checks the db for the user's sha1 password value?

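<?php
//processlogin.php

session_start();
require('config.php'); // assumed to open the mysql_* connection used below

$username = $_POST['username'];
$password = $_POST['password'];

$username = stripslashes($username);
$password = stripslashes($password);
// Escape the username before it is placed inside the SQL string
$username = mysql_real_escape_string($username);
$hashedpassword = sha1($password);
$sql = "select * from users where username = '$username' and password = '$hashedpassword' ";
$result = mysql_query($sql) or die ( mysql_error() );
$count = mysql_num_rows($result);

if ($count == 1) {
     // Fetch the matched row so its columns can be copied into the session
     $row = mysql_fetch_assoc($result);
     $_SESSION['loggedIn'] = "true";
     $_SESSION['username'] = $row['username'];
     $_SESSION['email'] = $row['email'];
     header("Location: welcome.php");
     exit; // stop the script once the redirect header is sent
} else {
     $_SESSION['loggedIn'] = "false";
     header("Location: error.php");
     exit;
}

?>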

I am pretty new to PHP, so sorry if this is a simple answer :)

Terminator
  • 11
  • 1
  • Don't use SHA1 - it's easy to brute force, especially with modern hardware. Use stronger algorithms such as bcrypt. See: [How should I ethically approach user password storage for later plaintext retrieval?](http://stackoverflow.com/questions/2283937/) – Amal Murali Jan 26 '14 at 14:12
  • Have you tried something, googled it?? – Gert B. Jan 26 '14 at 14:12
  • I've updated my code, I don't see what I'm doing wrong, the if($count==1) condition is failing – Terminator Jan 26 '14 at 15:34

1 Answer

0

In PHP there is a sha1() function already. So it's as simple as calling this function:
// Strict comparison (===) so two different hash strings are never treated as equal numbers
if (sha1($userInput) === $yourStoredPassword) {
    // The password is correct
}
But remember that sha1 without any salt is not a very secure hashing solution.

Andre Polykanine
  • 3,085
  • 15
  • 28
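
Picking up the comment and the answer's caveat about SHA-1: the following is an added example, not code from the question or the answer, of the same login check done with a bound query parameter and bcrypt, where a row that still holds an unsalted SHA-1 hash is verified once and then re-hashed. The table layout, the sample users and the `checkLogin` helper are constructed for illustration, and an in-memory SQLite database (pdo_sqlite) is assumed in place of the real `users` table.

```php
<?php
// Added example. Schema, rows and checkLogin() are constructed for illustration;
// an in-memory SQLite database (pdo_sqlite) stands in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password TEXT)');

// Constructed sample users: alice still has a legacy SHA-1 hash, bob has bcrypt.
$ins = $db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.com', sha1('correct horse')]);
$ins->execute(['bob', 'bob@example.com', password_hash('hunter2!', PASSWORD_BCRYPT)]);

// Returns the user row (without the hash) on success, false otherwise.
function checkLogin(PDO $db, string $username, string $password)
{
    // Bound parameter: the username is sent as data, never as part of the SQL text.
    $stmt = $db->prepare('SELECT username, email, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];
    // A 40-character hex string is treated as a legacy sha1() value.
    $isLegacy = preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
    $ok = $isLegacy ? hash_equals($stored, sha1($password))
                    : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    // The plaintext is only available at login, so this is the point to upgrade the hash.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $row['username']]);
    }
    unset($row['password']);
    return $row;
}

var_dump(checkLogin($db, 'alice', 'wrong password') !== false);
var_dump(checkLogin($db, 'alice', 'correct horse') !== false);
var_dump(checkLogin($db, 'bob', 'hunter2!') !== false);

// After alice's successful login her stored value is no longer a SHA-1 hash.
$hash = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']);
```

`password_hash()` generates and embeds a per-user salt, so the `password` column needs room for the longer value (60 characters for bcrypt) rather than the 40 that SHA-1 used.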