-3

I am making a registration page and I used sha1() to encrypt my passwords upon registration. I check my tables and the passwords are encrypted but when I try logging in, the password is considered invalid. I was wondering if someone could check the login code for it? I am aware that sha1() is unsuitable for password encryption but I haven't learnt better encryption methods yet and this is considered enough for our assignment.

Registration code:

<?php
if (!empty($_POST) && !empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['email'])) { 

  $username = strip_tags($_POST['username']);
  $password = strip_tags($_POST['password']);
  $email = strip_tags($_POST['email']);
  $username = mysqli_real_escape_string($db, $username);
  $password = mysqli_real_escape_string($db, $password);
  $email = mysqli_real_escape_string($db, $email);
  $passwordhash = sha1($_POST["password"]);

  $query = "SELECT COUNT(*) AS count FROM login_details WHERE Username = '".$username."'";
  $result = $db->query($query);
  $data = $result->fetch_assoc();

  if ($data['count'] > 0) {

    echo "<p>Username taken!</p>";

  } else {

    $query = "INSERT INTO login_details (Username, Password, Email) VALUES ('".$username."','".$passwordhash."','".$email."')"; 
    $result = $db->query($query);

    $query = "INSERT INTO authors (Name) VALUES ('".$username."')";
    $result = $db->query($query);

    $query = "INSERT INTO `login_profile` (`user_id`, `author_id`) SELECT `login_details`.`id`, `authors`.`id` FROM `login_details`, `authors` WHERE `login_details`.`Username` = '".$username."' AND `authors`.`Name` = '".$username."'";

    $result = $db->query($query);

    if ($result) {
      echo "<p>User registered!</p>";
    } else {
        echo "SQL Error: " . $db->error;
    }
  }
}

?>

Thank you!

geggleto
  • 2,541
  • 1
  • 13
  • 18
Raru
  • 9
  • 3
  • There's nothing in your code above showing you trying to authenticate a user. – Augwa Apr 24 '15 at 17:06
  • 3
    You should use password_hash for encrypting passwords. Will likely increase your mark as it is the current standard. Check to make sure your environment supports it. – geggleto Apr 24 '15 at 17:11
  • you must use the same sha1($_POST["password"]); on your login code. Btw you should post it as @Augwa mentioned. – Thiago C. S Ventura Apr 24 '15 at 17:13
  • It worked, thanks guys! – Raru Apr 24 '15 at 17:24
  • Sha1 is not the best choice here. it's no longer considered a good pracpractice to use sha1 for passwords. You shouod use bcrypt instead, and be sure to use a random salt per password (changing the salt when the passopassword changes) – atk Apr 24 '15 at 18:22
  • To expand on @LuckyBurger See http://php.net/manual/en/ref.password.php BY FAR easier and more secure to implment than SHA1 **(Requires PHP >= 5.5)** – Will B. Apr 24 '15 at 18:23
  • `mysqli_real_escape_string` does **not** prevent injection and `strip_tags` is equally pointless - learn how to use parameterised queries. – The Blue Dog Apr 24 '15 at 18:40

1 Answers1

0

This should be a comment, but its a bit long....

There are some problems here.

Why are you escaping the password before hashing it? It won't affect the outcome as long as you do the same thing when you try to validate the password.

You should be using a salt for the hash, ideally a random value. There are already several comments suggesting that sha1 is "not good enough" but in the absence of a salt there is little difference between md5, sha1, sha256, sha3-512...

And why check if the user exists before attempting to insert? If you have configured your table correctly, it will throw a duplicate key error if you try to create a username which already exists.

Storing the sane data in 2 different places and maintains a mapping in a third is just silly.

As to why the code you haven't shown us is not working....afraid my crystal ball is on the blink.

symcbean
  • 45,607
  • 5
  • 49
  • 83