In general, I wanted to hash the password with sha1; the hashed value is stored in the database as usual. My only problem is with reading it back. Registration works normally and the hashed password is stored in the database, but how can I read it back when authorizing? Here is a piece of the registration code:

    $username = $_POST['username'];
    $password = sha1($_POST['password']);
    $query = mysql_query("SELECT * FROM usertbl WHERE username='" . $username . "'");
    $numrows = mysql_num_rows($query);
    if ($numrows == 0) {
        $sql = "INSERT INTO usertbl (username, password) VALUES('$username', '$password')";
        mysql_query($sql);
    }

Here is a piece of the authorization code:

    $username = $_POST['username'];
    $password = sha1($_POST['password']);
    $query = mysql_query("SELECT * FROM usertbl WHERE username='" . $username . "' AND password='" . $password . "'");
    $numrows = mysql_num_rows($query);
    if ($numrows != 0) {
        while ($row = mysql_fetch_assoc($query)) {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }
        if ($username == $dbusername && $password == $dbpassword) {
            // login successful
        }
    }

  • Well, in the SELECT change AND password='".$password to AND password='".sha1($password). Or is something stopping you from doing that? - Alexey Shimansky
  • @Alexey Shimansky it does not work, it says the password is wrong. - Ersultan
  • @BOPOH, it does not work; the POST value (the one that is entered) is hashed so that the check against the database (hash == hash) would work, but it does not. - Ersultan
  • 1) then update the code in the question with the new changes 2) show in the question what you submit as input during registration ( var_dump($_POST['password'], $password) ) and likewise at login. Also show what is actually stored in the database for this user. You may simply have a typo in the password or the login - BOPOH
  • @Ersultan Maybe when you entered the password the first or the second time there were some spaces and you did not trim them. Or maybe the password really is wrong. Try making the password 1 to start with, and check with that. In general, put echo sha1($password) . " - " . $password; before the SELECT and see what was really entered - Alexey Shimansky

1 answer

This is one of those questions that literally makes no sense to answer,
because the literal answer is obvious, but the premise of the question is wrong.

  1. sha1 is on the verge of insecurity. For password hashing in PHP, the specially designed functions should be used.
  2. Variables must never be substituted directly into an SQL query, but only passed through pseudo-variables, placeholders. Although this approach can be implemented on top of the mysql functions, first, you would have to write a special library for that, and second, these functions have already been removed from PHP. Therefore, the most common choice would be to use the PDO functions.

Thus, the registration code will look something like this.

    $stmt = $pdo->prepare("SELECT 1 FROM usertbl WHERE username=?");
    $stmt->execute([$_POST['username']]);
    if (!$stmt->fetchColumn()) {   // no row returned: the username is still free
        $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
        $sql = "INSERT INTO usertbl (username, password) VALUES(?,?)";
        $pdo->prepare($sql)->execute([$_POST['username'], $hash]);
    }

and the verification code is:

    $stmt = $pdo->prepare("SELECT * FROM usertbl WHERE username=?");
    $stmt->execute([$_POST['username']]);
    $user = $stmt->fetch();
    if ($user && password_verify($_POST['password'], $user['password'])) {
        // login successful
    }
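The two fragments above tied together into one runnable script, as an added example that is not the answerer's code: it assumes an in-memory SQLite database (with MySQL only the DSN changes), looks the user up by username only, uses a dummy verify so an unknown username costs the same time as a wrong password, and re-hashes on login when the stored hash's parameters are outdated.

```php
<?php
// Assumption: in-memory SQLite so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE usertbl (username TEXT PRIMARY KEY, password TEXT NOT NULL)");

function register(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare("SELECT 1 FROM usertbl WHERE username = ?");
    $stmt->execute([$username]);
    if ($stmt->fetchColumn()) {
        return false;                        // username already taken
    }
    // Salted, slow hash; algorithm, cost and salt travel inside the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare("INSERT INTO usertbl (username, password) VALUES (?, ?)")
        ->execute([$username, $hash]);
    return true;
}

function login(PDO $pdo, string $username, string $password): bool {
    // Select by username only: a fresh password_hash() of the same input never
    // equals the stored hash, so the password cannot be part of the WHERE clause.
    $stmt = $pdo->prepare("SELECT password FROM usertbl WHERE username = ?");
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: verify against a dummy hash so the response time does
        // not reveal whether the username exists.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade hashes created with an older algorithm or a lower cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $pdo->prepare("UPDATE usertbl SET password = ? WHERE username = ?")
            ->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed sample run: register, duplicate registration, correct and wrong
// password, and a username containing a quote, which the placeholder keeps as data.
var_dump(register($pdo, 'alice', 'correct horse'));
var_dump(register($pdo, 'alice', 'other'));
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, "alice' OR '1'='1", 'x'));
```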