开发者

User Authentication (Using sha1)

问答 作者:

I am creating a login form. I am learning how to use SHA-1 to encrypt passwords. I used SHA-1 to 开发者_JS百科encrypt the password that the user created during registration. In the database I inputted pretend username and password data, to have something to work with. I'm having problems getting my login form to work.

// Database Connection

$con = getConnection();

$sqlQuery = mysql_query("SELECT count(*) from Customers
                         WHERE Email = '$email' and Password = sha1('$passLogin')") 

// Executing query
$result = $con->mysql_result($sqlQuery, "0");

if ($result == 0) {
    echo "Can not login, try again.";
} else {
    echo "Login Good!";
}

I am learning how to use sha1 to encrypt passwords.

... use sha1 to hash passwords. Hashing is different from encryption. Encryption is reversible, hashing isn't. (or shouldn't be). Now, ...

  1. You have to make sure the passwords in the database are hashed.

  2. Usually you do the hashing on the PHP side.

  3. You should use salting to make rainbow table attacks unfeasible. Read Just Hashing is Far from Enough for Storing Password

That said, I would do the authentication part like this:

$hashedAndSalted = sha1($passLogin . $yourSalt);

$sqlQuery = mysql_query("SELECT Email FROM Customers WHERE Email = '$email' AND Password = '$hashedAndSalted'");

if (mysql_num_rows($sqlQuery) == 1) {
    echo 'Login successful';
} else  {
    echo 'Could not login';
}

Replace your query with this:

$sqlQuery = mysql_query("SELECT count(*) from Customers
                WHERE Email = '".$email."' and Password = '".sha1($passLogin)."'");

Remember to always concatenate strings and variables manually, don't rely on PHP to do it for you. Also, you forgot the semicolon ; after that line. Every line must be appended with a semicolon in PHP.

On a separate note if you have not sanitized your form inputs you are wide open for SQL injection.

If user enters the following for Email field:

' or '1'='1

They will be logged in :)

You should be using mysql_real_escape_string to escape $email and $passLogin or even better use prepared statements.

继续阅读:encryptionphpsql

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9