Notes:
- I’m still fairly new to php
- This login form seems to work perfectly fine if I don’t hash the password.
- I’ve tried md5, sha256 and now I’ve left it at sha1. None of these work.
- I first used echo sha1("password"); to find out what the hash for my password would be, I then copied that hash and pasted it manually with phpMyAdmin. I’m not sure if this is what the issue is or not.
Anyways here is the code:
<?php
session_start();
require("config.php");
if(isset($_POST['submit'])) {
    $username = mysql_real_escape_string($_POST['username']);
    $password = sha1(mysql_real_escape_string($_POST['password']));
    $loginsql = "SELECT * FROM login WHERE username = '" . $username .
        "' AND password = '" . $password . "'";
    $loginresult = mysql_query($loginsql);
    $loginnumrows = mysql_num_rows($loginresult);
    if($loginnumrows == 1) {
        $loginrow = mysql_fetch_assoc($loginresult);
        session_register("USERNAME");
        session_register("USERID");
        $_SESSION['USERNAME'] = $loginrow['username'];
        $_SESSION['USERID'] = $loginrow['id'];
        header("Location: " . $config_basedir . "controlpanel.php");
    }
    else{
        echo "<p>Incorrect Login, please try again!</p>";
    }
}
else{
}
?>
I’m really not too sure where to go with this. I’m sure my code could be more efficient but as I mentioned in the notes, it does work when I don’t hash the password. Thank you for reading.
If it works when you don’t hash the password, it sounds like your passwords are stored in the database as plaintext – that would be where I would check.
The other thing that might be happening is mysql_real_escape_string should be used on the other side of the sha1 so it doesn’t interfere with the exact input.
So it should be:
mysql_real_escape_string(sha1($_POST['password']));
That might change things a bit.
Note: Although sha1 doesn’t currently have any known security issues so it should be safe to put directly into the database without the mysql escape, somebody once told me to always make sure everything that goes into the database should be cast or escaped just in case a security vulnerability is found in something like sha1 or md5.
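An added example, not code from either post: the same login check written for current PHP (the mysql_* functions and session_register() used above have been removed from the language), with a parameterized query and password_hash()/password_verify() in place of sha1(). The in-memory SQLite database, the register() and login() helper names and the credentials are assumptions made so it runs stand-alone; addslashes() stands in for mysql_real_escape_string() to show the escape-before-hash mismatch the answer describes.

```php
<?php
// Added example (PHP 7.1+). Constructed schema and credentials; SQLite in
// memory is an assumption so the script runs offline without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Store the hash from code rather than pasting it in by hand. password_hash()
// salts every hash; its output is 60 characters with the current default and
// may grow, so the password column must not truncate it.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO login (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Select by username only, then compare in PHP: a salted hash cannot be
// matched with "AND password = ...". Returns the user id, or null on failure.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM login WHERE username = ?');
    $stmt->execute([$username]);   // bound parameter: no escaping step needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;               // same result for unknown user and wrong password
    }
    return (int) $row['id'];
}

$raw = "it's a secret";            // constructed password containing a quote
register($pdo, 'alice', $raw);

// Escaping before hashing changes the bytes that are hashed, so the digest no
// longer matches one computed from the raw password. addslashes() is a
// stand-in for mysql_real_escape_string(), which needs a live MySQL link.
var_dump(sha1($raw) === sha1(addslashes($raw)));

var_dump(login($pdo, 'alice', $raw));        // correct password
var_dump(login($pdo, 'alice', 'wrong'));     // wrong password
var_dump(login($pdo, "' OR '1'='1", 'x'));   // quote-laden username stays data
```

In the login page itself, a non-null result from login() is the point to call session_regenerate_id(true), assign the $_SESSION values, send the Location header and then exit.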