Views: 77, Answers: 3
I am creating a login form. I am learning how to use SHA-1 to encrypt passwords. I used SHA-1 to encrypt the password that the user created during registration. In the database I inputted pretend username and password data, to have something to work with. I'm having problems getting my login form to work.

// Database Connection

$con = getConnection();

$sqlQuery = mysql_query("SELECT count(*) from Customers
                         WHERE Email = '$email' and Password = sha1('$passLogin')") 

// Executing query
$result = $con->mysql_result($sqlQuery, "0");

if ($result == 0) {
    echo "Can not login, try again.";
} else {
    echo "Login Good!";
}
A: 

On a separate note if you have not sanitized your form inputs you are wide open for SQL injection.

If the user enters the following in the Email field:

' or '1'='1

They will be logged in :)

You should be using mysql_real_escape_string to escape $email and $passLogin, or, even better, use prepared statements.

codaddict
How do you know `$email` and `$passLogin` haven't been properly sanitized?
NullUserException
No one but the OP knows that
codaddict
+2  A: 

I am learning how to use sha1 to encrypt passwords.

... use sha1 to hash passwords. Hashing is different from encryption: encryption is reversible, hashing isn't (or shouldn't be). Now, ...

  1. You have to make sure the passwords in the database are hashed.

  2. Usually you do the hashing on the PHP side.

  3. You should use salting to make rainbow-table attacks infeasible. Read "Just Hashing is Far from Enough for Storing Password".

That said, I would do the authentication part like this:

$hashedAndSalted = sha1($passLogin . $yourSalt);

$sqlQuery = mysql_query("SELECT Email FROM Customers WHERE Email = '$email' AND Password = '$hashedAndSalted'");

if (mysql_num_rows($sqlQuery) == 1) {
    echo 'Login successful';
} else  {
    echo 'Could not login';
}
NullUserException
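The two points raised in this thread, codaddict's (the query is built from raw form input and is open to SQL injection) and this answer's (hash on the PHP side, with a salt), fit together in one login routine. What follows is an added example, not code from the question or from either answer. It assumes PHP 5.5 or later for password_hash()/password_verify() and uses PDO with an in-memory SQLite database constructed here so the script runs on its own; against MySQL only the DSN and credentials change. The mysql_* functions used throughout the thread were removed in PHP 7.0, which is another reason to move to PDO.

```php
<?php
// Added example (not from the original question or answers). Assumptions:
// PHP >= 5.5 (password_hash/password_verify) and the PDO extension.
// The in-memory SQLite database below is constructed for this example so it
// runs stand-alone; it mirrors the Customers(Email, Password) table from the
// question. For MySQL use a DSN such as "mysql:host=...;dbname=...".

declare(strict_types=1);

function getConnection(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Customers (Email TEXT PRIMARY KEY, Password TEXT NOT NULL)');
    return $pdo;
}

// Registration: hash on the PHP side. password_hash() draws a random per-user
// salt and embeds it in the returned string, so no hand-rolled $yourSalt is
// needed and two users with the same password get different stored values.
function registerCustomer(PDO $pdo, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO Customers (Email, Password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

// Login: the query is parameterised, so whatever is typed into the Email
// field travels as data and cannot alter the query structure (the
// "' or '1'='1" input from the thread is just an address that does not
// exist). The password is checked with password_verify() in PHP, not by
// string-matching a hash inside the SQL text.
function login(PDO $pdo, string $email, string $passLogin): bool
{
    // Dummy hash, computed once, so an unknown e-mail costs the same time as
    // a wrong password and the response timing does not reveal valid accounts.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare('SELECT Password FROM Customers WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($passLogin, $dummyHash);
        return false;
    }
    return password_verify($passLogin, $row['Password']);
}

// Constructed sample data for the example.
$con = getConnection();
registerCustomer($con, 'alice@example.com', 'correct horse');

var_dump(login($con, 'alice@example.com', 'correct horse'));
var_dump(login($con, 'alice@example.com', 'wrong password'));
var_dump(login($con, "' or '1'='1", 'anything'));
```

Only the first call should succeed. Because the stored value carries its own salt and algorithm identifier, password_verify() keeps working if PASSWORD_DEFAULT later changes, and password_needs_rehash() can be used at login time to upgrade old hashes.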
A: 

Replace your query with this:

$sqlQuery = mysql_query("SELECT count(*) from Customers
                WHERE Email = '".$email."' and Password = '".sha1($passLogin)."'");

Remember to always concatenate strings and variables manually, don't rely on PHP to do it for you. Also, you forgot the semicolon ; after that line. Every line must be appended with a semicolon in PHP.

Andrew Dunn
This is wrong. -1
NullUserException
No it's not, having sha1() in a string doesn't execute the method.
Andrew Dunn
Yes it is. You'll always generate the same hash because you are hashing a constant. Also what's up with the "Remember to always concatenate strings and variables manually, don't rely on PHP to do it for you."? This is terrible advice.
NullUserException
It's not terrible advice, as it prevents errors. It doesn't hash a constant, though; while the code before I edited it did hash the wrong password, it wasn't a constant. E.g. `$foo = 'bar'; echo "'$foo'";` outputs 'bar' (with quotes).
Andrew Dunn
@Andrew Of course it was a constant. Variables in single quotes are not interpolated.
NullUserException
Touché. This is why I concatenate using the `.` operator.
Andrew Dunn
I think it is not a constant because of the `.` operator: http://codepad.org/6kcW16MB
NAVEED