I am quite new to php and mysqli and I hope someone could help me. The following code inserts firstname, lastname, email and registration date successfully but I get an unidentified index warning with the password and nothing is inserted in mysql. I know SHA1 is not the best encryption to use and I know this code is vulnerable, I still have a lot of work to do on it. I just need someone to suggest where I am going wrong and what I need to do to correct this. Many thanks in advance.

```php
<?php
$page_title = 'Register';
$q = 'query';

if (isset($_POST['submitted'])){

$errors = array();//initialise error array

//check for first name
if (empty($_POST['first_name'])) {
    $errors[] = 'you forgot to enter your first name';
} else {
    $fn=trim($_POST['first_name']);
}

//check for last name
if (empty($_POST['last_name'])) {
    $errors[] = 'you forgot to enter your last name';
} else {
    $ln=trim($_POST['last_name']);
}

//check for email
if (empty($_POST['email'])) {
    $errors[] = 'you forgot to enter your email';
} else {
    $e=trim($_POST['email']);
}

//check passwords against each other
if (!empty($_POST['pass1'])){

    if(!empty($_POST['pass1'])) {
        if ($_POST['pass1'] != $_POST['pass2']) {
            $errors[] = 'Passwords dont match';
            } else {
                $p = trim($_POST['pass1']);
            }
        } else {
            $errors[] = 'You forgot to enter your password.';
        }

    if (empty($errors)) {

        require_once ('mysqli_connect.php');

        //make query
        $q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES 
        ('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','".$_POST["SHA1('pass')"]."', NOW())";

        $r = @mysqli_query ($dbc,$q); //run query

        if($r) {
            echo 'Registration complete';
        } else {
            echo 'System error, could not register you';

            //debug msg
            echo '<p>'.mysqli_error($dbc).
            '<br/><br/>Query: '.$q.
            '</p>';
        }

        mysqli_close($dbc);

    }else { //report errors
    echo 'The following errors occurred: <br/>';
    foreach ($errors as $msg) {
    echo "- $msg<br/>\n";
    }
    }
}
}
?>
<html>
<head></head>
<body>
<h1>Register</h1>
<form action="register.php" method="post">
<p>First Name: <input type="text" name="first_name" size="15" maxlength="20" value="<?php if(isset($_POST['first_name'])) echo $_POST['first_name']; ?>"/></p>
<p>Last Name: <input type="text" name="last_name" size="15" maxlength="20" value="<?php if(isset($_POST['last_name'])) echo $_POST['last_name']; ?>"/></p>
<p>Email Address: <input type="text" name="email" size="15" maxlength="20" value="<?php if(isset($_POST['email'])) echo $_POST['email']; ?>"/></p>
<p>Password: <input type="password" name="pass1" size="10" maxlength="20"/></p>
<p>Confirm Password: <input type="password" name="pass2" size="10" maxlength="20"/></p>
<p><input type="submit" name="submit" value="register"/></p>
<input type="hidden" name="submitted" value="TRUE"/>
</form>
</body>
</html>
```
ZMB
  • `($_POST['pass1'] != $_POST['pass2'])` check that `pass2` is also set. – Cheery Nov 26 '14 at 19:45
  • Please note: SHA1 is hashing, not encryption. – ceejayoz Nov 26 '14 at 19:47
  • `$_POST["SHA1('pass')"]` that is wrong and not just for a single reason. You're also facing a massive SQL injection. – Funk Forty Niner Nov 26 '14 at 19:49
  • You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Nov 26 '14 at 19:49
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Nov 26 '14 at 19:50
  • I suggest you take a look at http://daveismyname.com/login-and-registration-system-with-php-bp - It uses PDO with prepared statements and PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. – Funk Forty Niner Nov 26 '14 at 19:51
  • Hello, thank you for your feedback so far, I am aware that it's vulnerable to SQL injections, I am going to look at this once I get this bit working first. The line `($_POST['pass1'] != $_POST['pass2'])` does work correctly. The line `$_POST["SHA1('pass')"]` is the problem. The aforementioned line previously said `$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES ('first_name','last_name','email', SHA1('pass'), NOW())";` which did hash the password but the password was always pass – ZMB Nov 26 '14 at 19:57
  • _“the line `$_POST["SHA1('pass')"]` is the problem”_ – of course it is, because your password field is not named `SHA1('pass')`, so why are you trying to access a POST parameter of that name then …? – CBroe Nov 26 '14 at 20:30

1 Answer

In your query variable `$q` this value is wrong: `$_POST["SHA1('pass')"]`. Change it to your password variable like this:

```php
//make query
$q = "INSERT INTO users (first_name,last_name,email,pass,registration_date) VALUES 
('".$_POST["first_name"]."','".$_POST["last_name"]."','".$_POST["email"]."','". sha1($p) ."', NOW())";
```

Consider taking a better approach when storing passwords; take a look at the function `password_hash()` for better security.

Adriano Rosa
  • You're welcome! As you said you're new to PHP, this will work for now. While storing hashed passwords in sha or md5 works fine, when you dig deeper into PHP spend a little time on how to store passwords using the built-in function [password_hash()](http://php.net/manual/en/function.password-hash.php) as of PHP5 or other methods of password encryption. – Adriano Rosa Nov 26 '14 at 20:14
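
The changes raised in the comments and the answer, put together as an added example that is not part of the original question or answer: the password is read from `pass1` (so there is no undefined index), hashed with `password_hash()`, and every value is bound through a prepared statement. Assumptions: the function name `register_user` is hypothetical, PDO is used as in the tutorial linked in the comments, and an in-memory SQLite table stands in for the MySQL `users` table so the script runs on its own.

```php
<?php
// Added example, not code from the page. Assumes the pdo_sqlite extension;
// the SQLite table is a stand-in for the MySQL `users` table.
function register_user(PDO $db, array $post): array
{
    $in = [];
    // A missing or non-string field becomes '' instead of raising a notice.
    foreach (['first_name', 'last_name', 'email', 'pass1', 'pass2'] as $key) {
        $value = $post[$key] ?? '';
        $in[$key] = is_string($value) ? $value : '';
    }
    $first = trim($in['first_name']);
    $last  = trim($in['last_name']);
    $email = trim($in['email']);

    $errors = [];
    if ($first === '') { $errors[] = 'you forgot to enter your first name'; }
    if ($last === '')  { $errors[] = 'you forgot to enter your last name'; }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'you forgot to enter a valid email';
    }
    if ($in['pass1'] === '') {
        $errors[] = 'You forgot to enter your password.';
    } elseif ($in['pass1'] !== $in['pass2']) {
        $errors[] = 'Passwords dont match';
    }
    if ($errors) {
        return $errors;
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, last_name, email, pass, registration_date)
         VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)'
    );
    // password_hash() picks a salted, slow algorithm; store its full output.
    $stmt->execute([$first, $last, $email, password_hash($in['pass1'], PASSWORD_DEFAULT)]);
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (first_name TEXT, last_name TEXT, email TEXT, pass TEXT, registration_date TEXT)');

// Constructed input: the quote in the last name would break the concatenated query.
$post = ['first_name' => 'Ann', 'last_name' => "O'Brien", 'email' => 'ann@example.com',
         'pass1' => 'correct horse', 'pass2' => 'correct horse'];
var_dump(register_user($db, $post));                    // valid submission
var_dump(register_user($db, ['first_name' => 'Bob']));  // incomplete submission
$row = $db->query('SELECT last_name, pass FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['last_name'], password_verify('correct horse', $row['pass']));
```

At login, compare the submitted password with `password_verify()` against the stored value rather than re-hashing and comparing strings; the `pass` column needs to be wide enough for the full hash (the PHP manual suggests 255 characters).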