Issues with using SHA1 password encryption in PHP/mysql

Question

I have a simple script for user login. I have the passwords encrypted as SHA1 in mySQL database table (using charset utf8_unicode_ci).

When I run "$q" in the database with values it returns result all right. But through the script even after entering correct credentials, I am not able to login. Also, it is working fine if I remove the encryption at both places (script and database). Same problem occurs if I use MD5 instead.

I am not sure what I am missing at. I tried to echo the SHA1 output and it comes out to be different than the encrypted password visible in the database. I have checked for any extra spaces in my input as well. Please help me understand what is wrong. Let me know if you need anything else. Thanks in advance!

connection.php holds the login credentials to the database and the below line:

$dbc = mysqli_connect($servername, $username, $password, $dbname) or die("Connection failed: " . mysqli_connect_error());

Below is the login page : "login.php"

<?php 

#Start the session:
session_start();
include('../setup/connection.php'); 

if($_POST) {
    $q = "select * from users where email = '$_POST[email]' and password = SHA1('$_POST[password]');";
    $r = mysqli_query($dbc, $q);

    if (mysqli_num_rows($r) == 1) {
        $_SESSION['username'] = $_POST['email'];
        header('Location: index.php');
    }
    else {$msg="Username/Password incorrect. Please try again!";}
}
?>

<!DOCTYPE html>
<html lang="en">
  <head>

    <meta charset="utf-8">
    <title>Admin Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <?php include('config/css.php'); ?>
    <?php include('config/favicon.php'); ?>
    <?php include('config/js.php'); ?>
    <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/r29/html5.min.js"></script>
    <![endif]-->

  </head>

  <body>

    <!--NAVIGATION BAR-->
    <?php //include(D_TEMPLATE.'/navigation.php'); ?>
    <div class="container">


      <div class="col-lg-4 col-lg-offset-4">
        <div class="panel panel-info">
          <div class="panel-heading">
            <h1 class="lato fs20"><strong>Login</strong></h1>
          </div>
          <div class="panel-body">
            <?php echo $msg; ?>
            <form role="form" method="post" action="login.php">
              <div class="form-group">
                <label for="email">Email address</label>
                <input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
              </div>
              <div class="form-group">
                <label for="password">Password</label>
                <input type="password" id="password" class="form-control" name="password">
              </div>

              <button type="submit" class="btn btn-default">Submit</button>
            </form>
          </div>
        </div>
      </div>
    </div>
  </body>

</html>

The answer to all your problems, are all [right here...](http://stackoverflow.com/a/29778421/). Drop all that code and use that. `sha1` and MD5 aren't what they used to be. After all, we are 2015 and not 1995. A lot of water has gone under the bridge in **30 years** ;-) Plus, you're open to some massive [**SQL injection**](http://stackoverflow.com/q/60174/). — Funk Forty Niner, May 23 '15 at 14:41
Check the length of your password field in database. If string length is greater than database field length then some portion of your string are trancated. Might be you have some issue there. — Dipak Dendage, May 23 '15 at 14:52
Gawd, I wouldn't waste my time with this, you're asking for trouble, really. However, what @DipakDendage said, check the length of that column. 9 times out 10, is what the problem may be. Use the link I've given you above, it's a lot safer. — Funk Forty Niner, May 23 '15 at 14:54
Thanks very much for that Fred. Was following a tutorial and ran into this issue. It was working fine earlier. I migrated the database. Since then this has been happening. Will use the libraries to secure the passwords as per your suggestion. And yeah, form validation and SQL injection vulnerabilities will be taken care of. Was banging my head with this issue unnecessarily. — Ayushman Chatterjee, May 23 '15 at 15:41
Already checked that Dipak. That is not an issue. Anyway, I think I should go for the newer hashing algorithms which are more secure. Will ask for assistance in case of any issues with that. Thank you for your response. Appreciate it! — Ayushman Chatterjee, May 23 '15 at 15:43

score 1 · Accepted Answer · answered May 23 '15 at 17:00

1

For the "$q" variable, you should use php sha1 function:

 $q = "select * from users where email = '$_POST[email]' and password = '" . sha1($_POST[password]) . "'";

But as Fred-ii said you really shoud (have to) protect your variables before. For example :

$_POST['email'] = mysqli_real_escape_string($_POST['email']);

It will protect your variable against SQL injection (https://php.net/manual/en/mysqli.real-escape-string.php)

answered May 23 '15 at 17:00

Anthony

2,014
2
19
29

SHA-1 should not be used at all (except as underlying function of `password_hash` and possibly `password_verify`) – Maarten Bodewes May 24 '15 at 11:12

Issues with using SHA1 password encryption in PHP/mysql

1 Answers1