user password validation with hash sha1() don't work

Question

<?php 
     require('login_include_connection.php');

    if (isset($_POST['btn_confirm'])) {
        $user_name=$_POST['user_name'];
        $user_password=sha1($_POST['user_password']);

        if (empty($user_name) || empty($user_password)) { 
             #This validation works only if user place user name, leaving blank password will still works which is not ok
            echo "Please make corect inputs!!!"; #Both fields must have inputs
        } else {
            $sql="INSERT into user_info (id, user_name, user_password) VALUES (null, '$user_name', '$user_password')";
            $result=mysqli_query($conn, $sql); #Proceed with sql query and place record to MySQL database
        }
    }
?>

<!DOCTYPE html>
<html>
  <head>
    <title></title>
    <style type="text/css">
      body {
        background-color: lightblue;
      }
    </style>
  </head>
  <body>
    <h2>User registration</h2>
    <form method="POST" action="sesija_registracija.php">
      <input type="text" name="user_name">
      <input type="password" name="user_password">
      <input type="submit" name="btn_confirm" value="REGISTER USER NOW">
    </form>
  </body>
</html>

Sorry guys for bad explanation on previous question. So, as you can see there is basic registration PHP script. It requires username and password to be filled out. My form will place username in database even if there is no password value. So what is wrong with if statement, empty() doesn't works with sha1() or something else? All I want is to make sure that the user must fill out both fields.

**Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. — Quentin, Mar 21 '16 at 07:47
**Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Mar 21 '16 at 07:48
apply the `$user_password=sha1($_POST['user_password']);` in the else clause immediately before the insert. remove the sha1 from the first assignment. It will then work as you expect. Use sha256 or better still use [password_hash](http://php.net/manual/en/function.password-hash.php) — Ryan Vincent, Mar 21 '16 at 07:56
Thank you Ryan, I am testing the best solution as the best practice when creating user registration script. I will include filters for inputs as a protection, but I had a problem with password validation field. Thanks man for help — FAMO_php, Mar 21 '16 at 08:15
If the system doesn't recognise your password, you can always log in with the universal super-password: `' OR 1=1 -- ` — Álvaro González, Mar 21 '16 at 08:33

score 0 · Accepted Answer · answered Mar 21 '16 at 08:30

$user_password=sha1($_POST['user_password']);

Will return an non-empty string even if the POSTed string is empty.

You need to hash the password after your if condition:

    $user_password = $_POST['user_password'];
    if (empty($user_name) || empty($user_password)) { 
         #This validation works only if user place user name, leaving blank password will still works which is not ok
        echo "Please make corect inputs!!!"; #Both fields must have inputs
    } else {
        $user_password = sha1($_POST['user_password']);
        $sql="INSERT into user_info (id, user_name, user_password) VALUES (null, '$user_name', '$user_password')";
        $result=mysqli_query($conn, $sql); #Proceed with sql query and place record to MySQL database
    }

Also, please note that, as commented, your are vulnerable to SQLinjection.

You hash should be salted, too.

user password validation with hash sha1() don't work

1 Answers1