Security issue,php/mysql

Question

In my CMS i don't have a registration system. Just a login one,meaning that the password is predefined inside the table. Ie I put my username and my set up password and I can successfully login. However that password is visible inside my table. How can I hash it? When I do that using sha1,I can't login. I have to login with the exact password which is stored in the table.

Here is my code.

<?php
 session_start();
 ?>
 <!DOCTYPE HTML>
 <html>
 <head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
   <title>Admin Area</title>
<link rel="stylesheet" href="login-css.css" media="all"/>
</head>

 <body>
 <div class="login">
 <h1>Admin Login</h1>
   <form method="post">
    <input type="text" name="user_name" placeholder="Username"   
    required="required" />
    <input type="password" name="user_pass" placeholder="Password" 
    required="required" />
    <button type="submit" class="btn btn-primary btn-block btn-large" 
     name="login">Admin Login</button>
</form>

</div>

<h2 style="color:#FFF; text-align:center"><?php echo 
@$_GET['not_authorized']; ?></h2>

</body>


</html>

<?php

  include("includes/connect.php");
if(isset($_POST['login'])){
    $user_name = mysqli_real_escape_string($con,$_POST['user_name']);
    $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']);


    $check_user = "select * from user where user_name='$user_name' AND user_password='$user_pass'";

    $run_user = mysqli_query($con,$check_user);



    if(mysqli_num_rows($run_user)>0){

        $_SESSION['user_name'] = $user_name;

        echo "<script>window.open('index.php?logged=You have successfully   
      Logged In','_self')</script>";
    }else{
        echo "<script>alert('Username or password is incorrect')</script>";
    }
  }
 ?>

And my table sql code.

CREATE TABLE IF NOT EXISTS `user` (
  `id` int(10) NOT NULL AUTO_INCREMENT,
  `user_name` varchar(100) NOT NULL,
  `user_password` varchar(100) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=8 ;

INSERT INTO `user` (`id`, `user_name`, `user_password`) VALUES
(7, 'theo', 'test');

So the password should not be shown as test.

Any ideas,

Thanks.

Please use PHP's [built-in functions to handle passwords](http://jayblanchard.net/proper_password_hashing_with_PHP.html). If you're using a PHP version less than 5.5 you can use the password_hash() [compatibility pack](https://github.com/ircmaxell/password_compat). You should also use prepared/parameterized queries `SELECT * FROM user WHERE id = ?` to avoid sql injection. On topic: select the user by name, then compare the stored hash using `password_verify()` — JimL, Apr 24 '16 at 07:58
**WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and never store passwords as plain-text. — tadman, Apr 24 '16 at 08:54

score 0 · Accepted Answer · answered Apr 24 '16 at 08:03

0

You can convert the password $user_pass = mysqli_real_escape_string($con,$_POST['user_pass']); sha1 and pass it to query.

But better idea is collect the user information with user name and check the converted password(sha1) string with the password column value you retrieved from the query.

answered Apr 24 '16 at 08:03

Mujahidh

428
4
19

1

Thanks. I made it work:) – Theo Apr 24 '16 at 08:21
SHA1 is completely inadequate. At the very least use `password_hash`. – tadman Apr 24 '16 at 08:53

Security issue,php/mysql

1 Answers1