<?php
if (isset($_POST["submit"])) {
    $userid = htmlspecialchars($_POST["userid"]);
    $password = htmlspecialchars($_POST["wachtwoord"]);
    $passwordcrypt = sha1($password);

    $sql = "INSERT INTO user (userid, wachtwoord) VALUES ($userid, $passwordcrypt);";

    $conn->exec($sql);
    echo "New record created successfully";
}
?>

When I use the

$passwordcrypt = sha1($password);

I get the error:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column '356a192b7913b04c54574d18c28d46e6395428ab' in 'field list'' in C:\xampp\htdocs\school\php\registration.php:30 Stack trace: #0 C:\xampp\htdocs\school\php\registration.php(30): PDO->exec('INSERT INTO use...') #1 {main} thrown in C:\xampp\htdocs\school\php\registration.php on line 30

If I don't use the SHA1 then it works, why doesn't it work this way?

Rene Pot
LeondenBoer
    Your password is not quoted, which is causing that exception. Use a prepared statement instead. – Don't Panic Apr 12 '17 at 15:24
  • 5
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Apr 12 '17 at 15:24
  • 4
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 12 '17 at 15:24
  • 5
    `htmlspecialchars` is for preparing data for inserting into an HTML document, not for inserting into a database (and escaping for a database should be done immediately before putting into a database, i.e. **after** hashing) – Quentin Apr 12 '17 at 15:25
  • 1
    You should quote your password as a string `'$passwordcrypt'` – VTr Apr 12 '17 at 15:26
  • 4
    No you shouldn't. You should use a prepared statement. – Don't Panic Apr 12 '17 at 15:26
  • 1
    ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 12 '17 at 16:01
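The error in the question comes from interpolating the unquoted hash directly into the SQL text: MySQL reads the bare hex string as a column name rather than a value, hence "Unknown column ... in 'field list'". The comments above point to the two fixes, prepared statements and `password_hash()`. The following is an added example, not code from the asker or any commenter; it assumes `$conn` is an existing PDO connection and that the `user` table has the columns `userid` and `wachtwoord` named in the question, with `wachtwoord` wide enough (VARCHAR(255) is the usual choice) for a `password_hash()` result.

```php
<?php
// Added example: register and verify a user with PDO prepared statements and
// password_hash()/password_verify(). Assumes $conn is a PDO connection and the
// `user` table from the question (columns userid, wachtwoord).

function registerUser(PDO $conn, string $userid, string $password): bool
{
    // Hash the raw password. Do not run htmlspecialchars() or any other
    // escaping on it first: that would silently change the password.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep the values out of the SQL text, so no quoting is
    // needed and user input can never be parsed as SQL or as an identifier.
    $stmt = $conn->prepare(
        'INSERT INTO user (userid, wachtwoord) VALUES (:userid, :wachtwoord)'
    );
    return $stmt->execute([
        ':userid'     => $userid,
        ':wachtwoord' => $hash,
    ]);
}

function checkLogin(PDO $conn, string $userid, string $password): bool
{
    $stmt = $conn->prepare('SELECT wachtwoord FROM user WHERE userid = :userid');
    $stmt->execute([':userid' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() reads the algorithm, cost and salt from the stored hash,
    // so the code keeps working when PASSWORD_DEFAULT changes in a later PHP.
    return password_verify($password, $row['wachtwoord']);
}

if (isset($_POST['submit'])) {
    // Raise exceptions on SQL errors instead of failing silently.
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $ok = registerUser($conn, $_POST['userid'], $_POST['wachtwoord']);

    // htmlspecialchars() belongs here, at the point where text goes into HTML,
    // not on the values that go into the database.
    echo $ok
        ? 'New record created successfully'
        : htmlspecialchars('Could not create record', ENT_QUOTES, 'UTF-8');
}
?>
```

Because the hash never appears in the SQL string, the quoting problem from the question cannot recur, and the same placeholders stop the injection the comments warn about. `password_hash()` produces a salted, slow hash (bcrypt by default) and stores its parameters in the result, which is why `checkLogin()` needs nothing but the stored value to verify a login attempt.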

0 Answers