sha('$password') return with empty set

Question

I have two problems. problem one: I am trying to create a registeration form where users can register with my website. when I run this mysql statement a get dublicate entry found error:

$sql "insert into users(username, password) values('$username, sha('$password'))";

Duplicate entry 'da39a3ee5e6b4b0d3255bfef95601890afd80709' for key 'password' despite the fact that I changed the the string sha('$password') several times. please help.

else{
   include("databaseconnection.php");
   $databaseconnect = connect($host,$user,$password,$database)
      or die("couldnot connect to database serever.\n");
   $database_select = mysql_select_db($database,$databaseconnect)
      or die("could not select dabases.\n " .mysql_error());
   $query2 = "insert into company(username,password)
      values('$username',sha1('$password'))";
   $result2 = mysql_query($query2,$databaseconnect);
   echo "you have been registered as '$companyloginName' <br/>";
   header("Location:/index.php");

my login php script is as follow:

   $result ="select username, password form users where username ='$username' and password = sha('$password');
    if(mysql_num_rows($reuslt)==1){
   echo"welcome '$username";
    }

Why do you have an UNIQUE constraint on the password field? Isn't it possible for multiple users to have the same password? — Emil Vikström, Jun 25 '11 at 14:45
thank you for asking that...I actualy removed the uniqueconstraint on the pasword field, but the what is happeing is that users with different passwords can login each others account becuase sha('$password') and sha('$password1') have same 'da39a3ee5e6b4b0d3255bfef95601890afd80709'. — sareeye, Jun 25 '11 at 14:59
adding to what @Emil said, BE SURE to allow people to have the same password, or at least don't show messages in case they enter a password already present, because it would make a nice security hole in your app — Damien Pirsy, Jun 25 '11 at 15:44
1. `$databaseconnect` is commented out. 2. You're missing an `=` and a closing quote in your `$sql` variable. — esqew, Jun 25 '11 at 16:38
For the sake of security, please **do not hash your passwords that way**! [Read this answer on how to securely hash passwords](http://stackoverflow.com/questions/6340105/how-can-we-create-a-fairly-secure-password-hash-in-php/6340197#6340197) — Andrew Moore, Jun 25 '11 at 20:02

score 1 · Answer 1 · edited May 23 '17 at 11:55

First, I would STRONGLY advice against using MySQL's sha() or PHP's sha1() alone for password hashing purposes. This is a huge security risk for your users if your database gets compromised.

Please take the time to read my previous answer on the subject of password hashing to properly secure your data.

Second, your code is vulnerable to an SQL Injection attack. Use mysql_real_escape_string() to escape the variables you are going to put in your query before-hand.

$query2 = "insert into company(username,password)
  values('" . mysql_real_escape_string($username) .
          "', sha1('" . mysql_real_escape_string($password) . "'))";

Third, your $password variable is being overwritten by your databaseconnection.php file.

include("databaseconnection.php");
$databaseconnect = connect($host,$user, $password ,$database);

To put emphasis...

$databaseconnect = connect($host,$user,$password,$database);

Therefore, the $password used later on in your query still contains the password for the database connection, not your user's password.

Change the name of your variable in databaseconnection.php or even better still, use an array to hold all the configuration.

$dbConnectParams = array('host' => 'localhost'
                         'user' => 'myUser',
                         'pass' => 'myPassword',
                         'db' => 'myDB');

Then, change your code as follows:

include("databaseconnection.php");
$databaseconnect = mysql_connect($dbConnectParams['host'],
                           $dbConnectParams['user'],
                           $dbConnectParams['pass'],
                           $dbConnectParams['db']);

Since you are already passing the database when calling mysql_connect(), you do no need to call mysql_select_db().

Emil Vikström · Accepted Answer · 2011-06-25T19:42:30.757

0

da39a3ee5e6b4b0d3255bfef95601890afd80709 is the sha1 hash of the empty string. Make sure that you actually insert the password into your SQL query, for example by echoing the query instead of sending it to the SQL server.

Edit With the new information added to your question, check out these two lines:

include("databaseconnection.php");
$databaseconnect = connect($host,$user,$password,$database)

Here, $password is the password used to connect to the database. The inclusion of databaseconnection.php probably overwrites what was previously in the $password variable.

Try to echo $query2 and you'll probably see it for yourself, that the SQL query doesn't include any password at all or that the password therein is not the same as the one entered by the user.

edited Jun 25 '11 at 19:42

answered Jun 25 '11 at 15:20

Emil Vikström

90,431
16
141
175

thank you emil, but I can see the username is actually inserted in the database, theis string'da39a3ee5e6b4b0d3255bfef95601890afd80709' is inserted in the password column. all the others columns of the table users are correctly populated. – sareeye Jun 25 '11 at 15:52
here is the php code:else{ include("databaseconnection.php"); /*$databaseconnect = connect($host,$user,$password,$database) or die("couldnot connect to database serever.\n");*/ $database_select = mysql_select_db($database,$databaseconnect) or die("could not select dabases.\n " .mysql_error()); $query2 = "insert into company(username,password,) values('$username',sha1('$password'))"; $result2 = mysql_query($query2,$databaseconnect); echo "you have been registered as '$companyloginName'
"; header("Location:/index.php"); – sareeye Jun 25 '11 at 15:55
@sareeye, Please update the question to reflect this, then we can answer. – Inca Jun 25 '11 at 16:09
hi @inca, I did updated the question.I really do not see any problem with my php code, I do not understand why password column isn't populated? any help will be greately appreciated. – sareeye Jun 25 '11 at 16:39

score 0 · Answer 3 · answered Jun 25 '11 at 16:43

Guessing from the commented line, it may be possible you accidentally use the connection password that is set in 'databaseconnection.php' rather than the user password - you don't show how you initialize the $password string.

Also note the comma in your sql that shouldn't be there:

insert into company(username,password,)
                                     ^

I have not tested if that is the cause, but you should probably get rid of it and test it again.

Also, seriously consider pdo / prepared statements to prevent sql-injections, even more so if you want to insert the password from user input.

thank you very much. you were right I was accidentally using the connection password. well done thanx again — sareeye, Jun 25 '11 at 17:14

sha('$password') return with empty set

3 Answers3