Hi,
I am using sha1 for a registration form like this:
if($_POST['pass1']==$_POST['pass2']){
$password = sha1(mysqli_real_escape_string($connection, $_POST['pass1']));
}
// This inserts an encrypted row in the DB, and works fine
When i want to log in, well I cant login..This is the script:
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = sha1(mysqli_real_escape_string($connection, $_POST['password']));
$sql=("SELECT id, email, username FROM users WHERE email='$email' AND pass='$password' LIMIT 1");
$result=mysqli_query($connection, $sql);
$found_user = mysqli_fetch_array($result);
// Mysql_num_row tæller rækkerne
$count=mysqli_num_rows($result);
// HVIS $result matchede $email $password, table row must be 1 row
if($count==1){
// Register $email, $password and redirect to file "../index.php"
session_regenerate_id['id']; // IS THIS CORRECT?
$_SESSION['username'] = $found_user['username'];
$_SESSION['id'] = $found_user['id'];
header("location:../index.php");
exit();
}
}
I thought i could tjeck the user input in the login form, and then sha1 the password, and check it against the registered sha1 password, that lies in the DB. But It doesn log me in.
If I remove the sha1, I can log in without any problem. So the problem lies in my way of comparing/retrieving the value from the login form, and make it "sha1-looking", and then test it.
What am I missing...?
Not working in login script:
// Beskyt imod mysql injection OG lav sha1 encryption på password
$email = mysqli_real_escape_string($connection, $_POST['email']);
$password = sha1(mysqli_real_escape_string($connection, $_POST['password']));
$sql=("SELECT id, email, username FROM users WHERE email='$email' AND pass='$password' LIMIT 1");