User Authentication (Using sha1)_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-01-16 13:56 出处：网络

I am creating a login form. I am learning how to use SHA-1 to encrypt passwords. I used SHA-1 to 开发者_JS百科encrypt the password that the user created during registration. In the database I inputted pretend username and password data, to have something to work with. I'm having problems getting my login form to work.

// Database Connection

$con = getConnection();

$sqlQuery = mysql_query("SELECT count(*) from Customers
                         WHERE Email = '$email' and Password = sha1('$passLogin')") 

// Executing query
$result = $con->mysql_result($sqlQuery, "0");

if ($result == 0) {
    echo "Can not login, try again.";
} else {
    echo "Login Good!";
}

I am learning how to use sha1 to encrypt passwords.

... use sha1 to hash passwords. Hashing is different from encryption. Encryption is reversible, hashing isn't. (or shouldn't be). Now, ...

You have to make sure the passwords in the database are hashed.
Usually you do the hashing on the PHP side.
You should use salting to make rainbow table attacks unfeasible. Read Just Hashing is Far from Enough for Storing Password

That said, I would do the authentication part like this:

$hashedAndSalted = sha1($passLogin . $yourSalt);

$sqlQuery = mysql_query("SELECT Email FROM Customers WHERE Email = '$email' AND Password = '$hashedAndSalted'");

if (mysql_num_rows($sqlQuery) == 1) {
    echo 'Login successful';
} else  {
    echo 'Could not login';
}

Replace your query with this:

$sqlQuery = mysql_query("SELECT count(*) from Customers
                WHERE Email = '".$email."' and Password = '".sha1($passLogin)."'");

Remember to always concatenate strings and variables manually, don't rely on PHP to do it for you. Also, you forgot the semicolon ; after that line. Every line must be appended with a semicolon in PHP.

On a separate note if you have not sanitized your form inputs you are wide open for SQL injection.

If user enters the following for Email field: