无法使用 sha1 散列密码登录

Question

I have used sha1 to hash a password upon registration, here's a snippet of code from that:

$password = sha1 ($_POST['password']);

    $query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";

And here is my code at the login form:

$email = $_POST['email'];
$password = sha1($_POST['pass']);

$query = mysql_query ("SELECT * FROM admin WHERE email = '$_POST[email]' AND password = $password  ");

This wont allow me to log in still, my 'invalid login credentials' is the only result from trying to log in.

Answer 1

You need to hash the input password before select

$email = $_POST['email'];
$password = md5($_POST['pass']);

$query = mysql_query ("SELECT * FROM admin WHERE email = '$_POST[email]' AND password = '$password'");

Answer 2

Just hash the password before you compare it with the password in the database.

$email = mysql_real_escape_string($_POST['email']);
$password = md5($_POST['pass']);

$query = mysql_query ("SELECT * FROM admin WHERE email = '$email' AND password = '$password'");

..and don't forget to escape your input!

And instead of md5 you should think about using password_hash and password_verify , because md5 isn't secure any more.

Answer 3

Juste hash before request.

$email = $_POST['email'];
$password = md5($_POST['pass']);

$query = mysql_query ("SELECT * FROM admin WHERE email = '$_POST[email]' AND password = '$_POST[pass]'  ");

And an advice : you should add a salt at register like :

$password = md5 ($_POST['password'].'mysalt123465');

$query = "INSERT INTO admin (forename,surname,email,securityq, securitya,password) VALUES ('$forename','$surname','$email','$securityq','$securitya','$password')";

So its harder to crack the pass with brute force.

And sha1 is better than md5 for security.

Answer 4

Hash your password using md5() function before comparing.

Replace following line:

$password = $_POST['pass'];

With:

$password = md5($_POST['pass']);

This should resolve your issue. Bdw I would like to suggest you to use phpass library.

Answer 5

对于密码，请使用password_hash()因为md5(), sha1(), sha256()被认为是弱盐并且很容易被破解