
I'm making a registration/login for an Android app. I want to implement a SHA1 hash (I know it's outdated) with a salt. The registration part is easy; it gets stored in the database like it should. But the login doesn't match the stored password.

Here is my PHP Code first

Registration

```php
<?php
require "init.php";   // sets up the $con mysqli connection

if (isset($_POST["user_mail"]) && isset($_POST["user_name"]) &&
    isset($_POST["user_pass"])) {
    $user_mail = $_POST["user_mail"];
    $user_name = $_POST["user_name"];
    $salt      = "2498j4f80249tj24tm8igj483";
    // Append the fixed salt, then hash it (sha1() returns a 40-character hex string)
    $user_pass = $_POST["user_pass"] . $salt;
    $user_pass = sha1($user_pass);

    $sql_query = "insert into user_info
                  values('$user_mail','$user_name','$user_pass');";

    if (mysqli_query($con, $sql_query)) {
        echo "<h3>Insertion success</h3>";
    } else {
        // no error handling on failure
    }
}
?>
```

Login

```php
<?php
require "init.php";   // sets up the $con mysqli connection

$user_mail = $_POST["user_mail"];
$salt      = "2498j4f80249tj24tm8igj483";
// Same salt and hash as at registration, so the two values should be identical
$user_pass = $_POST["user_pass"] . $salt;
$user_pass = sha1($user_pass);

$sql_query = "select user_name from user_info where user_mail
              like'$user_mail'
              and user_pass like'$user_pass';";

$result = mysqli_query($con, $sql_query);

if (mysqli_num_rows($result) > 0) {
    $row = mysqli_fetch_assoc($result);
    echo "Login success";
} else {
    echo "Login failed...Try Again";
}
?>
```

The login always fails. If you need my Android code, I'll post it. It's an AsyncTask with HttpURLConnection, BufferedReader, etc.

I appreciate your help. Have a nice day

  • You're already using an API that supports **prepared statements** with bound variable input; you should use parameterized queries with placeholders (prepared statements) to protect your database against [SQL-injection](http://stackoverflow.com/q/60174/)! Get started with [`mysqli::prepare()`](http://php.net/mysqli.prepare) and [`mysqli_stmt::bind_param()`](http://php.net/mysqli-stmt.bind-param). – Qirel Jul 06 '17 at 09:36
  • Using old methods of hashing passwords (such as `sha1`, `md5`) is **very bad security** - you should use newer methods for hashing your passwords. PHP has a built-in [`password_hash()`](http://php.net/manual/en/function.password-hash.php) function which is a lot more secure! – Qirel Jul 06 '17 at 09:36
    Shouldn't there be a space between `like'$user_mail'`? And you should enable error-reporting by adding `error_reporting(E_ALL); ini_set('display_errors', 1);` at the top of your file(s), directly after ` – Qirel Jul 06 '17 at 09:37
  • ___While not condoning the use of `sha1`___, something to check, as you are doing no error checking: maybe the column you are storing the hashed password in is not big enough to hold a `sha1` hash, and therefore the hash is getting shortened in the INSERT and therefore never matches in the SELECT. – RiggsFolly Jul 06 '17 at 09:40
  • @JayminsFakeAccount — `md5()` is worse than `sha1()`. – Quentin Jul 06 '17 at 15:26
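The two fixes the comments ask for (prepared statements and `password_hash()`/`password_verify()` instead of a fixed-salt `sha1`), written out as an added example that is not the asker's code. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; on MySQL the same prepared-statement code works with a `mysql:` DSN instead of `sqlite::memory:`. The table layout, the `open_db`/`register_user`/`login_user`/`truncated_hash_matches` function names and the sample user are assumptions for the demonstration. The last function illustrates RiggsFolly's point about a too-narrow column: a `sha1()` hex digest is 40 characters, and a stored value cut to 32 characters can never equal the full digest computed at login.

```php
<?php
// Added example (not the asker's code): registration/login with password_hash()
// and prepared statements. PDO + in-memory SQLite is an assumption made so the
// script runs offline; on MySQL use new PDO('mysql:host=...;dbname=...', $user, $pw).
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors
    // Column names follow the insert order in the question (assumed table layout).
    // password_hash() output is 60 chars for bcrypt today; 255 leaves headroom.
    $db->exec('CREATE TABLE user_info (
        user_mail TEXT PRIMARY KEY,
        user_name TEXT NOT NULL,
        user_pass VARCHAR(255) NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $mail, string $name, string $plain): void {
    // password_hash() generates a random per-user salt and stores it inside the
    // result, so no application-wide salt constant is needed.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO user_info (user_mail, user_name, user_pass) VALUES (?, ?, ?)');
    $stmt->execute([$mail, $name, $hash]);   // values are bound, never interpolated
}

function login_user(PDO $db, string $mail, string $plain): ?string {
    // Look the row up by e-mail only; the hash is checked in PHP, not in the WHERE clause.
    $stmt = $db->prepare('SELECT user_name, user_pass FROM user_info WHERE user_mail = ?');
    $stmt->execute([$mail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // unknown address
    }
    // password_verify() reads the salt/cost from the stored hash and compares safely.
    return password_verify($plain, $row['user_pass']) ? $row['user_name'] : null;
}

// Diagnostic for the original fixed-salt sha1 scheme: sha1() returns 40 hex chars.
// If the column were CHAR(32)/VARCHAR(32), a non-strict MySQL would keep only the
// first 32 on INSERT, and the SELECT comparison against the full digest never matches.
function truncated_hash_matches(string $plain, string $salt, int $column_width): bool {
    $full   = sha1($plain . $salt);
    $stored = substr($full, 0, $column_width); // what a too-narrow column would keep
    return hash_equals($stored, $full);
}

// Constructed sample run
$db = open_db();
register_user($db, 'alice@example.com', 'alice', 'correct horse battery staple');
var_dump(login_user($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(login_user($db, 'alice@example.com', 'wrong password'));
var_dump(truncated_hash_matches('secret', '2498j4f80249tj24tm8igj483', 40));
var_dump(truncated_hash_matches('secret', '2498j4f80249tj24tm8igj483', 32));
```

Two design points worth noting against the original code: the login no longer puts the hash in the `WHERE` clause, because `password_hash()` produces a different string every time (random salt), so the only correct check is `password_verify()` on the row fetched by e-mail; and with placeholders the `like'$user_mail'` spacing question disappears along with the injection risk, since the user-supplied values are never spliced into the SQL text.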
