RalphLeMouf

besides the mix-up of caps. does anyone know if this is close or should I try a different method all together?

Good eye, thanks. The $_POST syntax is password and in the db it's Password for example. I still can't sign in

Hi, I am limbo with this one. What I have makes sense to me, but I know I'm missing something or doing something wrong I have been able to hash passwords with salt by new people registering to my site by doing this: if(!$error) { $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890"; $rand = str_shuffle($alpha); $salt = substr($rand,0,40); $hashed_password = sha1($salt . $_POST['password']); $query = "INSERT INTO `cysticUsers` ( `FirstName`, `LastName`, `Email`, `Password`, `salt`, `RelationshipToCF`, `State`, `Gender`, `Birthday`, `Status` )VALUES( '" . mysql_real_escape_string($_POST['firstName']) . "', '" . mysql_real_escape_string($_POST['lastName']) . "', '" . mysql_real_escape_string($_POST['email']) . "', '" . $hashed_password . "', '" . $salt . "', '" . mysql_real_escape_string($_POST['RelationToCF']) . "', '" . mysql_real_escape_string($_POST['State']) . "', '" . mysql_real_escape_string($_POST['sex']) . "', '" . mysql_real_escape_string($_POST['DateOfBirth_Year'] . "-" . $_POST['DateOfBirth_Month'] . "-" . $_POST['DateOfBirth_Day']) . "', 'pending' )"; mysql_query($query, $connection); I have been able to to update EXISTING users passwords by doing this: $query = "SELECT * FROM `cysticUsers`"; $request = mysql_query($query,$connection); while($result = mysql_fetch_array($request)) { $alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcedfghijklmnopqrstuvwxyz1234567890"; $rand = str_shuffle($alpha); $salt = substr($rand,0,40); $hashed_password = sha1($salt . $result['Password']); $user = $result['id']; $query2 = "UPDATE `cysticUsers` SET `salt` = '$salt' WHERE `id` = '$user'"; $request2 = mysql_query($query2,$connection) or die(mysql_error()); $query3 = "UPDATE `cysticUsers` SET `encrypted_passwords` = '$hashed_password' WHERE `id` = '$user'"; $request3 = mysql_query($query3,$connection) or die(mysql_error()); } Now, I want to be able to SIGN BACK IN with the existing password and I am failing miserably by doing this: $query = "SELECT `salt`,`id`,`email`,`password` FROM `cysticUsers` WHERE `Email` = '" . $email . "' AND `Password` = '" . $password . "' && `Status` = 'active' LIMIT 1"; $request = mysql_query($query,$connection) or die(mysql_error()); $email = mysql_real_escape_string($_POST['email']); $password = mysql_real_escape_string($_POST['password']); if(@mysql_num_rows($request)) { $row = mysql_fetch_assoc($request); if (sha1($row['salt'] . $_POST['password']) === $row['Password']) { $_SESSION['CLIFE']['AUTH'] = true; $_SESSION['CLIFE']['ID'] = $result['id']; // UPDATE LAST ACTIVITY FOR USER $query = "UPDATE `cysticUsers` SET `LastActivity` = '" . date("Y-m-d") . " " . date("g:i:s") . "' WHERE `id` = '" . mysql_real_escape_string($_SESSION['CLIFE']['ID']) . "' LIMIT 1"; mysql_query($query,$connection); if(!empty($_POST['return'])) { header("Location: " . $_POST['return']); }else{ header("Location: CysticLife-Dashboard.php?id=" . $_SESSION['CLIFE']['ID']); } } }else{ $_SESSION['CLIFE']['AUTH'] = false; $_SESSION['CLIFE']['ID'] = false; } } I've been scouring resources and am stuck on this. I have a deadline to meet that I am behind on. Needless to say I'm pulling my hair out and some help with this would be GREATLY appreciated. Thank you in advance!