[SOLVED] having trouble querying sha1 passwords from database in where clause


cluce


I am having trouble matching the username and password that are in the database.

 

On my first page I am using this query to log in:

 

//trims and strips tags and escapes fields
$checkuser = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['username'])));
$_SESSION['password'] = $checkpassword = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));

//create and issue the query
$sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$checkpassword.STR_PWSALT') LIMIT 1";
$result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));

 

and on every other page I am including an authentication page with the following:

 


//authenticate employee
$val = "SELECT username, password FROM employees WHERE username = '" . $_SESSION['validate']."' AND password = '".sha1($_SESSION['password'].STR_PWSALT)."'";
$auth = mysqli_query($mysqli,$val)  or die(header("Location: error.html"));
if (mysqli_num_rows($auth) != 1) {
    $_SESSION['authenticate'] = "<font color='red'>You must be logged in</font>";
    mysqli_close($mysqli);
    header ("Location: employee_resource.php5");
    exit();
}
echo($val);

 

 

The problem I am having is that this "AND password = '".sha1($_SESSION['password'].STR_PWSALT)."'";   is not matching the password that's in the database. I would think it would be the same as the query used on my first page to log in, but it's not, because it redirects me to the login every time. Also, when I echo($val) the query, the hashed password is different from what I see in the database. Can someone tell me why it's not matching up with my first query's password?

 

I am able to log in without the authentication page. I am just using it for added security.

Not a very good idea to hold passwords in the session. Why not, after the person is authenticated, just set a value:

 

$_SESSION['auth'] = 1;

 

Now just check to see if the value is set and has a value of 1:

if(isset($_SESSION['auth']) && $_SESSION['auth'] == 1){
// run code

} else {
// redirect to login page
header('Location:login.php');
exit(); // stop here so the protected code above never runs after the redirect header
}

 

Ray

Your . may not be getting evaluated.  Try this and see if it works.

<?php
$p = mysqli_real_escape_string($mysqli,trim(strip_tags($_POST['password'])));
$p = $p . STR_PWSALT;   // concatenate the constant in PHP, not inside the SQL string

// use $p (password plus salt) in the query instead of "$checkpassword.STR_PWSALT"
$sql = "SELECT username, f_name, l_name, password FROM employees WHERE username = '$checkuser' AND password = sha1('$p') LIMIT 1";
$result = @mysqli_query($mysqli, $sql) or die(header("Location: error.html"));

?>
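The original question and the reply above turn on the same PHP detail: inside a double-quoted string, $checkpassword.STR_PWSALT interpolates the variable but not the constant, so MySQL's SHA1() on the login page receives the literal text ".STR_PWSALT" appended to the password, while the authentication include concatenates the constant's real value and hashes a different input. The block below is an added example and is not code from the thread. The value given to STR_PWSALT is made up, the password is a constructed sample, and findEmployee() is a hypothetical rewrite of the login query that computes the hash in PHP and binds it with a prepared statement.

```php
<?php
// Added example, not from the original post. STR_PWSALT is assumed to be a
// constant defined elsewhere in the application; the value here is made up.
define('STR_PWSALT', 's3cr3t-salt');

// Constructed sample input standing in for the trimmed, escaped $_POST value.
$checkpassword = 'hunter2';

// What the login page's query text actually contains. PHP interpolates the
// variable inside a double-quoted string but leaves a constant name alone, so
// the characters ".STR_PWSALT" are appended to the password verbatim.
$loginFragment = "sha1('$checkpassword.STR_PWSALT')";
echo $loginFragment, "\n";   // sha1('hunter2.STR_PWSALT')

// So MySQL's SHA1() hashes this string on the login page, which is why that
// query still matches whatever was stored the same way:
$hashComputedByLogin = sha1($checkpassword . '.STR_PWSALT');

// The authentication include concatenates the real constant, a different
// input, so its hash never equals the one the login page produces.
$hashOnAuthPage = sha1($checkpassword . STR_PWSALT);

echo $hashComputedByLogin, "\n", $hashOnAuthPage, "\n";
var_dump($hashComputedByLogin === $hashOnAuthPage);   // bool(false)

// Hypothetical fix for the login query: compute the hash in PHP exactly as the
// include does, and bind both values instead of interpolating them into SQL.
// The stored hash is compared inside the database and is not selected back.
function findEmployee(mysqli $db, string $username, string $password): ?array
{
    $hash = sha1($password . STR_PWSALT);
    $stmt = $db->prepare(
        'SELECT username, f_name, l_name FROM employees WHERE username = ? AND password = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    return $row ?: null;
}
```

Two caveats worth knowing before copying the pattern: a single SHA-1 over password plus one application-wide salt is fast to brute-force and gives every account the same salt, so PHP's own password_hash() and password_verify() are the better choice for new code; and echoing $val on the protected pages prints the query, including the hash, to whoever loads the page, so that debug line should not survive into production.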


Thanks. I will do this.


I am able to log in. It's the authentication code that checks for a valid logged-in user on all my other pages that wasn't working.


I ran into another problem.  The username and password are both the primary key, because the username alone can have duplicates.  So this will not work. I have to set 2 sessions to use across my web application to identify and authenticate a user.  I might be able to use another field besides the password to set as a session to match up in the where clause wherever needed.

Well, that's a stupid idea. Use the ID of the user too if you really need to have duplicated usernames.
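Ray's suggestion, the original poster's worry about duplicate usernames, and the reply above all point to one design: after a successful login, keep the employee's unique id (never the password) in the session, and have the include on every other page look the user up by that id. The block below is an added example, not code from the thread. It stands in for the employees table with a constructed in-memory array, takes the session array as a parameter so it runs from the command line, assumes an id column exists as the last reply suggests, and uses PHP's password_hash()/password_verify() in place of sha1(password . salt).

```php
<?php
// Added example, not code from the thread. The employees "table" is a constructed
// in-memory array; in the real application it is the mysqli query result.
function sampleEmployees(): array
{
    // Two employees sharing a username, as in the original poster's schema,
    // told apart by the (assumed) unique id column.
    return [
        ['id' => 7,  'username' => 'jsmith', 'f_name' => 'Jane', 'l_name' => 'Smith',
         'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
        ['id' => 12, 'username' => 'jsmith', 'f_name' => 'John', 'l_name' => 'Smith',
         'password' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// Login page: find the one row where username AND password both match, then keep
// only the id and a flag in the session. Returns the id, or null on failure.
function login(array $employees, string $username, string $password, array &$session): ?int
{
    foreach ($employees as $row) {
        if ($row['username'] === $username && password_verify($password, $row['password'])) {
            // Fresh session id after a privilege change (session fixation defence);
            // only applies when a real session is running, so guarded for CLI use.
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);
            }
            // Replace rather than merge, so nothing from the anonymous session survives.
            $session = ['auth' => 1, 'user_id' => $row['id']];
            return $row['id'];
        }
    }
    return null;   // no match: same answer whether the username or the password was wrong
}

// The include for every other page: no password in the session and no second
// query against the password column; the unique id identifies the employee.
function currentEmployee(array $employees, array $session): ?array
{
    if (!isset($session['auth'], $session['user_id']) || $session['auth'] !== 1) {
        return null;
    }
    foreach ($employees as $row) {
        if ($row['id'] === $session['user_id']) {
            return $row;
        }
    }
    return null;   // account removed since login: treat as logged out
}

// Command-line demonstration with the constructed data.
$employees = sampleEmployees();

$session = [];
var_dump(login($employees, 'jsmith', 'battery staple', $session));   // int(12)
var_dump(currentEmployee($employees, $session)['f_name']);          // string(4) "John"

$session = [];
var_dump(login($employees, 'jsmith', 'wrong password', $session));   // NULL
var_dump(currentEmployee($employees, $session));                    // NULL

// In the real include, after session_start():
//   $me = currentEmployee($employees, $_SESSION);
//   if ($me === null) { header('Location: employee_resource.php5'); exit(); }
```

With the id in the session there is nothing for the other pages to re-hash, so the mismatch the thread started with cannot recur, and the session holds no secret worth stealing beyond the session id itself.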

Archived

This topic is now archived and is closed to further replies.
