matthewbonline — 2011-05-24T06:40:41-04:00 — #1
I have been using the code from the login page example at: Create Login Admin & Logout Page in PHP w/ SESSION n MySQL | InTechgrity
This is working fine, apart from the password checking bit. It uses the code:
$sql="SELECT * FROM login_admin WHERE user_name='$myusername' and user_pass=SHA('$mypassword')";
The code SHA('$mypassword')"; looks like it does something 'fancy' making the site more secure. But I cannot get the code to work with SHA. I can get it working without (by using user_pass='$mypassword'";)
What is SHA supposed to do and how can I get it working?
immerse — 2011-05-24T06:44:33-04:00 — #2
SHA is a Secure Hashing Algorithm.
It makes the password unreadable, and even if you know the SHA1, you cannot find the password (i.e. it's a one-way street).
If you look in your database, what do the passwords look like? 'password' or 'test123'? Or long strings consisting of 40 characters?
guido2004 — 2011-05-24T06:55:32-04:00 — #3
What does that mean? Do you get an error?
matthewbonline — 2011-05-24T07:06:02-04:00 — #4
I have just tried the code again with user_pass= SHA('$mypassword')"
and it is now working. But I still do not understand what it does!?
What does it do? If I do not use it will it make much difference?!
guido2004 — 2011-05-24T07:09:52-04:00 — #5
scallioxtx — 2011-05-24T07:11:23-04:00 — #6
michael_morris1 — 2011-05-24T09:02:26-04:00 — #7
For more information on the theory of hashes in general there's this wiki article.
Note that the reason site admins use hashes instead of reversible encryption most of the time is for personal liability. Users tend to use passwords over and over - unfortunately this means they might use the same password at your site as they use at their bank! By hashing the password, especially by hashing and salting it, you destroy the original password information so if someone does compromise your database the liability is minimal.