Password protection area

wazzaday · July 9, 2011, 2:48pm

i am trying to protect my admin area via a password.

how can i test against the password stores on the mySQL database. the password on the database’s function is set to sha1.

here is my code:


$query = "SELECT * FROM text WHERE Name='pass'";
$result = mysql_query($query);

while($row = mysql_fetch_array($result))
{
  $pass = $row['Text'];
}
$password = $_POST['pass'];
if ($password == $pass)
{
	echo "correct";
}else{
	echo "no";
}

AnthonySterling · July 9, 2011, 3:02pm


<?php
$res = mysql_query(sprintf(
  "SELECT Name FROM text WHERE Name = '%s' LIMIT 1;",
  mysql_real_escape_string(sha1($_POST['pass']))
));

if(1 === mysql_num_rows($res)){
  echo 'yes';
}else{
  echo 'no';
}

wazzaday · July 9, 2011, 3:17pm

thanks for the reply, sorry to be a noob but could u explain this code please

kaamaru · July 9, 2011, 8:39pm

Are you saying that the password is stored in the database as a sha1 hash?
If so, try this:

$query = "SELECT * FROM text WHERE Name='pass'"; 
$result = mysql_query($query); 

while($row = mysql_fetch_assoc($result))
    $pass = $row['Text']; 

if (sha1($_POST['pass']) == $pass)
    echo "correct"; 
else
    echo "no";

I Added sha1() to your $_POST[‘pass’] which will convert it into a sha1 hash.
I changed mysql_fetch_array() to mysql_fetch_assoc() as you seem to be using an associative array.
Cleaned up the code a bit.

If you have a lot of admins, I advise that you match the passwords in the query rather than fetching all the passwords from the database and then matching. It will save memory and CPU.