Issues with using SHA1 password encryption in PHP/mysql

Question

I have a simple script for user login. I have the passwords encrypted as SHA1 in mySQL database table (using charset utf8_unicode_ci).

When I run "$q" in the database with values it returns result all right. But through the script even after entering correct credentials, I am not able to login. Also, it is working fine if I remove the encryption at both places (script and database). Same problem occurs if I use MD5 instead.

I am not sure what I am missing at. I tried to echo the SHA1 output and it comes out to be different than the encrypted password visible in the database. I have checked for any extra spaces in my input as well. Please help me understand what is wrong. Let me know if you need anything else. Thanks in advance!

connection.php holds the login credentials to the database and the below line:

$dbc = mysqli_connect($servername, $username, $password, $dbname) or die("Connection failed: " . mysqli_connect_error());

Below is the login page : "login.php"

<?php 

#Start the session:
session_start();
include('../setup/connection.php'); 

if($_POST) {
    $q = "select * from users where email = '$_POST[email]' and password = SHA1('$_POST[password]');";
    $r = mysqli_query($dbc, $q);

    if (mysqli_num_rows($r) == 1) {
        $_SESSION['username'] = $_POST['email'];
        header('Location: index.php');
    }
    else {$msg="Username/Password incorrect. Please try again!";}
}
?>

<!DOCTYPE html>
<html lang="en">
  <head>

    <meta charset="utf-8">
    <title>Admin Login</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <?php include('config/css.php'); ?>
    <?php include('config/favicon.php'); ?>
    <?php include('config/js.php'); ?>
    <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/r29/html5.min.js"></script>
    <![endif]-->

  </head>

  <body>

    <!--NAVIGATION BAR-->
    <?php //include(D_TEMPLATE.'/navigation.php'); ?>
    <div class="container">


      <div class="col-lg-4 col-lg-offset-4">
        <div class="panel panel-info">
          <div class="panel-heading">
            <h1 class="lato fs20"><strong>Login</strong></h1>
          </div>
          <div class="panel-body">
            <?php echo $msg; ?>
            <form role="form" method="post" action="login.php">
              <div class="form-group">
                <label for="email">Email address</label>
                <input type="email" class="form-control" id="email" name="email" placeholder="Enter email">
              </div>
              <div class="form-group">
                <label for="password">Password</label>
                <input type="password" id="password" class="form-control" name="password">
              </div>

              <button type="submit" class="btn btn-default">Submit</button>
            </form>
          </div>
        </div>
      </div>
    </div>
  </body>

</html>

Answer 1

For the "$q" variable, you should use php sha1 function:

 $q = "select * from users where email = '$_POST[email]' and password = '" . sha1($_POST[password]) . "'";

But as Fred-ii said you really shoud (have to) protect your variables before. For example :

$_POST['email'] = mysqli_real_escape_string($_POST['email']);

It will protect your variable against SQL injection (https://php.net/manual/en/mysqli.real-escape-string.php)