having an error invalid login or username after adding sh1 into my script

Question

i have made my own login authentication script into php, it's working fine when i use it without using "sh1"... and successfully uploaded username and password into my database, but i want to encrypt password into database due to security reason, now i'm using $hash_key=sha1($_POST['password']); into script, when i check into database it successfully encrypted see my pic..

But as i logged in, it's giving me an error

So, i decided to remove "sh1" and directly save my password into database once to check..

and it's working fine:

But using sha1 it's working and showing an error message invalid username and password..

Please help, what's wrong into my code??

Here is a code for insert.php

<?php
$con=mysqli_connect("localhost","root","Bhawanku","members");
// Check connection
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$hash_key=sha1($_POST['password']);
$sql="INSERT INTO admin
VALUES
('', '$_POST[username]','$hash_key')";

if (!mysqli_query($con,$sql))
{
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?> 

and here is a code for login.php

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{

// username and password sent from Form
$myusername=addslashes($_POST['username']);
$mypassword=addslashes($_POST['password']);

$sql="SELECT * FROM admin WHERE username='$myusername' AND passcode='.sha1[$mypassword]' ";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$active=$row['active'];
$count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1)
{
$_SESSION["myusername"];
$_SESSION['login_user']=$myusername;

header("location: welcome.php");
}
else
{
echo "Your Login Name or Password is invalid";
}
}
?>
<form action="" method="post">
    <label>UserName :</label>
    <input type="text" name="username"/><br />
    <label>Password :</label>
    <input type="password" name="password"/><br/>
    <input type="submit" value=" Submit "/><br />
</form>

Answer 1

This line in select query

passcode='.sha1[$mypassword]'

$sql="SELECT * FROM 
admin WHERE username='$myusername' 
AND passcode='.sha1[$mypassword]' ";

should be

$sql="SELECT * FROM 
admin WHERE username='$myusername' 
AND passcode='".sha1($mypassword)."'";

UPDATE

The problem appears to be while saving the password the field was set to varchar(30) sha1() will return string longer than that. so that needs to be increased. And the password needs to be re-inserted since old passwords will not work.

Now

$myusername=addslashes($_POST['username']);
$mypassword=addslashes($_POST['password']);

Should be replaced as

$myusername=mysql_real_escape_string(trim($_POST['username']));
$mypassword=mysql_real_escape_string(trim($_POST['password']));

The query is already mentioned above.

And if there are more that one user with the same username and password then the condition

if($count==1)

will fail

Answer 2

For password field you don't need to use addslashes()

$mypassword = sha1($_POST['password']);

$query = "SELECT * 
  FROM admin 
  WHERE username = '$myusername' AND passcode ='$mypassword'";
$rs = mysql_query($query);
if ($rs && mysql_num_rows($rs) > 0)
{
  // login ok
}
else {
  // login failed
}

Answer 3

Your query fromation has problem try below line and check

$sql="SELECT * FROM admin WHERE username='".$myusername."' AND passcode='".sha1[$mypassword]."'";