<?require_once('../dbconfig.inc');require_once('../dbconnect.inc');define(

1. <?
2. require_once('../dbconfig.inc');
3. require_once('../dbconnect.inc');
4. define('SALT_LENGTH', 9);
5.  
6. function generateHash($plainText, $salt = null)
7. {
8.     if ($salt === null)
9.     {
10.         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
11.     }
12.     else
13.     {
14.         $salt = substr($salt, 0, SALT_LENGTH);
15.     }
16.     return $salt . sha1($salt . $plainText);
17. }
18.  
19. //username and password from form (in plain text)
20. $myusername = $_POST['myusername'];
21. $mypassword = $_POST['mypassword'];
22.  
23. //hash password with salt+sha-1 (first nine chars of the string = salt)
24. $result = mysql_query("SELECT * FROM members WHERE username = '$myusername'");
25. while ($row = mysql_fetch_array($result))
26. {
27.    $password = $row['password'];
28.    $salt = substr($password, 0, SALT_LENGTH);
29.    $encrypted_password = generateHash($mypassword, $salt);
30. }
31.  
32. //protect from mysql injections
33. $myusername = stripslashes($myusername);
34. $myusername = mysql_real_escape_string($myusername);
35.  
36. $mypassword = stripslashes($encrypted_password);
37. $mypassword = mysql_real_escape_string($encrypted_password);
38.  
39. //compare username and password with db-entry
40. $sql = "SELECT * FROM $table WHERE username = '$myusername' AND password = '$mypassword'";
41. $result = mysql_query($sql);
42.  
43. $count = mysql_num_rows($result);
44.  
45. if ($count == 1)
46.     //login ok
47. else
48.     //login failed
49.  
50. ?>