Login coding not working

watson100

Hello,

I am wanting to encrypt my password that is submitted in the login form with sha512 and salt, is this correct as at the moment when i enter the incorrect information and submit it just loads a blank page which I'm assuming there is something wrong with my code.

<?php
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['email']) || empty($_POST['password'])) {
$error = "Email or Password is invalid";
}
else
{
// Define $email and $password
$username=$_POST['email'];
$password=$_POST['password'];
$salt = "/GTyod58&aw|+fjv93%~\RFewo23fhe^";
$encryptpass=sha512($salt.$password);
// To protect MySQL injection for Security purpose
$email = stripslashes($email);
$password = stripslashes($password);
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password);
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "user", "pass");
// Selecting Database
$db = mysql_select_db("database", $connection);
// SQL query to fetch information of registerd users and finds user match.
$query = mysql_query("select * from adminlogin where password='$encryptpass' AND email='$email'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
$_SESSION['email']=$email; // Initializing Session
header("location: test.com/profile.php"); // Redirecting To Other Page
} else {
$error = "Email or Password is invalid";
}
mysql_close($connection); // Closing Connection
}
}
?>

laserlight

For starters, you need to format your code properly to make it readable, e.g.,

<?php
session_start(); // Starting Session

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
    if (empty($_POST['email']) || empty($_POST['password'])) {
        $error = "Email or Password is invalid";
    }
    else
    {
        // Define $email and $password
        $username=$_POST['email'];
        $password=$_POST['password'];
        $salt = "/GTyod58&aw|+fjv93%~\RFewo23fhe^";
        $encryptpass=sha512($salt.$password);

    // To protect MySQL injection for Security purpose
    $email = stripslashes($email);
    $password = stripslashes($password);
    $email = mysql_real_escape_string($email);
    $password = mysql_real_escape_string($password);

    // Establishing Connection with Server by passing server_name, user_id and password as a parameter
    $connection = mysql_connect("localhost", "user", "pass");
    // Selecting Database
    $db = mysql_select_db("database", $connection);

    // SQL query to fetch information of registerd users and finds user match.
    $query = mysql_query("select * from adminlogin where password='$encryptpass' AND email='$email'", $connection);
    $rows = mysql_num_rows($query);
    if ($rows == 1) {
        $_SESSION['email']=$email; // Initializing Session
        header("location: test.com/profile.php"); // Redirecting To Other Page
    } else {
        $error = "Email or Password is invalid";
    }
    mysql_close($connection); // Closing Connection
}
}
?>

A few things to note:

Use the [man]password[/man] API instead of directly using sha512. Note that by default it uses bcrypt rather than SHA-512, and indeed bcrypt is specifically intended for hashing passwords.
The salt for password hashing should be user specific. It is okay to have shared additional salt, but that's not enough. Using the password API will handle the user specific salt for you.
magic_quotes_gpc should no longer be on by default, so stripslashes is likely to be unnecessary. But if you do want to use it, then you should only conditionally use it after checking with get_magic_quotes_gpc(), otherwise you risk data corruption.
The legacy MySQL extension should no longer be used. Use the [man]MySQLi[/man] extension instead, along with prepared statements.
Once a user specific salt is involved, you can no longer use your current select query. Rather, you would be selecting the user with the given email, then using the password API to verify the password entered with the password hash retrieved.
When sending the location header, use the absolute URL and then call exit immediately afterwards.
You might want to actually print $error if there is an error. This could explain your blank page problem.