Sha1 not working for validation
#1

[eluser]USCTrojans[/eluser]
Hello, I keep running into problems getting acquainted with CodeIgniter and this forum has been great. I appreciate the help.

For some reason sha1 security is not working properly for me while I try to validate information to log users in. I have a login controller and a creation controller, but for some reason when I use sha1 the login controller will not validate. However, when I use md5 it works perfectly.

Here's my login model:
Code:
<?php

class Login_model extends CI_Model {

  function __construct()
  {
    parent::__construct();
    $this->load->library('encrypt');
  }

  // Returns the matching user row as an array, or FALSE when nothing matches.
  function validate()
  {
    $this->db->where('email_address', $this->input->post('email_address'));
    // Must be the same hash function that was used when the row was created.
    $this->db->where('password', md5($this->input->post('password')));
    $validated_login_credentials = $this->db->get('user_credentials');
    if ($validated_login_credentials->num_rows() == 1)
    {
      return $validated_login_credentials->row_array();
    }
    return FALSE;
  }
}

And here's my profile creation controller:

Code:
<?php

class Create_profile_model extends CI_Model
{

  function __construct()
  {
    parent::__construct();
    $this->load->library('encrypt');
  }

  // Inserts a new user; returns FALSE when the e-mail address is already registered.
  function validate_creation()
  {
    $new_user_credentials = array(
      'first_name' => $this->input->post('create_first_name'),
      'last_name' => $this->input->post('create_last_name'),
      'email_address' => $this->input->post('create_email_address'),
      // Must be the same hash function the login model uses for its lookup.
      'password' => md5($this->input->post('create_password')),
    );

    $this->db->where('email_address', $this->input->post('create_email_address'));
    $validated_creation_credentials = $this->db->get('user_credentials');
    if ($validated_creation_credentials->num_rows() !== 0)
    {
      return false;
    }
    else
    {
      $insert = $this->db->insert('user_credentials', $new_user_credentials);
      return $insert;
    }
  }
}

?>

This works great right now, but if I go and replace the sha1 it kills the login. The create user controller works fine... any ideas what may be going on? I have a 32 character encryption key set in config.php.

Thanks
#2

[eluser]Jason Stanley[/eluser]
You realise that md5 and sha1 are two completely different hashes, right? The user passwords are hashed with md5.

md5($password) != sha1($password)

You are going to need to add a 'hash_type' field to your user table. New users and users resetting their passwords should use sha1 or whatever. Old users should use md5. This would allow you to use the correct hashing algorithm on the correct password.
#3

[eluser]USCTrojans[/eluser]
I don't have my site up yet; I'm still learning the framework. What I meant was that I had done that: I put SHA1 where the md5 is in each controller and it still did not work properly. For some reason, when I used sha1 in my login it added extra letters or something to the password and would not validate. I had echoed out the password with sha1 in the login and, upon comparing it to the same password's sha1 in MySQL, found that there were 4 characters added to the end.

Any help as to what is going on now would be greatly appreciated.
#4

[eluser]Philip Kavanagh[/eluser]
A quick solution:

Code:
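// Hash the password together with the encryption_key set in config.php.
public function prep_password($pw)
{
    return sha1($pw . $this->config->item('encryption_key'));
}

// TRUE when the hash of the submitted password equals the hash stored in the database.
public function compare_passwords($pw, $databasepw)
{
    return ($databasepw === $this->prep_password($pw)) ? TRUE : FALSE;
}

Check: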


Code:
if($this->compare_passwords($pw, $databasepw))
{
    //passwords match!
}
#5

[eluser]CroNiX[/eluser]
Well, if the passwords were originally stored in the db with md5 you won't be able to use sha1 to compare them until you remove the md5 hash and reinsert them with a sha1 hash of the original password instead.
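
Added example (not part of the original thread and not any poster's code): a plain-PHP version of the `hash_type` approach from post #2 that re-hashes on a successful login, which is the one moment the original password that post #5 says is needed is actually available. It goes beyond the thread by upgrading rows to PHP's `password_hash()` instead of sha1 and by rejecting stored digests of the wrong length. The function name `verify_login`, the row layout, and the idea that a too-narrow column explains the 4-character difference in post #3 are assumptions.

```php
<?php
// Added example, not code from the thread. verify_login() and the row layout
// are assumptions; 'hash_type' is the column suggested in post #2.

// Returns ['ok' => bool, 'rehash' => string|null, 'error' => string|null].
// When 'rehash' is set, store it and set hash_type to 'password_hash'.
function verify_login(array $row, $password)
{
    $hex_len = ['md5' => 32, 'sha1' => 40];   // hex digest lengths
    $type    = $row['hash_type'];
    $stored  = $row['password'];
    $result  = ['ok' => false, 'rehash' => null, 'error' => null];

    if ($type === 'password_hash') {          // row already upgraded
        $result['ok'] = password_verify($password, $stored);
        return $result;
    }
    if (!isset($hex_len[$type])) {
        $result['error'] = 'unknown hash_type';
        return $result;
    }
    // A stored value of the wrong length (for example cut short by a column
    // narrower than the digest) can never equal a freshly computed hash.
    if (strlen($stored) !== $hex_len[$type]) {
        $result['error'] = sprintf('stored %s hash is %d chars, expected %d',
            $type, strlen($stored), $hex_len[$type]);
        return $result;
    }
    // hash_equals() compares in constant time.
    $result['ok'] = hash_equals($stored, hash($type, $password));
    if ($result['ok']) {
        // The plaintext is only available at login, so upgrade the row now.
        $result['rehash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $result;
}

// Constructed sample rows; the third simulates a digest truncated to 36 chars.
$pw   = 'example-password';
$rows = [
    ['hash_type' => 'md5',  'password' => md5($pw)],
    ['hash_type' => 'sha1', 'password' => sha1($pw)],
    ['hash_type' => 'sha1', 'password' => substr(sha1($pw), 0, 36)],
];
foreach ($rows as $row) {
    $r = verify_login($row, $pw);
    printf("%-4s ok=%s rehash=%s error=%s\n", $row['hash_type'],
        var_export($r['ok'], true), $r['rehash'] ? 'yes' : 'no', $r['error'] ?: '-');
}
```

Whatever is written back must fit the `password` column; the PHP manual recommends 255 characters for `password_hash()` output.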



