  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 262

some passwords cause query to return results, but some do not

some passwords are sha1 other passwords are plain text
do not want to convert the plain text passwords because we want to see some passwords (I know it could be a security risk)

SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or pass=SHA1('stravinsky1')))

but this does not work for
sha1(stravinsky1)
fc9bc17eea70a9c148869aca6414ddc4dc29e193

but when we convert password to sha1

SELECT * FROM users WHERE (email='email' AND (pass='fc9bc17eea70a9c148869aca6414ddc4dc29e193' or pass=SHA1('fc9bc17eea70a9c148869aca6414ddc4dc29e193')))
 no results returned (so user can not log in)


select sha1('12345')
8cb2237d0679ca88db6464eac60da96345513964

SELECT * FROM users WHERE (email='email2' AND (pass='8cb2237d0679ca88db6464eac60da96345513964' or pass=SHA1('8cb2237d0679ca88db6464eac60da96345513964')))

this query returns results

so password 12345 can be plain text or converted to sha1 and still work

so some passwords work using this query, others do not

Asked by: rgb192

Robert Saylor, Senior Developer, commented:
I assume you are using php?

Why not use MD5 to encrypt it to the database then let php change it from cleartext to MD5 then compare apples to apples at MySQL?

Jagadishwor Dulal, Braces Media, commented:
Try applying SHA1 to the field name, like:

SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or SHA1(pass)='stravinsky1'))

Ray Paseur commented:
Please post a few rows of test data showing both the clear-text password and the SHA1 password.  Please tell us how you encoded the SHA1 fields -- was it done in PHP or in SQL?

rgb192 (author) commented:
password can be plaintext or hidden now

thanks
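
Added example, not part of the thread: the question's `pass=? OR pass=SHA1(?)` comparison, reproduced against an in-memory SQLite table, accepts the stored SHA1 string itself as the password (as the `email2` query in the question shows), while a check driven by a per-row format marker does not. The rows, the e-mail addresses, the `pass_format` column and the function names are constructed for illustration, and SQLite with a registered `SHA1` function stands in for MySQL.

```python
import hashlib
import hmac
import sqlite3


def sha1_hex(text):
    """Lowercase hex SHA1 digest, the same form MySQL's SHA1() returns."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def make_db():
    # Constructed sample rows; pass_format is a hypothetical column.
    db = sqlite3.connect(":memory:")
    db.create_function("SHA1", 1, sha1_hex)
    db.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT, pass_format TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("plain@example.test", "12345", "plain"),
            ("hashed@example.test", sha1_hex("12345"), "sha1"),
        ],
    )
    return db


def login_mixed(db, email, password):
    """The question's query shape, with bound parameters instead of literals."""
    row = db.execute(
        "SELECT 1 FROM users WHERE (email=? AND (pass=? OR pass=SHA1(?)))",
        (email, password, password),
    ).fetchone()
    return row is not None


def login_by_format(db, email, password):
    """Compare only in the form the row is recorded as using."""
    row = db.execute(
        "SELECT pass, pass_format FROM users WHERE email=?", (email,)
    ).fetchone()
    if row is None:
        return False
    stored, fmt = row
    candidate = sha1_hex(password) if fmt == "sha1" else password
    # Constant-time comparison of the stored value and the candidate.
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
```

With the mixed query, anyone who can read a hashed row's `pass` value can log in with it directly, so the SHA1 rows get no protection beyond the plain-text ones.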