Solved

some passwords cause query to return results, but some do not

Posted on 2013-06-12
4
213 Views
Last Modified: 2013-06-23
some passwords are sha1 other passwords are plain text
do not want to convert the plain text passwords because we want to see some passwords (I know it could be a security risk)

SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or pass=SHA1('stravinsky1')))

but this does not work for
sha1(stravinsky1)
fc9bc17eea70a9c148869aca6414ddc4dc29e193

but when we convert password to sha1

SELECT * FROM users WHERE (email='email' AND (pass='fc9bc17eea70a9c148869aca6414ddc4dc29e193' or pass=SHA1('fc9bc17eea70a9c148869aca6414ddc4dc29e193')))
 no results returned (so user can not log in)


select sha1('12345')
8cb2237d0679ca88db6464eac60da96345513964

SELECT * FROM users WHERE (email='email2' AND (pass='8cb2237d0679ca88db6464eac60da96345513964' or pass=SHA1('8cb2237d0679ca88db6464eac60da96345513964')))

this query returns results

so password 12345 can be plain text or converted to sha1 and still work

so some passwords work using this query, others do not
0
Comment
Question by:rgb192
4 Comments
 
LVL 7

Expert Comment

by:Robert Saylor
ID: 39240807
I assume you are using php?

Why not use MD5 to encrypt it to the database then let php change it from cleartext to MD5 then compare apples to apples at MySQL?
0
 
LVL 15

Accepted Solution

by:
Jagadishwor Dulal earned 500 total points
ID: 39240958
Try using sh1 to field name like:

SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or SHA1(pass)='stravinsky1'))

Open in new window

0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 39244717
Please post a few rows of test data showing both the clear-text password and the SHA1 password.  Please tell us how you encoded the SHA1 fields -- was it done in PHP or in SQL?
0
 

Author Closing Comment

by:rgb192
ID: 39270435
password can be plaintext or hidden now

thanks
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
MySQL left join performance 4 38
updating table data with inner join 9 36
sort in mysql based off of query param 4 24
Complex SQL statement in VB.NET 7 15
All XML, All the Time; More Fun MySQL Tidbits – Dynamically Generate XML via Stored Procedure in MySQL Extensible Markup Language (XML) and database systems, a marriage we are seeing more and more of.  So the topics of parsing and manipulating XM…
Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question