rgb192
asked on
some passwords cause query to return results, but some do not
some passwords are sha1 other passwords are plain text
do not want to convert the plain text passwords because we want to see some passwords (I know it could be a security risk)
SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or pass=SHA1('stravinsky1')))
but this does not work for
sha1(stravinsky1)
fc9bc17eea70a9c148869aca6414ddc4dc29e193
but when we convert password to sha1
SELECT * FROM users WHERE (email='email' AND (pass='fc9bc17eea70a9c148869aca6414ddc4dc29e193' or pass=SHA1('fc9bc17eea70a9c148869aca6414ddc4dc29e193')))
no results returned (so user can not log in)
select sha1('12345')
8cb2237d0679ca88db6464eac60da96345513964
SELECT * FROM users WHERE (email='email2' AND (pass='8cb2237d0679ca88db6464eac60da96345513964' or pass=SHA1('8cb2237d0679ca88db6464eac60da96345513964')))
this query returns results
so password 12345 can be plain text or converted to sha1 and still work
so some passwords work using this query, others do not
Please post a few rows of test data showing both the clear-text password and the SHA1 password. Please tell us how you encoded the SHA1 fields -- was it done in PHP or in SQL?
ASKER
password can be plaintext or hidden now
thanks
thanks
Why not use MD5 to encrypt it to the database then let php change it from cleartext to MD5 then compare apples to apples at MySQL?
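One way to do the comparison in PHP instead of in the WHERE clause, as an added example that is not code from this thread: fetch the row by email only, then decide from the stored value whether it is clear text or a SHA1 digest. `verify_login()` and the sample rows are assumptions; the passwords and the digest are the ones quoted in the question.

```php
<?php
// Added example; verify_login() and the sample rows are hypothetical names.
// Returns [accepted, replacementHash]; replacementHash is set when a legacy
// row matched and can be rewritten as a password_hash() value.
function verify_login(string $submitted, string $stored): array
{
    // Row already holds a password_hash() string.
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return [password_verify($submitted, $stored), null];
    }
    if (preg_match('/\A[0-9a-f]{40}\z/i', $stored) === 1) {
        // 40 hex characters: treat as a SHA1 digest and hash the input once.
        $ok = hash_equals(strtolower($stored), sha1($submitted));
    } else {
        // Anything else: legacy clear text, compared byte for byte
        // (stricter than a case-insensitive MySQL collation).
        $ok = hash_equals($stored, $submitted);
    }
    return [$ok, $ok ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Constructed sample rows, keyed by email, using values from the question.
$rows = [
    'email'  => 'stravinsky1',                              // clear text
    'email2' => '8cb2237d0679ca88db6464eac60da96345513964', // SHA1('12345')
];

$attempts = [
    ['email',  'stravinsky1'],
    ['email2', '12345'],
    // The digest itself submitted as the password. The OR query in the
    // question matches this through pass='...'; this check rejects it.
    ['email2', '8cb2237d0679ca88db6464eac60da96345513964'],
    ['email',  'wrong-password'],
];

foreach ($attempts as [$email, $password]) {
    [$ok, $newHash] = verify_login($password, $rows[$email]);
    printf("%-6s %-40s %s\n", $email, $password, $ok ? 'accepted' : 'rejected');
    if ($newHash !== null) {
        $rows[$email] = $newHash; // in a real app: UPDATE users SET pass = ?
    }
}
```

A clear-text password that is itself 40 hex characters cannot be told apart from a digest under this rule, which is inherent to storing both kinds in one column.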