rgb192 asked:
some passwords cause query to return results, but some do not

Some passwords are SHA1, other passwords are plain text.
We do not want to convert the plain-text passwords, because we want to see some passwords (I know it could be a security risk).

SELECT * FROM users WHERE (email='email' AND (pass='stravinsky1' or pass=SHA1('stravinsky1')))

But this does not work for
sha1(stravinsky1)
fc9bc17eea70a9c148869aca6414ddc4dc29e193

But when we convert the password to SHA1:

SELECT * FROM users WHERE (email='email' AND (pass='fc9bc17eea70a9c148869aca6414ddc4dc29e193' or pass=SHA1('fc9bc17eea70a9c148869aca6414ddc4dc29e193')))
No results returned (so user cannot log in).


select sha1('12345')
8cb2237d0679ca88db6464eac60da96345513964

SELECT * FROM users WHERE (email='email2' AND (pass='8cb2237d0679ca88db6464eac60da96345513964' or pass=SHA1('8cb2237d0679ca88db6464eac60da96345513964')))

This query returns results.

So password 12345 can be plain text or converted to SHA1 and still work.

So some passwords work using this query, others do not.
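The check described in the question, reproduced as an added example (not code from the thread): a constructed in-memory SQLite table stands in for the MySQL users table, with one row stored in plain text and one stored as a SHA1 hex digest, and a SHA1() function is registered so the query reads like the original. The e-mail addresses and the helper names are assumptions. Binding the plain-text password to both placeholders matches either storage form; binding the digest instead only matches rows where the stored value happens to be that digest, which is exactly the behaviour the question observed for 12345 versus stravinsky1.

```python
import hashlib
import re
import sqlite3


def sha1_hex(text: str) -> str:
    """Hex SHA1 digest, the same 40-character string MySQL's SHA1() returns."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with mixed storage forms.
    SQLite has no SHA1(), so a Python implementation is registered under
    that name so the query below mirrors the MySQL original."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1, sha1_hex)
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pass TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (email, pass) VALUES (?, ?)",
        [
            ("plain@example.test", "stravinsky1"),       # stored as plain text (assumed address)
            ("hashed@example.test", sha1_hex("12345")),  # stored as SHA1 digest (assumed address)
        ],
    )
    return conn


def credentials_match(conn: sqlite3.Connection, email: str, supplied: str) -> bool:
    """Same logic as the question's query, but parameterised. The value the
    user typed is bound to both placeholders: the database compares it with
    the stored column directly (plain-text rows) and with its SHA1 (hashed rows)."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE email = ? AND (pass = ? OR pass = SHA1(?))",
        (email, supplied, supplied),
    ).fetchone()
    return row is not None


_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def count_by_form(conn: sqlite3.Connection) -> dict:
    """Heuristic inventory of the column: a 40-char lowercase hex value is
    counted as a SHA1 digest, anything else as plain text. Useful to see how
    many rows are still stored unhashed."""
    counts = {"plaintext": 0, "sha1": 0}
    for (stored,) in conn.execute("SELECT pass FROM users"):
        counts["sha1" if _SHA1_HEX.match(stored) else "plaintext"] += 1
    return counts


def run_checks() -> dict:
    """Reproduce the four cases from the question and return the outcomes."""
    conn = open_sample_db()
    return {
        # typing the real password works for both storage forms
        "plain_row_with_password": credentials_match(conn, "plain@example.test", "stravinsky1"),
        "hashed_row_with_password": credentials_match(conn, "hashed@example.test", "12345"),
        # typing the digest only works when the stored value IS that digest
        "plain_row_with_digest": credentials_match(conn, "plain@example.test", sha1_hex("stravinsky1")),
        "hashed_row_with_digest": credentials_match(conn, "hashed@example.test", sha1_hex("12345")),
        "wrong_password": credentials_match(conn, "plain@example.test", "not-it"),
        "storage_forms": count_by_form(conn),
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name}: {outcome}")
```

The takeaway for the login code is that the application should always bind the password exactly as the user typed it and let the OR cover both storage forms; hashing it first in PHP and then sending the digest breaks the plain-text branch, because SHA1(digest) is a different string from SHA1(password).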
Robert Saylor:
I assume you are using PHP?

Why not use MD5 to encrypt it to the database then let php change it from cleartext to MD5 then compare apples to apples at MySQL?
ASKER CERTIFIED SOLUTION (Jagadishwor Dulal): solution text available to Experts Exchange members only.
Please post a few rows of test data showing both the clear-text password and the SHA1 password.  Please tell us how you encoded the SHA1 fields -- was it done in PHP or in SQL?
rgb192 (ASKER):

Password can be plaintext or hidden now.

Thanks.