Admin
I don't blame you.
BTW, I spent many an inebriated weekend in Charlotte (in the '90s) and can say you're in a pretty nice location as well.
Admin
Seems to me they are storing it in the database as plain text but pulling it out encrypted. If this is the case, and it looks that way from the query, then this is bad.
Admin
Very much so.
Until two things change, we'll always see horror stories like this.
Question to clever bosses: "If I were an Indian programmer with all the grand powers over time and space to deliver five- to six-figure high-order solutions on a four-figure budget, why, f**ing why in God's name, would I be stuck here paid by the rupee doing this sht for you cheap a-holes?"
Admin
Now contrast this with:
SHA1 falls in the latter category. Which is also why it's not called "enhash" and "dehash", because a hash is not encryption.
Admin
// How I'd fix it: first, wipe PHP; there is [node_js|asp_net|jsp]. Second, only [oracle|sqlserver|db2] are true relational databases.
// Second, use two columns: digest and salt.
// Third, never pass the password in the query string.
// Don't forget to use SSL.
var result = dbutil.executeDataTable(conn,
    "SELECT * FROM users " + "WHERE passwordigest = HASHBYTES('sha1', passwordsalt + @pwd)",
    Request.Form.Item["password"]);
Admin
Only one or two folks seem to be aware that the Secure Hashing Algorithm does what it says on the tin, and hashes. It has nothing to do with encryption.
Admin
Can someone explain "Nagesh"? Is that a person?
Admin
What's even worse than this being stored in plain-text, is the fact that the database has to calculate a hash on every single row in the table in order to return the result. That is not a quick query!
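The two points above, the commenter's salt-plus-digest schema with the HASHBYTES lookup, and the observation that a digest-side WHERE clause forces the database to hash every row, can be checked in a few lines. This is an added example, not code from the original page or from any of the commenters: it uses an in-memory SQLite table with the commenter's column names (passwordsalt, passwordigest), constructed sample users, and a Python function registered under the assumed name HASHBYTES_SHA1 because SQLite has no HASHBYTES. The helper and function names are all assumptions for this example.

```python
import hashlib
import hmac
import os
import sqlite3


def sha1_salted(salt: bytes, password: str) -> bytes:
    """HASHBYTES('sha1', passwordsalt + @pwd) from the comment, in Python."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def open_db() -> sqlite3.Connection:
    # Constructed stand-in for the forum's "users" table (column names from the comment).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, passwordsalt BLOB, passwordigest BLOB)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)  # random per-user salt, stored next to the digest
    conn.execute(
        "INSERT INTO users (username, passwordsalt, passwordigest) VALUES (?, ?, ?)",
        (username, salt, sha1_salted(salt, password)),
    )
    conn.commit()


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look up one row by the indexed username, hash once, compare in constant time.

    The password never appears in the SQL text: it stays on the application side.
    """
    row = conn.execute(
        "SELECT passwordsalt, passwordigest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(sha1_salted(salt, password), stored)


class HashCounter:
    """Counts how many times the database side had to compute a digest."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, salt: bytes, pwd: str) -> bytes:
        self.calls += 1
        return sha1_salted(salt, pwd)


def lookup_by_digest(conn: sqlite3.Connection, password: str):
    """The shape of the commenter's query: WHERE passwordigest = HASHBYTES(salt + @pwd).

    No index can serve this predicate, so the engine recomputes the salted hash for
    every row. Returns the matching usernames and the number of hashes performed.
    """
    counter = HashCounter()
    conn.create_function("HASHBYTES_SHA1", 2, counter)  # assumed name, SQLite has no HASHBYTES
    rows = conn.execute(
        "SELECT username FROM users WHERE passwordigest = HASHBYTES_SHA1(passwordsalt, ?)",
        (password,),
    ).fetchall()
    return [r[0] for r in rows], counter.calls


if __name__ == "__main__":
    db = open_db()
    for name, pwd in [("alice", "correct horse"), ("bob", "battery staple"), ("carol", "hunter2")]:
        register(db, name, pwd)
    print(verify(db, "alice", "correct horse"), verify(db, "alice", "wrong"))
    print(lookup_by_digest(db, "hunter2"))  # ['carol'] and one hash per row in the table
```

Both queries are parameterized, so neither is injectable; the difference is cost and design. The username lookup touches one row, while the digest lookup hashes the whole table on every login attempt. A single salted SHA-1, as the comment proposes, is also far too fast for password storage; a deliberately slow key derivation function such as PBKDF2 (hashlib.pbkdf2_hmac) or bcrypt is the usual replacement, and slots into verify unchanged.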
Admin
Most people are missing the point that SHA1 is NOT encryption; it is a HASH function.
If something is encrypted, then it can be decrypted. You cannot take a SHA1 hash and directly recover the original string, because SHA1 is a HASH function.
What you can do is take a plain-text string and run it through SHA1 to compare the resultant hash, but that is NOT decryption of the original SHA1 string.
Since it is a hash, this means there may be multiple key clashes due to weaknesses in the mathematics used to generate SHA1.
Admin
I'm so used to using parameterized queries that I didn't actually see the security hole until this comment. This code isn't just poorly written, it's an outright liability...
Admin
Encryption is when you are able to recover the plain text you encrypted. SHA1 is a hashing function and by construction is a 'one-way' function, so you won't be able to recover the plain text from its digest.
Admin
The passwords are in clear text, because it's using SHA1 on both sides of the assignment, but it is not SQL-injectable, at least not in this query, because any text inserted will be converted to a hex number.
Admin
Law should be like a battle card game.
Contractor: As per the contract (rustles paper), you've triggered my trap clause!!!
Employer: Which triggers my double entendre which also stands as a "no liability" for work done clause.
Contractor: Except I own 20% of the web land valley share. Which means I get vote on web allocation, and so I threaten to polymorph your adspace into ponies.
Employer: We submit an out-of-court settlement. 80% of pay per contract, 20% in futures.
Contractor: Deal!
Admin
I know that this is an old post but I'm a little confused why everyone is making such a fuss. The SHA1 is doing nothing but I can see no way to inject SQL by a hacker to gain access. Have I missed something?
Admin
Fast, cheap, good: pick two. Unless one of them is "good." Then you only get to pick one.