#1
    How to Use HashBytes with MSSQL/PHP


    My client is moving from MySQL to MS SQLSRV, so I'm going through and updating all the SQL statements.

    But I need help with this one. The current code uses "SHA1". I understand that sqlsrv needs to use the command "HashBytes", but I can't seem to get it right.

    Here is the current code that works with MySQL/PHP.

    $user_select = " SELECT users.Email, users.Name, users.AccountType
                     FROM helicap.users
                     WHERE users.Email = '$email'
                     AND users.Password = SHA1('$pass')";
    $user_result = mysql_query($user_select) or die(mysql_error());

    How can I make this work with MS SQLSRV?

    I've tried doing ...Password = HASHBYTES('SHA1', '$pass')"; but I'm missing something. Any help would be greatly appreciated!
  2. #2
    HASHBYTES

    You're halfway there. HASHBYTES returns actual binary data, not the hex encoding of the bytes like SHA1 does.
    a) Convert the passwords to be binary columns and use binary data.
    b) Grab the SHA-1 hash using PHP instead of the database.
    c) Use CAST/CONVERT after HASHBYTES. Scroll down to the "Binary Styles" section for more.

    Also, SHA-1 by itself is not secure. You need to do more with the passwords to keep them safe.
  4. #3
    Thanks for the direction! Much appreciated.

    Originally Posted by requinix
    HASHBYTES

    You're halfway there. HASHBYTES returns actual binary data, not the hex encoding of the bytes like SHA1 does.
    a) Convert the passwords to be binary columns and use binary data.
    b) Grab the SHA-1 hash using PHP instead of the database.
    c) Use CAST/CONVERT after HASHBYTES. Scroll down to the "Binary Styles" section for more.

    Also, SHA-1 by itself is not secure. You need to do more with the passwords to keep them safe.
  6. #4
    In case it wasn't clear, those (a) (b) (c) options were exactly that: options. Not steps. Normally I mention that but this time I didn't. You can pick any one of those to use.
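
Options (b) and (c) from the reply above, written for PHP's sqlsrv driver as an added example that is not code from the thread. It assumes $conn is an open sqlsrv_connect() resource, that helicap.users maps to a schema and table in SQL Server, and that stored passwords are ASCII; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. $conn is assumed to be an open
// sqlsrv_connect() resource; helicap.users is assumed to map to schema.table.

// Option (b): hash in PHP. sha1() gives the same 40-char lowercase hex string
// that MySQL's SHA1() stored, so migrated rows still match.
function find_user_php_hash($conn, string $email, string $pass): ?array
{
    $sql = "SELECT Email, Name, AccountType FROM helicap.users
             WHERE Email = ? AND Password = ?";
    return run_lookup($conn, $sql, [$email, sha1($pass)]);
}

// Option (c): hash in SQL Server. HASHBYTES returns VARBINARY; CONVERT style 2
// renders it as upper-case hex without the 0x prefix, so LOWER() restores the
// MySQL form. The CAST keeps the input VARCHAR: an NVARCHAR input is hashed as
// UTF-16 bytes and yields a different digest.
function find_user_sql_hash($conn, string $email, string $pass): ?array
{
    $sql = "SELECT Email, Name, AccountType FROM helicap.users
             WHERE Email = ?
               AND Password = LOWER(CONVERT(VARCHAR(40),
                       HASHBYTES('SHA1', CAST(? AS VARCHAR(8000))), 2))";
    return run_lookup($conn, $sql, [$email, $pass]);
}

// Values are bound as parameters instead of being interpolated into the SQL.
function run_lookup($conn, string $sql, array $params): ?array
{
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        throw new RuntimeException(print_r(sqlsrv_errors(), true));
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    return is_array($row) ? $row : null; // null when no row matched
}

// Runs without a database: the encodings the three options compare.
function sha1_encodings(string $pass): array
{
    $raw = sha1($pass, true); // 20 raw bytes, what HASHBYTES returns (option a)
    return [
        'raw_len'   => strlen($raw),
        'mysql_hex' => sha1($pass),               // MySQL SHA1() text form
        'convert_2' => strtoupper(bin2hex($raw)), // CONVERT(..., 2) text form
    ];
}
print_r(sha1_encodings('constructed-sample-password'));
```

Under a case-insensitive collation the LOWER() call is redundant, but it keeps the comparison correct if the Password column is ever given a case-sensitive or binary collation.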
