This function is deprecated as of MySQL 5.7.6 and will be removed in a future MySQL release. PASSWORD() is used by the authentication system in MySQL Server; you should not use it in your own applications.

This function was removed in MySQL 8.0.11. So don't use PASSWORD() - unless you plan to never upgrade to MySQL 8.0.

Besides that, you have some problems in your code.

insert into login (Emp_id, Emp_Fname, Emp_Lname, Username, Password)
Values (5, 'TestFName', 'TestLName', 'Test', password('april'))

I wouldn't use password (or any other hashing function) in this way, because you still have the plaintext password in your SQL statement. This ends up getting logged in query logs and statement-based binary logs, so it's a security weakness. That is, anyone who can get access to your logs can inspect the passwords.

Instead, hash the password in your app, and then put the result of that hash into your SQL statement.

Which hashing function you use depends on the language you use to write your application code. mentions a couple of functions that are used by PHP developers, but those won't be the same for other programming languages. You don't mention which language you use.

Likewise, when you search for a login that has that password, it works if you search for a specific hash string, but this doesn't work:

select * from login where password = 'password(april)'

This returns an empty set. The reason is that you're searching for the string 'password(april)'. Putting an expression in quotes means to use that literal string - it won't execute the function and use the result of it.

Again, you don't want to calculate the hash using SQL anyway. That puts the plaintext password into query logs and is not good for security. You want to produce the hash string in your app, and then use the hash string in searches, like your first example. But not using the PASSWORD() function - using some application code function.

(The hash string above is based on your example. It's a hash produced by MySQL's PASSWORD() function, only as strong as a SHA1 hash, which is known to be unsuitable for passwords.)

Actually, my preferred method is not to search for a password at all.

select password from login where user = 'billkarwin'

Search for the login, and return the password hash string that is stored in the database.
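The pattern the answer recommends, shown as an added example that is not part of the answer or of the question's code: the password is hashed in application code, only the hash ever appears in a SQL statement, and login is checked by fetching the stored hash for the username and comparing in the app. It assumes an in-memory SQLite database as a stand-in for MySQL, PBKDF2-HMAC-SHA256 from the Python standard library as the application-side hash (any library password hash such as bcrypt or Argon2 would do), and the column names from the question; the "query log" is a constructed wrapper that records every statement the way a server-side general log would, so the example can show that the plaintext never reaches it.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256; tune upward as hardware allows.
ITERATIONS = 600_000


def hash_password(plaintext, salt=None):
    """Hash a password in application code, never in SQL.
    Returns a self-describing string: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plaintext, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", plaintext.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Precomputed once so a login attempt for an unknown user costs the same
# as a wrong password (avoids revealing which usernames exist via timing).
DUMMY_HASH = hash_password("not-a-real-password")


class LoggedDb:
    """Constructed stand-in for a MySQL connection plus its general query log.
    Every statement and its bound parameters are recorded, which is what a
    statement log on the server would also capture."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.query_log = []
        self.conn.execute(
            "create table login (Emp_id integer primary key, Emp_Fname text, "
            "Emp_Lname text, Username text unique, Password text)"
        )

    def execute(self, sql, params=()):
        self.query_log.append(f"{sql} -- params: {params!r}")
        return self.conn.execute(sql, params)


def create_user(db, emp_id, fname, lname, username, plaintext):
    """Insert a login row; the statement carries the hash, not the password."""
    db.execute(
        "insert into login (Emp_id, Emp_Fname, Emp_Lname, Username, Password) "
        "values (?, ?, ?, ?, ?)",
        (emp_id, fname, lname, username, hash_password(plaintext)),
    )
    db.conn.commit()


def check_login(db, username, plaintext):
    """Look up by username only, then compare the hash in the application."""
    row = db.execute("select Password from login where Username = ?", (username,)).fetchone()
    if row is None:
        verify_password(plaintext, DUMMY_HASH)  # burn the same time, then reject
        return False
    return verify_password(plaintext, row[0])


def demo():
    """Returns (correct password accepted, wrong password rejected,
    plaintext found anywhere in the query log)."""
    db = LoggedDb()
    create_user(db, 5, "TestFName", "TestLName", "Test", "april")
    accepted = check_login(db, "Test", "april")
    rejected = check_login(db, "Test", "wrong-password")
    leaked = any("april" in entry for entry in db.query_log)
    return accepted, rejected, leaked


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

Had the insert used password('april') or a literal built from the plaintext, the same log would contain "april"; with the hash computed in the app, the log holds only the salted digest, which is the property the answer is describing.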