Password validation in stored procedure

Question

Password validation in stored procedure

I am having trouble verifying an account in a SQL Server stored procedure. What I do is that I have a hashbyte user password. When he wants to enter his account, I again hashbyte the parameter ( @fPassword ) and compare it with the byte of the hash byte that is in the database. The problem is that I still get a different value.

For instance:

 declare @fPassword nvarchar(4000) set @fPassword = 'sharingan1' IF (CONVERT(NVARCHAR(4000), HASHBYTES('sha1', @fPassword), 1)) <> (select fPassword from CustomerTable WHERE fUserName = 'cesark14') BEGIN print 'b' END else print 'c'

I keep getting 'b' . But when I replace @fPassword with 'sharingan1' , I get 'c' (this is what I want).

Does anyone know why this is

 (CONVERT(NVARCHAR(4000), HASHBYTES('sha1', @fPassword), 1))

where I set @fPassword = 'sharingan1' , different from

 (CONVERT(NVARCHAR(4000), HASHBYTES('sha1', 'sharingan1'), 1))

+4

sql passwords sql-server-2008 stored-procedures

Cesar tejada Aug 10 '13 at 0:49

source share

1 answer

Brian knight · Accepted Answer · 2013-08-10T01:09:14+0000

Your @fPassword variable is NVARCHAR. When you hard-code a string, it is of type VARCHAR. If you put "N" in front of the line, as in "N'sharingan1", they should be equivalent, as this expresses the line as NVARCHAR. Or you can make your own variable of type VARCHAR.

Coding.

Password validation in stored procedure

More articles: