A hashed password is sometimes longer than 128 characters

I had a strange security issue: lately I get regular but intermittent errors when trying to insert hashed passwords into a SQL Server database field, which is nvarchar(130):

<cfqueryparam value="#hashpass#" cfsqltype="cf_sql_char" maxLength="130">

The hashpass variable is set this way:

<cfset hashpass = Hash(arguments.password & getsalt.user_salt, "SHA-512")>

Surprisingly, how is it possible for the SHA-512 hash to be longer than 128 characters when the documentation states that it should always be 128? Here is the ColdFusion 10 error:

[Macromedia] [SQLServer JDBC Driver] [SQLServer] String or binary data will be truncated.

1 answer

It seems your problem is at the database level, since ColdFusion does not perform a maxlength check on the maxlength tag and allows the query to be executed. I just tested passing a string that exceeds the length specified in the maxlength attribute (on CF10) and got an error:

The cause of this output exception was that: coldfusion.tagext.sql.QueryParamTag$InvalidDataException: Invalid data value this-is-a-string-that-is-too-long exceeds maxlength setting 10.

As Adam Cameron mentioned in the comments on the question, it seems likely that another field appears in your request that throws an error.

Since the hashed password will be 128 characters long, is there a reason why you allow 130 characters?

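To confirm the answer's two points, that a SHA-512 hex digest is always 128 characters regardless of input and that the truncation error must therefore come from a different column, here is an added Python example (not code from the original post). It mirrors the ColdFusion Hash(password & salt, "SHA-512") call and then applies the same width check cfqueryparam's maxLength performs to every parameter of the insert; the field names, widths and sample values are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# Constructed sample values, not taken from the original post.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = "8f3c1a9b"  # constructed; a real salt is random per user


def hash_password(password: str, salt: str) -> str:
    """Mirror ColdFusion's Hash(password & salt, "SHA-512"):
    SHA-512 over the UTF-8 bytes of the concatenation, hex-encoded.
    ColdFusion emits uppercase hex; Python emits lowercase. The length
    is identical: 64 digest bytes -> 128 hex characters, always."""
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()


def digest_lengths(inputs: List[str]) -> set:
    """Hash every input and collect the distinct output lengths.
    For SHA-512 hex this set is always {128}, whatever the inputs."""
    return {len(hash_password(p, SAMPLE_SALT)) for p in inputs}


@dataclass
class Param:
    name: str
    value: str
    max_length: int  # the nvarchar width / cfqueryparam maxLength


def find_overflowing_params(params: List[Param]) -> List[str]:
    """Return the names of parameters whose value exceeds its declared
    width. This is the check to run when SQL Server only says
    'String or binary data will be truncated' and does not name the
    column: it points at the real culprit instead of the hash field."""
    return [p.name for p in params if len(p.value) > p.max_length]


if __name__ == "__main__":
    pw_hash = hash_password(SAMPLE_PASSWORD, SAMPLE_SALT)
    print(len(pw_hash))  # 128
    insert_params = [
        Param("user_hash", pw_hash, 130),   # constructed widths
        Param("email", "x" * 60, 50),       # this one overflows
    ]
    print(find_overflowing_params(insert_params))  # ['email']
```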

Source: https://habr.com/ru/post/988275/
