Thursday, March 29, 2012

finding hidden chars in sql query


I am working on a login system in Flex and ASP. I am encrypting the password before it is inserted into the SQL database. But then when I do a SELECT statement with the username and encrypted password, it returns 0 users found.
I outputted the SQL statement and the passwords look exactly the same. But the SQL Select count(*) returns a 0.

Link to the encryption that is used:
http://www.4guysfromrolla.com/webtech/110599-1.2.shtml

other information:
script language: asp + flex
database: sql server 2005

So I am thinking that there are hidden chars in the password. Is there a way to check this or even convert/exclude them?
Any links or tips would be very helpful.

Use the sample to solve your issue...

-- XOR every character of @Input with @Key; applying the function again
-- with the same key restores the original text.
Alter Function dbo.En_De_Crypt(@Input varchar(max), @Key int) Returns Varchar(Max) as
Begin
    Declare @Len as Int;
    Declare @I as Int;
    Declare @Output as Varchar(max)
    Select @Len = Len(@Input), @I = 1, @Output = ''
    -- Build the list of character positions 1..@Len
    Declare @Number Table (N int);
    While(@I <= @Len)
    Begin
        Insert into @Number Values(@I);
        Set @I = @I + 1;
    End
    -- Append the XOR-ed character for each position
    Select @Output = @Output + Char(Ascii(Substring(@Input,N,1)) ^ @Key)
    From @Number
    return @Output
End
Go

Create Table #Passwords(
    Password varchar(20)
);
Insert Into #Passwords Values(dbo.En_De_Crypt('One1234$$',100));
Insert Into #Passwords Values(dbo.En_De_Crypt('M1cr0$0ft',100));
Insert Into #Passwords Values(dbo.En_De_Crypt('Or@c1e',100));
Insert Into #Passwords Values(dbo.En_De_Crypt('@pp1e',100));
Select dbo.En_De_Crypt(Password,100) ,Password From #Passwords

/*
Original value Decrypted Value
One1234$$ + _VWP@@
M1cr0$0ft )Up'16T@T '10
Or@c1e +_$p_par
@pp1e $__U_par */

--None of these queries will return the data here..
Select Count(*) From #Passwords Where Password = '+
_VWP@@'
Select Count(*) From #Passwords Where Password = ')Up'16T@T '10'
Select Count(*) From #Passwords Where Password = '?_p$'
Select Count(*) From #Passwords Where Password = '$__U_par'
--Use the following query to get the result..
Select Count(*) From #Passwords Where dbo.En_De_Crypt(Password,100)='M1cr0$0ft'

Thanks, Manivannan, for the reply.
I will try it out.
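
One way to check a stored value for hidden characters, as an added example that is not part of the original thread: it rebuilds the XOR output for one of the sample passwords, then compares it with a pasted literal, dumps both as hex and lists the non-printable characters. The variable names and the @Pasted literal are assumptions constructed for illustration.

```sql
-- Added example; every value below is constructed for illustration.
DECLARE @Plain varchar(20), @Key int, @i int, @Code int;
DECLARE @Stored varchar(20), @Pasted varchar(20);
SET @Plain = 'One1234$$';
SET @Key = 100;
SET @Stored = '';
SET @i = 1;

-- Build the XOR output character by character, as the thread's function does.
WHILE @i <= DATALENGTH(@Plain)
BEGIN
    SET @Stored = @Stored + CHAR(ASCII(SUBSTRING(@Plain, @i, 1)) ^ @Key);
    SET @i = @i + 1;
END;

-- Assumed result of copying the value out of printed output: the line feed
-- (0x0A) was shown as a space and the 0x01 byte was dropped.
SET @Pasted = '+ UVWP@@';

-- 1. Text comparison follows the collation; the varbinary comparison is
--    byte-exact.
SELECT CASE WHEN @Stored = @Pasted THEN 'match' ELSE 'no match' END AS TextCompare,
       CASE WHEN CONVERT(varbinary(20), @Stored) = CONVERT(varbinary(20), @Pasted)
            THEN 'match' ELSE 'no match' END AS BinaryCompare;

-- 2. A hex dump shows exactly which bytes each string contains.
SELECT CONVERT(varbinary(20), @Stored) AS StoredBytes,
       CONVERT(varbinary(20), @Pasted) AS PastedBytes;

-- 3. List every non-printable character with its position and code.
--    DATALENGTH is used instead of LEN because LEN ignores trailing spaces,
--    and XOR can produce a trailing space (for example 'D' XOR 100 = 32).
DECLARE @Hidden TABLE (Position int, Code int);
SET @i = 1;
WHILE @i <= DATALENGTH(@Stored)
BEGIN
    SET @Code = ASCII(SUBSTRING(@Stored, @i, 1));
    IF @Code < 32 OR @Code = 127
        INSERT INTO @Hidden (Position, Code) VALUES (@i, @Code);
    SET @i = @i + 1;
END;
SELECT Position, Code FROM @Hidden ORDER BY Position;
```

Keeping such values in a varbinary column, or hex-encoding them before they are placed in SQL text, keeps control bytes out of string literals.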
