Encryption without component

Post Reply

Page <123 >

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
MorningZ Members Profile Find Members Posts Senior Member Joined: 06 May 2002 Location: United States Status: Offline Points: 1793	Post Options Post Reply Quote MorningZ Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 11:23am
	Ah yes, easier than i thought Run against Northwind DB DECLARE @Address nvarchar(60), @EncryptAddress nvarchar(60) SET @Address = '123 Main Street' SET @EncryptAddress = PWDENCRYPT(@Address) INSERT INTO Employees (LastName, FirstName, Address) VALUES ('Doe', 'John', @EncryptAddress) SELECT TOP 1 EmployeeID, LastName, FirstName, Address, Len(Address) As AddressLength FROM Employees ORDER BY EmployeeID DESC SELECT EmployeeID FROM Employees WHERE LastName = 'Doe' AND Address = @Address SELECT EmployeeID FROM Employees WHERE LastName = 'Doe' AND Address = PWDENCRYPT(@Address) The first SELECT shows that you can't "see" whats in the "Address" column and the Length column just shows that something is in there Now notice that the second SELECT brings back no results since the plain address didnt match the encrypted column "address", but the third one did
	Contribute to the working anarchy we fondly call the Internet

Mart Members Profile Find Members Posts Senior Member Joined: 30 November 2002 Status: Offline Points: 2304	Post Options Post Reply Quote Mart Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 11:48am
	Does that work with a standard access 2000 database or a 'Northwind' one only? Thanks, Martin.

MorningZ Members Profile Find Members Posts Senior Member Joined: 06 May 2002 Location: United States Status: Offline Points: 1793	Post Options Post Reply Quote MorningZ Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 11:59am
	its a SQL 2000 function, access has nothing like this that i know of (you did say above "SQL")
	Contribute to the working anarchy we fondly call the Internet

Mart Members Profile Find Members Posts Senior Member Joined: 30 November 2002 Status: Offline Points: 2304	Post Options Post Reply Quote Mart Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 12:10pm
	Oh, it doesn't matter now because I've just found a hash 1 way fuction that I can use (hashs request.form("password") Then pulls out the record). Thanks for all your help anyway, Martin. Edited by Mart

michael Members Profile Find Members Posts Senior Member Joined: 08 April 2002 Location: United States Status: Offline Points: 4670	Post Options Post Reply Quote michael Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 12:41pm
	Z I am using this encryption for some time now and yes there was a little hole which supposedly has been plugged in sp3. I use that script to authenticate a password: strSQL = "Declare @LoginUser varchar(30) " strSQL = strSQL & "Declare @EncryptedPIN varbinary(255) " strSQL = strSQL & "Select @LoginUser = (Select Username from Logins where Username = '" & Username & "') " strSQL = strSQL & "Select @EncryptedPIN = (Select [Password] from Logins where Username = @LoginUser) " strSQL = strSQL & "Select @LoginUser AS Username, Access, pwdCompare('" & Password & "', @EncryptedPin, 0) AS Success " strSQL = strSQL & "FROM Logins where Username = @LoginUser" Set RS = conn.Execute(strSQL) this just returns either 1 for success or 0 in which case i throw him back and the following to encrypt an entered password: pwdencrypt('" & Password & "') within an insert that is. The field itself i use binary so even there is harder to read out. Works well for me and runs faster then most hash1's I found. Edited by michael
	Blog \| MPG Tracker

MorningZ Members Profile Find Members Posts Senior Member Joined: 06 May 2002 Location: United States Status: Offline Points: 1793	Post Options Post Reply Quote MorningZ Report Post Thanks(0) Quote Reply Posted: 02 May 2003 at 12:43pm
	as a final note on this topic if you are using SQL Server like you said, i am not sure how anything easier than: Changing: SELECT * FROM UserInfo WHERE Username = Entered Username AND Password = Entered Password To: SELECT * FROM UserInfo WHERE Username = Entered Username AND Password = PWDENCRYPT(Entered Password) Or Changing: INSERT INTO UserInfo (Username,Password) VALUES (Entered Username, Entered Password) To: INSERT INTO UserInfo (Username,Password) VALUES (Entered Username, PWDENCRYPT(Entered Password)) no extra functions to slow you down, no muss, no fuss... that's it! but alas, not my programming, i can only offer advice/help
	Contribute to the working anarchy we fondly call the Internet

Mart Members Profile Find Members Posts Senior Member Joined: 30 November 2002 Status: Offline Points: 2304	Post Options Post Reply Quote Mart Report Post Thanks(0) Quote Reply Posted: 03 May 2003 at 2:46am
	Hi, before I just found out that I wouldn't have access to SQL. Is it possible to use your function with an access database? Thanks, Martin.

michael Members Profile Find Members Posts Senior Member Joined: 08 April 2002 Location: United States Status: Offline Points: 4670	Post Options Post Reply Quote michael Report Post Thanks(0) Quote Reply Posted: 03 May 2003 at 9:42am
	Z, it does not really wqork like that as the password with pwdencrypt is always different. It uses a time value as salt, try it in query analyzer, every time you encrypt it the pw will be different. Mart, there is no builtin function in access, you would habe to use an asp hash function like this forum does.
	Blog \| MPG Tracker

Post Reply	Page <123 >

Forum Jump

Forum Permissions View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum