user242474

Reputation: 37

sql help concat

SELECT 
    SHA1(CONCAT(users.salt, '$password')) = users.password
FROM users
WHERE 
    users.username = '$username'

If $username exists this will return true, doesn't matter what password you put in =/

I only want it to return true if username AND password are correct

What I want is, I want it to take the salt and password, rehash it with sha1 and compare it with user input

What am I doing wrong?

Upvotes: 1

Views: 191

Answers (3)

Shimmy Weitzhandler

Reputation: 104741

SELECT CAST(1 AS bit)
FROM users
WHERE 
    username = '$username' AND
    SHA1(CONCAT(salt, '$password')) = password

Upvotes: 0

Andomar

Reputation: 238086

The password check should be in the where clause:

SELECT 
    'success' as Result
FROM users
WHERE 
    users.username = '$username'
    AND SHA1(CONCAT(users.salt, '$password')) = users.password

This should return a row with a single column if the check succeeds; otherwise, it returns an empty rowset.

Upvotes: 0

Jim Garrison

Reputation: 86774

You didn't say which database, but I don't believe you can code a relational expression in a select clause as you have done. Try

SELECT username
FROM users
WHERE 
    users.username = '$username' and 
    SHA1(CONCAT(users.salt, '$password')) = users.password

If you get a row back the password matched; if no row comes back the password didn't match or the user didn't exist.

Upvotes: 2
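
Added example (not from any of the posts above): the question's select-list form and the answers' WHERE-clause form, run side by side on an in-memory SQLite table, with bound parameters in place of '$username' and '$password' pasted into the SQL string. The thread does not name the database, so the sample row, the `SHA1` function registered from `hashlib`, and `||` standing in for `CONCAT` are assumptions made so it runs on SQLite.

```python
import hashlib
import sqlite3

def sha1_hex(value):
    # SQLite has no built-in SHA1(); expose hashlib's under that name (assumption).
    return hashlib.sha1(value.encode("utf-8")).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    db.create_function("SHA1", 1, sha1_hex)
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, password TEXT)")
    # Constructed sample row: salt 'x9Qz', password 'correct horse'.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", "x9Qz", sha1_hex("x9Qz" + "correct horse")))
    return db

# Form from the question: the comparison sits in the select list, so a row
# comes back whenever the username exists; the row's value is 1 or 0.
SELECT_LIST = "SELECT SHA1(salt || ?) = password FROM users WHERE username = ?"

# Form from the answers: the comparison sits in the WHERE clause, so a row
# comes back only when username and hash both match.
WHERE_CLAUSE = ("SELECT 1 FROM users "
                "WHERE username = ? AND SHA1(salt || ?) = password")

def rows_select_list(db, username, password):
    # Bound parameters: the driver passes values separately from the SQL text.
    return db.execute(SELECT_LIST, (password, username)).fetchall()

def rows_where_clause(db, username, password):
    return db.execute(WHERE_CLAUSE, (username, password)).fetchall()

def login_ok(db, username, password):
    # Row-count check is only correct with the WHERE-clause form.
    return len(rows_where_clause(db, username, password)) == 1

if __name__ == "__main__":
    db = open_db()
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "x")]:
        print(user, repr(pw),
              "select-list:", rows_select_list(db, user, pw),
              "where-clause:", rows_where_clause(db, user, pw))
```

With a wrong password the select-list form still returns one row (holding 0), which is why application code that only checks whether a row came back accepts any password.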
