Java PreparedStatement: Binding Parameter to HASHBYTES

Question

Right now, I have the prepared statement below, which works:

SELECT email, password
FROM Professor 
WHERE email = ? AND password = HASHBYTES('SHA1','" + password + "') 

p.setString(1, email);

But when I try to parameterize the value to be encrypted by HASHBYTES (in this case, the variable 'password'), there is some kind of reading/type/conversion error that does not return results. This is the code that doesn't work:

SELECT email, password
FROM Professor 
WHERE email = ? AND password = HASHBYTES('SHA1', ?) 

p.setString(1, email);
p.setString(2, password);

I get no error message at all; the resultset returns "-3" in the rowCount property. I'm using SQL Server.

Passing the 'password' placeholder like this: '?' doesnt work either. What would be the correct way to parameterize this query?

What error message, if any, are you getting? What SQL server are you talking to? (MySQL, SQL Server, Oracle?) — Ian McLaird, Apr 26 '16 at 19:10
No error message at all. The resultset returns "-3" in the rowCount property, if that helps. I'm using SQL Server. I'll add this information to the question. — KarasuEXE, Apr 26 '16 at 19:28

Ramon Chiara · Accepted Answer · 2023-02-26T01:44:06.607

2

Using the information you all pointed out and researching about how to convert types in SQL Server, I've came to the following code:

select email, password
  from Professor
 where email = ?
   and password = hashbytes('sha1', convert(varchar, ?))

Please, verify if it works for you!

edited Feb 26 '23 at 01:44

answered May 09 '16 at 03:22

Ramon Chiara

616
6
8

score 0 · Answer 2 · edited May 23 '17 at 10:28

0

Look at this SQL Server sha1 value in prepared statement gives a different value than hardcoded string

p.s answer in this way, because I can not text comment yet.

edited May 23 '17 at 10:28

Community

1
1

answered Apr 26 '16 at 19:58

Anton Vetrov

52
6

Thank you for your input. It seems that the difference between VARCHAR and NVARCHAR SQL Types might be the key to the answer. However, I tried changing the variable type in many ways (setNString, Types.NVARCHAR) and even tried to change the query to `WHERE email = ? AND password = HASHBYTES('SHA1', N?) `, but no success. Can you help me formulating the necessary changes? – KarasuEXE Apr 29 '16 at 00:05

Java PreparedStatement: Binding Parameter to HASHBYTES

2 Answers2