
What would the SQL statement be to validate a password if the MySQL table looks like this:

user_id   password     salt
-------   --------     ----
 1         23ed2...    m9f3m...

I tried:

select * from password_table
where user_id = 1
and password = sha1(concat(`salt`, 'password'))  -- in MySQL, + is numeric addition; concat() joins strings
order by user_id desc
limit 1

which did not return anything. The algorithm is sha512 whirlpool.

In php it goes like this:

hash('sha512', hash('whirlpool', $password));

It is possible that it can't be done in an SQL statement.

Artjom B.
lilbiscuit
    You should never use a simple hash function to protect your users' passwords. You need to use a strong hashing scheme like PBKDF2, bcrypt, scrypt or Argon2. Be sure to use a high cost factor/iteration count. It is common to choose the cost so that a single iteration takes at least 100ms. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Sep 28 '16 at 18:39

1 Answer


You cannot securely hash and verify passwords with an SQL statement, because salted hashes cannot be searched for, and because most databases do not offer appropriate hash functions.

Instead, use a hash function like BCrypt, SCrypt or PBKDF2 from your development language. For verification, first search for the hash by username/id only, and afterwards verify the found hash in the development language.

martinstoeckli
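The two-step verification the answer describes, as an added example that is not part of the original answer and not martinstoeckli's or the asker's code. It assumes a SQLite in-memory database standing in for the MySQL `password_table` (same `user_id`, `password`, `salt` columns, plus an assumed `iterations` column), PBKDF2-HMAC-SHA256 from Python's standard `hashlib` as the slow hash, and an iteration count that is a placeholder to be tuned on the target hardware. The `WHERE` clause never touches the hash: the row is fetched by `user_id` alone, and the comparison happens in the application in constant time.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the MySQL table from the question (SQLite so the
# example runs offline). The `iterations` column is an added assumption so the
# cost can be raised later without breaking existing rows.
SCHEMA = """
CREATE TABLE password_table (
    user_id    INTEGER PRIMARY KEY,
    password   BLOB    NOT NULL,  -- PBKDF2-HMAC-SHA256 output, not a plain digest
    salt       BLOB    NOT NULL,  -- random, unique per user
    iterations INTEGER NOT NULL
)
"""

ITERATIONS = 200_000   # placeholder; tune so one derivation costs ~100 ms or more
SALT_BYTES = 16
KEY_LEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation done in the application, never in SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def new_connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def store_password(conn: sqlite3.Connection, user_id: int,
                   password: str, iterations: int = ITERATIONS) -> None:
    """Fresh random salt per user: two users with the same password get
    different stored values, which is exactly why the hash is not searchable."""
    salt = os.urandom(SALT_BYTES)
    digest = derive(password, salt, iterations)
    conn.execute(
        "INSERT INTO password_table (user_id, password, salt, iterations) "
        "VALUES (?, ?, ?, ?)",
        (user_id, digest, salt, iterations),
    )
    conn.commit()


def verify_password(conn: sqlite3.Connection, user_id: int, candidate: str) -> bool:
    # Step 1: look the row up by user_id ONLY. The hash is not in the WHERE clause.
    row = conn.execute(
        "SELECT password, salt, iterations FROM password_table WHERE user_id = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        # Burn a derivation anyway so an unknown user is not cheaper to probe.
        derive(candidate, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    stored, salt, iterations = row
    # Step 2: recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(derive(candidate, salt, iterations), stored)


if __name__ == "__main__":
    db = new_connection()
    store_password(db, 1, "correct horse battery staple")
    print("correct password:", verify_password(db, 1, "correct horse battery staple"))
    print("wrong password:  ", verify_password(db, 1, "Tr0ub4dor&3"))
    print("unknown user:    ", verify_password(db, 42, "correct horse battery staple"))
```

Swapping PBKDF2 for bcrypt, scrypt or Argon2 changes only `derive` (and those functions embed their own salt and cost, so the extra columns collapse into one); the lookup-then-verify shape stays the same.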