Trying to replace Dreamweaver login

So, I am looking to replace my existing login which was added in DreamWeaver and now use the Server Connect Security to log in the user.

My old DW login used the following,

MM_loginSQL = "SELECT strUserName, strUserPassword"
  If MM_fldUserAuthorization <> "" Then MM_loginSQL = MM_loginSQL & "," & MM_fldUserAuthorization
  MM_loginSQL = MM_loginSQL & " FROM dbo.tblEmployee WHERE strUserName = ? AND strUserPassword =HashBytes('SHA2_512', [charSalt] + ?) AND intEmployeeActive = 1"
  Set MM_rsUser_cmd = Server.CreateObject ("ADODB.Command")
  MM_rsUser_cmd.ActiveConnection = MM_PaymentPlusCRM_STRING
  MM_rsUser_cmd.CommandText = MM_loginSQL
  MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param1", 200, 1, 30, MM_valUsername) ' adVarChar
  MM_rsUser_cmd.Parameters.Append MM_rsUser_cmd.CreateParameter("param2", 200, 1, 30, Request.Form("password")) ' adVarChar
  MM_rsUser_cmd.Prepared = true
  Set MM_rsUser = MM_rsUser_cmd.Execute

You will see it validated the user using WHERE strUserName = (Username inputted into the form) AND strUserPassword =HashBytes('SHA2_512', [charSalt] + (Password inputted into the form))

I first get the Salt value from the DB for the user as this value is different for every user.

I tried query_getSalt.charSalt + $_POST.password.sha512() and I keep getting Unauthorized.

How would I replicate this HashBytes for the login?

Thanks
Ray

It needs some extra brackets

(query_getSalt.charSalt + $_POST.password).sha512()

Hi Patrick,

I have created an example record in MS SQL so that you can see the data.

When I try that I get the following output.
7838fab91504eee28ab4a926722e9429decb12c1e1f69a3199110dc7a068ecb2bf71c5f96eae6c2514d3b2d56fdfd7276015738e53cdb5158ab63e11af9ed6ca


I know I can fix the case by using uppercase(), but it still won’t give me the same value.

If I run the select in MS SQL I get the following.

0x37559ECE93C880E6951A2AB115945D017A37F598D9CCE70857C5703B40E1A384AA714E390596B011EA4728CAF5D0D10AECD8D5B098643E92BE5A48323EF3E5A9

Here's the MS SQL select validating the above.

Thanks Ray.

If the hashing happens in SQL Server, why not get the hashed version directly there instead of trying to generate the same result in the server action? Instead of just getting the charSalt from the database, just get the hash with SELECT HashBytes('SHA2_512', [charSalt] + ?) AS strUserPassword and then give that to the security provider.
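
An added diagnostic example (not part of the thread, and not Wappler or Dreamweaver code): HASHBYTES hashes the raw bytes of `[charSalt] + ?`, so the column's type and padding decide what is hashed, and this Python script tries the likely byte layouts against a digest copied from SQL Server. The salt, password, CHAR width and cp1252 code page are constructed assumptions; the thread does not state the real column type.

```python
import hashlib

# Byte encodings SQL Server or the application may have applied before hashing.
ENCODINGS = {
    "varchar/cp1252": "cp1252",          # single-byte code page (assumed collation)
    "nvarchar/utf-16-le": "utf-16-le",   # NCHAR/NVARCHAR storage format
    "utf-8": "utf-8",                    # common application-side string hashing
}

def normalise(digest: str) -> str:
    """Strip the 0x prefix SQL Server shows and fold case so digests compare."""
    d = digest.strip().lower()
    return d[2:] if d.startswith("0x") else d

def layouts(salt: str, password: str, char_width: int = 0):
    """Yield (label, bytes) for each candidate salt+password byte layout."""
    salts = [("salt as stored", salt)]
    if char_width > len(salt):
        # CHAR(n) values are space-padded to n and keep the padding through '+'.
        salts.append((f"salt padded to CHAR({char_width})", salt.ljust(char_width)))
    for salt_label, s in salts:
        for enc_label, enc in ENCODINGS.items():
            yield f"{salt_label}, {enc_label}", (s + password).encode(enc)

def matching_layouts(salt, password, sql_digest, char_width=0):
    """Return labels of layouts whose SHA-512 equals the SQL Server digest."""
    target = normalise(sql_digest)
    return [label for label, data in layouts(salt, password, char_width)
            if hashlib.sha512(data).hexdigest() == target]

# Constructed sample values, not taken from the thread.
SALT, PASSWORD, WIDTH = "Ab3dE", "Pa55wörd", 10
# Stand-in for SQL Server output: padded salt, UTF-16LE, shown as 0x + upper-case hex.
SQL_DIGEST = "0x" + hashlib.sha512(
    (SALT.ljust(WIDTH) + PASSWORD).encode("utf-16-le")).hexdigest().upper()

if __name__ == "__main__":
    print(matching_layouts(SALT, PASSWORD, SQL_DIGEST, WIDTH))
```

An empty result means none of these layouts was used; with ASCII-only input the cp1252 and UTF-8 layouts produce identical bytes and both match.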