Retrieving password whereby "SH1" - sha1

My table contains a column "pass" for encrypted passwords inserted as "SHA1('$password')".
I want to retrieve that column to see both:encrypted password and "original" password so I wrote the following code:
<?php
$sql = "SELECT `fname`, `email`, `pass` FROM `list`";
$result = $dbcon->query($sql);
while ($row = $result->fetch_array(MYSQLI_NUM))
{
echo "{$row[2]}. 'encoded:'. {SHA1($row[2])}<br>";
}
$dbcon->close();
?>
I only get encoded passwords.
I there a way I can see "real passwords" in my table?
Thanks

No, you cannot see the real passwords. That's the purpose for using a hash function. But hashing alone is not enough. These two sources will give in depth explanation of what you should be doing any WHY:
CrackStation.Net
Thomas Pornin

SHA-1 is a one-way hash, meaning that you can't get back the original value after performing the hashing. In a situation like yours, where you are storing passwords, that's a very-very good thing, since you shouldn't be able to read plain-text passwords.

Related

RoR Encryption and Decryption for query string

I've been searching for the past few days about encrypting some data to use on the URL.
I basically have 3 strings and i need to encrypt then on a unique token.
eg: code: '12345678' email: 'teste#encrypt.com' name: 'nameTest'
This will be join together as code%email%name and i need to encrypt them.
What's the best way to do it as i need to pass the encrypted string on the URL for the other server to decrypt? The algorithms i've used all put some form of '/\=' and i guess that probably may cause problems
Thanks for the help
In 2019, URI.encode is obsolete and should not be used
If you want safely put encrypted string into url without problems with special characters then you could use CGI.escapeor ERB::Util.url_encode for this purpose.
require 'erb'
ERB::Util.url_encode("Hello world")
#=> "Hello%20world"
Rails will decode automatically when receiving
If you want something simple that encodes and hide raw data which could be decoded somewhere later and verified then you could use MessageVerifier provided by active support:
#verifier = ActiveSupport::MessageVerifier.new('s3Krit')
cookies[:remember_me] = #verifier.generate([#user.id, 2.weeks.from_now])
id, time = #verifier.verify(cookies[:remember_me])
http://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html
http://ngauthier.com/2013/01/rails-unsubscribe-with-active-support-message-verifier.html
If you want true encryption then you could look into such project. It uses OpenSSL:
http://rocketjob.github.io/symmetric-encryption/

Parse id in URL in encrypted form to prevent sql injection

snatching my hair to fix this problem but I can't.
I am parsing id in url to pull data on next page according to that id. So rather than parsing id=123 I encrypted it something like process.php?token=TG4n6iv_aoO7sU3AngFY4WLSppLvueEoh-MnYE6k7NA, and decrypted it on process.php page by collecting it with $_GET, before using it in sql query. This is not proper URL, I need url like process.php?token=9878799889 and I need to decrypt this 9878799889 on process.php which would give me my original user id.
So here I can not use md5 or base64_encode which give me ugly string.
What would be best thing to do here?
id is unique so generated long digits should be unique as well and not easy to guess.
Right now I am using encrypt logarithm with salt. Actually want to parse like www.sitename.com/process/token/9878799889..this can be achieve with .htaccess so not worried about it..
Any help will be much appreciated..
What you could do is add an association table in your databse, which would contains a UUID as primary key (a randomly generated number) and your true ID reference (and other information you may want to store there, like a "valid until" date or other things...)
You'd have to generate the entry in that table as you parse the UUID
let's say INSERT INTO uuid_table (uuid, real_id) VALUES (9878799889, 123);
now when you process the url process.php?token=9878799889
you would only have to SELECT real_id FROM uuid_table WHERE uuid=9878799889;
it would retern the read id 123
You should also DELETE FROM uuid_table WHERE uuid=9878799889 when you're done.
Note that it would also work with md5 or base_64, but indeed it makes the url uglier.

storing password textfield in database C#

I'm trying to write a simple ASP.Net app that allows the users to log in with their username and password. I'm using an EF database in the .NET Framework 4, coding in C#. My problem is, when the user registers their details on the registration page, their password value does not save. That textfield is a password field.
How can I save the passwords actual value in the database, but keep the textfield as password? Would I need to encrypt it? I've never done encryption, so any help would be appreciated. Thanks
You should use some cryptographic algorithm to compute the hash for password string (see Hash string in c#). Then store it as byte array or encoded string (like hex or base64) in db.

how to store hashed passwords generated from erlang

I used crypto:sha/1 to hash passwords in my erlang application.
Should I store the binary obtained directly in mnesia or should i convert them to hex string before?
Using crypto:sha/1 for hashing passwords is dangerous. At least have a salt, but preferably, use say scrypt, bcrypt or pbkdf2 for storing passwords like this. They are resilient to a number of attacks. Unfortunately, I know of no Erlang-support for those :/
Use https://github.com/smarkets/erlang-bcrypt to do the hashing rather than SHA1 or MD5.
One could get an Hmac SHA256 hex Digest or MD5 Digest of a password from a front-end application, create a hash using the erlang method and then store this hash. For example, if i had a web application, i ask for password from users, right at account creation or at login, i use javaScript to create an MD5 Digest of this password and send that along the wire (HTTPS) instead of the actual password. On reaching Erlang, i create a hash of this MD5 Digest from JavaScript and store that as the users password. So each time the user attempts to login on my page, i would do the similar process and then compare the hash output of his entry with the one that was stored. Read more on SHA256 HMac Digest by looking at the solutions to this question: HMAC SHA256 hex digest of a string in Erlang, how? and this one: Erlang and JavaScript MD5 Digest match
Actually you store tuples (or records, which is the same) in mnesia, but in the fields of that records you can store any term (including binaries). It's not neccessary to convert them to strings.

extract information from particular string

I am new to ruby on rails. I have passed parameters ISDCode,AreaCode and Telephone number using POST from a form.
I have a string with information of the format countryName(ISDCode) passed in the variable ISDCode. For example "United States of America(+1)".
Now I want to save only the value of the ISDCode in the database.
What would be the ideal way to extract the ISD Code from the string?
Should I extract the ISD Code in Javascript before user POSTs the form or should I extract it in the model using a callback ?
Also is regex the only way to extract the information?
Since the string is from auto completion, the ISDcodes should be existing in your database. So the best solution may be including an extra parameter (with a hidden input), like isdcode_id, then you simply use isdcode_id in your model. This way you can avoid the trouble to parse the string.
If this is not feasible, regex could be the best way to extract the information. You can override the setter in the model to do it.
use regular expression to match ISDcode
"United States of America(+1)" =~ /(\+[\d]+)/
puts $1
If you are interested in getting just the ISD Code alone, this should work:
"United States of America(+1)".gsub!(/[^\+\d]/, "")
NB: You can have this in your view helper and just call the helper on the string before persistence
Already answered, but I'd like to offer an alternative to getting the ISD Code:
isd = "United States(+1)"
puts isd[/[+]*[\d]{1,4}/] # +1
This regexp matches:
0001
+1
+01
etc.
I prefer to use js to extract information in the client side and make a validation in the model. By this way, you can get what you want and make sure it's correct.

Resources