Compare password of webpages_membership in SQL Server query

醉梦人生 2021-01-24 07:49

I have a web application done in ASP.NET MVC 4. It has users that are stored in a SQL Server database, in the tables webpages_UserProfile and webpages_Membership.

1 answer
  •  梦毁少年i
    2021-01-24 07:59

    Let's look at the second argument to PwdCompare (emphasis mine):

    password_hash
    Is the encryption hash of a password. password_hash is *varbinary(128)*.

    So, if your column is storing the password in plain text, or is storing a string representation of the binary hash, it's not going to work. You should either change the column to be correct or you will need to convert it first, e.g. check this script:

    SELECT PWDENCRYPT(N'mypassword');
    

    Yields:

    0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF

    If we try to compare that value as a string, we get 0:

    SELECT PWDCOMPARE(N'mypassword', N'0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF');
    

    If we try to compare it as a varbinary value, we get 1:

    SELECT PWDCOMPARE(N'mypassword', 0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF);
    

    If you can't fix the table, then you can perform this expensive explicit conversion in your query every time (note that the trailing ,1 is important):

    SELECT PWDCOMPARE(N'mypassword', 
      CONVERT(VARBINARY(128), N'0x0200D422C0365A196E308777C96CBEF3854818601DDB516CADA98DBDF6A5F23922DC0FADD29B806121EA1A26AED86F57FCCB4DDF98F0EFBF44CA6BA864E9E58A818785FDDEDF'
      , 1));
    

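The "change the column" option from the answer above, as an added example that is not part of the original answer: a one-time conversion of hex-text hashes into a varbinary(128) column, so that PWDCOMPARE needs no per-query CONVERT. The temp table #Membership and its column names are hypothetical, the sample rows are constructed, and TRY_CONVERT assumes SQL Server 2012 or later.

```sql
-- Constructed sample table: the hash is stored as hex text, as in the failing case above.
CREATE TABLE #Membership (
    UserId           int            NOT NULL PRIMARY KEY,
    PasswordHashText nvarchar(300)  NULL,  -- hypothetical existing text column
    PasswordHash     varbinary(128) NULL   -- new column of the type PWDCOMPARE expects
);

INSERT #Membership (UserId, PasswordHashText)
VALUES (1, CONVERT(nvarchar(300), PWDENCRYPT(N'mypassword'), 1)),  -- '0x...' hex string
       (2, N'not-a-hex-hash');                                     -- malformed row

-- One-time conversion. Style 1 parses the '0x...' text as hex digits;
-- TRY_CONVERT returns NULL instead of raising an error on text that is not valid hex.
UPDATE #Membership
SET PasswordHash = TRY_CONVERT(varbinary(128), PasswordHashText, 1);

-- Rows that had text but did not convert need manual attention before
-- the text column is dropped.
SELECT UserId
FROM #Membership
WHERE PasswordHashText IS NOT NULL
  AND PasswordHash IS NULL;

-- Verification now reads the varbinary column directly, with the candidate
-- password passed as a parameter rather than concatenated into the query.
DECLARE @candidate nvarchar(128) = N'mypassword';

SELECT UserId,
       PWDCOMPARE(@candidate, PasswordHash) AS IsMatch
FROM #Membership
WHERE UserId = 1;

DROP TABLE #Membership;
```

The second SELECT lists UserId 2 as unconverted, and the final SELECT returns IsMatch = 1 for UserId 1.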