New topic: How to use SQL Select for Encrypted data
<http://forums.realsoftware.com/viewtopic.php?t=45979>
Page 1 of 1 [ 4 posts ]

tseyfarth
Post subject: How to use SQL Select for Encrypted data
Posted: Mon Nov 19, 2012 11:22 am
Joined: Sat Dec 04, 2010 9:14 pm | Posts: 740

Hello all,

I just started working with encrypted data and have run up against a problem. I use the Einhugur plugin, which works perfectly. My issue is using SQL SELECT against the PW data that is saved in the database.

    Dim osql as new cSmartSQL
    dim p as string = Passwrd
    // Encrypt the supplied password so it can be compared with the stored value
    If Dec = True Then Passwrd = Encryption(Passwrd, True)
    osql.StatementType = eStatementType.Type_Select
    osql.AddTable "users"
    osql.AddFields "lname","fname","loginid","pw","permission_level","custom_layout", _
      "connex_corp_login", "connex_master_pw", "connex_ui_id", "connex_user_pw", _
      "device_cpu_serial", "connex_corpid", "connex_user_login", "connex_ip", "rowid"
    osql.ClearWhereClause
    // Match on both the login id and the encrypted password
    osql.AddComplexWhereClause = "users.loginid="+ SQLs(UsrID)+ " AND users.pw="+ SQLs(Passwrd)

Einhugur recommends using random data as shown in the code below. This is good, but also bad. The encrypted output is different each time, by design. So while it is decoded properly each time, it is never encoded the same way twice.

    // Add 15 extra bytes to ensure that Twofish will encrypt the
    // entire string if it's not divisible by 16
    // For maximum security then those characters should be randomly generated
    // and not a constant like we show it here
    myString=myString+ RandomGenerator(15, 126) // add 15 extra bytes, max value of 126

So the question is, what is the best way to use the randomizing AND still be able to work with SQL SELECTs to match the encrypted data?

Thank you,
Tim


Thom McGrath
Post subject: Re: How to use SQL Select for Encrypted data
Posted: Mon Nov 19, 2012 11:34 am
Site Admin | Joined: Tue May 06, 2008 1:07 pm | Posts: 1249 | Location: Greater Hartford Area, CT

Select the record by login id, then decrypt the password and compare.
But I would avoid encrypting passwords. If you can decrypt a password, so can a hacker. Hashing is a better idea.
_________________
Thom McGrath - @tekcor
Web Framework Architect, Real Software, Inc.


tseyfarth
Post subject: Re: How to use SQL Select for Encrypted data
Posted: Mon Nov 19, 2012 11:45 am
Joined: Sat Dec 04, 2010 9:14 pm | Posts: 740

Thanks Thom,

But what is the difference between Hashing and Encryption?

Tim


Bob Keeney
Post subject: Re: How to use SQL Select for Encrypted data
Posted: Mon Nov 19, 2012 11:49 am
Joined: Fri Sep 30, 2005 11:48 am | Posts: 3280 | Location: Lenexa, KS

Just found this article this morning. Thought it was very informative: http://crackstation.net/hashing-security.htm
_________________
Bob K.
Get true Word Processing in your Real Studio applications with Formatted Text Control at http://www.bkeeney.com/products/formatted-text-control
36+ hours of Real Studio Video Training at http://www.bkeeney.com/
Real Studio Consulting http://www.bkeeney.com/consulting/real-studio-consulting
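Added example, not part of the thread and not any poster's code: the "select by login id, then compare" approach combined with the salted hashing suggested in the replies, written in Python with SQLite rather than REALbasic. The `users` table and `loginid` column come from the first post; the `pw_salt`, `pw_hash` and `pw_iter` columns, the iteration count and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed work factor; tune to your hardware

def hash_password(password, salt, iterations=ITERATIONS):
    # One-way: the stored value can be re-derived for comparison, never decrypted.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def create_user(db, login_id, password):
    salt = os.urandom(16)  # random per user, so equal passwords store differently
    db.execute(
        "INSERT INTO users (loginid, pw_salt, pw_hash, pw_iter) VALUES (?, ?, ?, ?)",
        (login_id, salt, hash_password(password, salt), ITERATIONS),
    )

def check_login(db, login_id, password):
    # Select by login id only. Because the stored value is randomized per row,
    # it cannot be matched with "AND users.pw = ..." in the WHERE clause.
    row = db.execute(
        "SELECT pw_salt, pw_hash, pw_iter FROM users WHERE loginid = ?",
        (login_id,),
    ).fetchone()
    if row is None:
        # Unknown login id: do the same work so timing does not reveal it.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, iterations = row
    # Recompute with the row's own salt and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)

def demo():
    # Constructed sample data: two users who picked the same password.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (loginid TEXT PRIMARY KEY, "
               "pw_salt BLOB, pw_hash BLOB, pw_iter INTEGER)")
    create_user(db, "tim", "correct horse")
    create_user(db, "bob", "correct horse")
    return db

if __name__ == "__main__":
    db = demo()
    print(check_login(db, "tim", "correct horse"), check_login(db, "tim", "wrong"))
```
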
