Results 1 to 10 of 10

Thread: Pwdcompare()

  1. #1
    Join Date
    Feb 2003
    Posts
    27

    Exclamation Unanswered: Pwdcompare()

    I have a Oracle view which has user-info : user-name , passwords. Passwords in this view are encrypted. I exported this view to SQL Server. Can i use PWDCOMPARE(<plaintext>, <encryptedtext>) function on exported table to compare the Passwords?

  2. #2
    Join Date
    May 2002
    Posts
    299

    Re: Pwdcompare()

    I don't think this is going to resolve your issue. Encryption done by Oracle is *proprietary* to Oracle. Pdwcompare() is proprietary to SQL. I also want to note that the use of this undocumented function is not supported by MS and they could change its behavior at anytime.
    --
    -oj
    http://www.rac4sql.net

  3. #3
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249
    With pwd.. functions and large strings, ANY user can crash pre-SP3 sql server!

  4. #4
    Join Date
    Feb 2003
    Posts
    27
    So how can i secure the user-info table which has "user-name & password" in SQL Server. Is thier a way that i can hide the password?

    Thanks

  5. #5
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249
    Do not save passwords in open format, even encrypted.
    If your table is used to authorize users, store hash of password,
    for example SHA1. Try http://www.activecrypt.com.

    Good luck !

  6. #6
    Join Date
    Feb 2003
    Posts
    27

    Talking

    Hi ispaleny,

    Thank you for the link. It was really helpful. I just went through the link. It defines some encrytion algorithms. I am using SQL Server 7, and it doesn't allow "CREATE FUNCTION". Is their any other alternative?

    Thanks
    Last edited by newbie03; 02-21-03 at 10:26.

  7. #7
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249
    Use stored procedure to encrypt row by row.

  8. #8
    Join Date
    Feb 2003
    Posts
    27
    I am able to use the stored procedure to encrypt each row one by one. But i am facing problem comparing the password.

    I tried using "exec <storedprocedure name> " in the select statement and it doesn't allow me to do so. i want to use the return value of the stored procedure in the SELECT statement. I wrote stored procedure with two input variable and one output variable. I want to use the value of this output variable in the select statement.

    Thanks

  9. #9
    Join Date
    Dec 2002
    Location
    Czech Republic
    Posts
    249
    Is this what you want ?

    declare @Ret bit
    exec usp_YourSP '&^%','@$#%^^$^#',@Ret OUTPUT
    select * from YourTable where YourCol=@Ret
    Last edited by ispaleny; 02-25-03 at 10:27.

  10. #10
    Join Date
    Feb 2003
    Posts
    27
    No I was trying to use something like this

    Select * from table1 where col1 = exec <storedprocedure> @Ret OUTPUT.

    I wanted call this stored procedure in my servlet program. I got that working, by using CallableStatement. Link you posted http://www.activecrypt.com. was very helpful. Thank you.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •