I am currently hashing my password field in my Oracle database by using DBMS_CRYPTO.HASH
. At this point, however, I need to allow my Java application to be able to authenticate a password on user input in a way similar to what MySQL does. Something like:
SELECT *
FROM user_login_table
WHERE password = SHA1('MyPassword');
I am currently hashing via the following procedure:
CREATE OR REPLACE PROCEDURE
MUNGAI.p_auth_insert_user (
par_username in varchar2,
par_password in varchar2,
par_work in varchar2
)
IS l_hash raw(2000);
BEGIN
l_hash :=
dbms_crypto.hash(
utl_i18n.string_to_raw(par_password || par_work || upper(par_username),
'AL32UTF8'
),
dbms_crypto.hash_sh1
);
INSERT INTO user_login_table (user_name, p_word, work_class)
VALUES (par_username, l_hash, par_work);
END p_auth_insert_user;
/
I am then executing the procedure as follows, to insert into the table:
EXEC MUNGAI.p_auth_insert_user('MUNGAI', 'gatungo', '999')
Is there a better way to achieve this in my situation? I am using Oracle 11g, if that matters.
Assuming that the hashed password is stored in a
RAW
column inuser_login_table
, you could simply calldbms_crypto.hash
in your SQL statement. Depending on how you are doing the initial hashing (in particular how you are converting the plain-text password toRAW
and what algorithm and options you're using), something like this would workOf course, as a general matter of good coding practices you almost certainly want to define your own function that hashes the password so that you can embed the logic for how to convert the string to a
RAW
and specify the hash algorithm in a single place. You would then call that new function from your SQL statement. That's the function where, presumably, you would add an appropriate salt as well. You would use that function, then, both to do the initial seeding of hashed data in the table and to verify password hashes in the future.I would also assume that your actual query would have a predicate on
username
in addition to passwordOtherwise, the query you posted would merely validate that the password matched the password of someone in the database not the specific person that was trying to log in. Plus, it would return multiple rows if two people had the same password hash.
In your specific case, therefore, I would expect that you would want to create a new function
hash_password
You would then call this function from your insert procedure
Your query would then be