2

In my Application, the HASHBYTES SQL function returns different values for same string. Below is my user creation code. 

Guid fillerG = Guid.NewGuid(); 
 using (SqlCommand com = new SqlCommand("INSERT INTO App_Users (UserName, PasswordHash, PasswordSalt) VALUES ('" + userNameTxt.Text + "', HASHBYTES ( 'SHA1', CONVERT(NVARCHAR(100), '" + userPassword.Text +          fillerG.ToString() + "') ),  '" + fillerG.ToString() + "'; ", con))
{
     com.ExecuteNonQuery();
}

When I compare the above inserted row in my Login Page, It doesn't match. This is my comparing script. 

SqlCommand loginCom = new SqlCommand("select COUNT(UserID) FROM App_Users WHERE UserName = '" + Login1.UserName + "' AND PasswordHash = HASHBYTES('SHA1', '" + Login1.Password + "' + CONVERT(NVARCHAR(36), PasswordSalt))", loginCon);

The first code stores the passwordHash as this:

0xDAC9280F85B40C06314228876717E342432807DB

But in the query window, the HASHBYTES function with same value returns this:

 0xA561FBD35713F922AD761594658C193F12B82791

UPDATE: Check this Image, The password Hash stored by the code is different than the password generated by the query (the password I gave is 'ee')

Query Output

Improve this question
1
  • hashbytes is a deterministic function. If you feed it the same input using the same hash function, you'll get the same result. The only conclusion is that the two strings are NOT in fact equal. I'd print both strings, check for leading/trailing, white space, invisible characters and encoding. Commented Mar 22, 2015 at 17:08

1 Answer 1

Reset to default
5

You are passing Two different String to HASHBYTES thats why you are getting the different Result.

IN This Query:

using (SqlCommand com = new SqlCommand("INSERT INTO App_Users (UserName, PasswordHash, PasswordSalt) VALUES ('" + userNameTxt.Text + "', HASHBYTES ( 'SHA1', CONVERT(NVARCHAR(100), '" + userPassword.Text +          fillerG.ToString() + "') ),  '" + fillerG.ToString() + "'; ", con))
{
     com.ExecuteNonQuery();
}

You are using userPassword.Text +fillerG.ToString() as String But

IN This Query:

Login1.Password.Replace("'", "''") + "' + CONVERT(NVARCHAR(36), PasswordSalt))", loginCon);

You are replacing the quotes

Login1.Password.Replace("'", "''")

Try like This: use parameterized Query

SqlCommand cmd = new SqlCommand("INSERT INTO App_Users (UserName, PasswordHash, PasswordSalt) VALUES (@username, HASHBYTES ( 'SHA1', CONVERT(NVARCHAR(100),@pass')),@salt), con)

    cmd.Parameter.AddWithValue("@username",userNameTxt.Text);
    cmd.Parameter.AddWithValue("@pass",userPassword.Text);
    cmd.Parameter.AddWithValue("@salt",fillerG.ToString());

And

 SqlCommand cmd = new SqlCommand("select COUNT(UserID) FROM App_Users WHERE UserName = @username AND PasswordHash = HASHBYTES ( 'SHA1', CONVERT(NVARCHAR(100),@salt)))), con)

cmd.Parameter.AddWithValue("@username",userNameTxt.Text);
cmd.Parameter.AddWithValue("@salt",Login1.Password);

Login1.Password and fillerG.ToString() must be Same

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

No,,, thats not the issue,,, I am replacing quotes on both codes... To make it concise in my post, I removed those in first code.
I tried adding parameters, but still... :( Hi, Can you check the update on my question please.
I suspect that this is the problem with data type conversion. NVARCHAR, and VARCHAR gives me different results.
Omg I cannot believe its working... Its working when I change the datatype of fillerG from UniqueIdentifier to NVarchar in table :) Thanks so much friend

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.