Query to validate hash password from user source database

Eugene49 · March 5, 2024, 10:27pm

I setup user source to use database with mode set to Automatic.

The table now has a user record with hashed Password.

On the perspective client, I want the user to enter password, and be able to validate via query.

How does the MSSQL query where clause looks like? Below returned error.

	args=[]
	args.append("operator")
	args.append("operator")
	
	query = \
	"""
	select username from scada_users where username = ? and password = MD5(?);
	"""
	result = system.db.runPrepQuery(query, args)

Returned Error:
SQLServerException: 'MD5' is not a recognized built-in function name.

Kevin.Herron · March 5, 2024, 10:38pm

The DB automatic source is not relying on a SQL MD5 function, it's applying a SHA1 hash before it runs the query and then matching the password to the hash in the WHERE clause.

Eugene49 · March 5, 2024, 11:37pm

Any code snip how ignition convert literal password to hash password?
Seems the hash password in database is not HEX.

I tried the following in script console, output is not same with database:

import hashlib 
# initializing string 

str = "operator"

result = hashlib.sha1(str.encode()) 

# printing the equivalent hexadecimal value. 
print("The hexadecimal equivalent of SHA1 is : ") 
print(result.hexdigest())

Kevin.Herron · March 5, 2024, 11:54pm

            byte[] bytes = input.getBytes("UTF-8");
            byte[] sha1 = sha1(bytes);
            return Base64.encodeBytes(sha1);

pturmel · March 5, 2024, 11:55pm

No salt?

Kevin.Herron · March 5, 2024, 11:58pm

This profile is ancient. Internal profiles have been updated to use SHA-256 and a salt.

Eugene49 · March 6, 2024, 12:16am

oh shoot i got it:

import hashlib
import base64

str = "this is a password"
sha1 = hashlib.sha1(str.encode()) 
print(base64.b64encode(sha1.digest()))

THANK YOU.