In my application, the HASHBYTES SQL function returns different values for the same string.
Below is my user creation code.
C#
Guid fillerG = Guid.NewGuid(); // random salt, appended to the password before hashing and stored alongside it
// Note: the closing parenthesis of the VALUES (...) list was missing in the posted statement; it is restored here.
using (SqlCommand com = new SqlCommand("INSERT INTO App_Users (UserName, PasswordHash, PasswordSalt) VALUES ('" + userNameTxt.Text + "', HASHBYTES ( 'SHA1', CONVERT(NVARCHAR(100), '" + userPassword.Text + fillerG.ToString() + "') ),  '" + fillerG.ToString() + "'); ", con))
{
    com.ExecuteNonQuery();
}

If I compare the above inserted row in my login page, it doesn't match.
This is my comparing script.
C#
SqlCommand loginCom = new SqlCommand("select COUNT(UserID) FROM App_Users WHERE UserName = '" + Login1.UserName.Replace("'", "''") + "' AND PasswordHash = HASHBYTES('SHA1', '" + Login1.Password.Replace("'", "''") + "' + CONVERT(NVARCHAR(36), PasswordSalt))", loginCon);


The first code stores the PasswordHash as this:
0xDAC9280F85B40C06314228876717E342432807DB

But in the query window, the HASHBYTES function with the same value returns this:
0xA561FBD35713F922AD761594658C193F12B82791
Updated 22-Mar-15 3:56am

That's maybe because in the two cases you have different strings to HASH...
In the first case you HASH password + filler, but in the second case you first replace single quotes with two single quotes before the HASH!!!
Comments
Yesudass Moses 23-Mar-15 1:31am    
No, I replaced quotes in both code samples. But to make the code concise here, I removed those when posting.
Kornfeld Eliyahu Peter 23-Mar-15 3:09am    
And how should anyone know that!?
When you post a code sample be true to your original code, do not remove meaningful parts!!!
Can we see your real code?
See, there is no problem with SQL HASHBYTES function in general, so the problem is somewhere in your code...without seeing that code we can not help you...
Yesudass Moses 23-Mar-15 3:32am    
Hi Kornfeld. Thanks for your reply.
Actually, my password or UniqueID doesn't have any single quotes, and it's failing for all passwords. That's why I removed that long messy code.
Anyway, I got the problem solved. The DataType of my fillerG (GUID) field on the database table was UniqueID. When I changed it to Nvarchar, the problem was fixed. :)
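The comment above reports that storing the salt as Nvarchar instead of UniqueID made the hashes match. The following added example (not code from the question or the answers) reproduces HASHBYTES('SHA1', ...) locally so the two inputs can be compared without a database round trip. It rests on two facts about SQL Server: HASHBYTES hashes the raw bytes of its argument, so an NVARCHAR input is UTF-16LE (Encoding.Unicode in .NET), and CONVERT(NVARCHAR(36), <uniqueidentifier>) renders the GUID in uppercase hex, whereas Guid.ToString() in .NET renders it in lowercase. The password and GUID values are constructed; the real ones are not on the page.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the asker's code: emulates HASHBYTES('SHA1', ...) for
// NVARCHAR (UTF-16LE) and VARCHAR (single-byte, ASCII assumed here) inputs.
static class HashBytesCheck
{
    // Hex string in the same form SQL Server prints a varbinary value.
    static string Sha1Hex(byte[] data)
    {
        using (var sha1 = SHA1.Create())
            return "0x" + BitConverter.ToString(sha1.ComputeHash(data)).Replace("-", "");
    }

    // What HASHBYTES sees for an NVARCHAR argument.
    public static string HashAsNVarChar(string s) => Sha1Hex(Encoding.Unicode.GetBytes(s));

    // What HASHBYTES sees for a VARCHAR argument (one byte per character).
    public static string HashAsVarChar(string s) => Sha1Hex(Encoding.ASCII.GetBytes(s));

    public static void Main()
    {
        // Constructed sample values.
        string password = "Example#Pass1";
        Guid salt = Guid.NewGuid();

        // Insert side: password + Guid.ToString(), lowercase hex.
        string insertInput = password + salt.ToString();

        // Login side when PasswordSalt is uniqueidentifier: the CONVERT yields
        // uppercase hex, so the concatenated text (and its hash) differs.
        string loginInputUniqueId = password + salt.ToString().ToUpperInvariant();

        // Login side when PasswordSalt is nvarchar: the stored text is used as-is.
        string loginInputNVarChar = password + salt.ToString();

        Console.WriteLine(HashAsNVarChar(insertInput));
        Console.WriteLine(HashAsNVarChar(loginInputUniqueId));  // different from the insert hash
        Console.WriteLine(HashAsNVarChar(loginInputNVarChar));  // same as the insert hash

        // A VARCHAR literal feeds different bytes again, so mixing
        // VARCHAR and NVARCHAR between insert and login also breaks the comparison.
        Console.WriteLine(HashAsVarChar(insertInput));
    }
}
```

Running this shows three distinct hashes and one match; the matching pair is the nvarchar-salt path. The practical check when HASHBYTES "returns different values" is therefore to SELECT the exact expression being hashed on each side and compare the text and its data type before comparing the hashes.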
Must people use strings for SQL statements? No wonder the OP couldn't figure out what was happening with the HASH function... It took me longer to read the code than to figure out as Kornfeld Eliyahu Peter had that the function was passing in/back incorrect and different results...

For the sake of security (Read up on SQL injection) and for the sake of the next developer's sanity, use SQLParameters to pass values instead of working with a bunch of strings...
Comments
Yesudass Moses 23-Mar-15 1:54am    
Thanks for the parameter tip.
But I replaced quotes in both code samples. To make the code concise here, I removed those when posting.
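As an added example (not the asker's code), here are the two statements from the question rewritten with SqlParameter, as the answer above recommends, so that no user input is concatenated into the SQL text. It assumes the App_Users table from the question (UserName, PasswordHash as varbinary, PasswordSalt as nvarchar(36), with the salt stored as text as the asker ended up doing) and uses a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the asker's code: parameterized versions of the
// user-creation and login queries from the question.
static class AppUsers
{
    // Placeholder; supply a real connection string.
    const string ConnectionString = "<connection string placeholder>";

    public static void CreateUser(string userName, string password)
    {
        // Salt stored as text, exactly as it is hashed.
        string salt = Guid.NewGuid().ToString();
        const string sql =
            "INSERT INTO App_Users (UserName, PasswordHash, PasswordSalt) " +
            "VALUES (@user, HASHBYTES('SHA1', @password + @salt), @salt)";

        using (var con = new SqlConnection(ConnectionString))
        using (var com = new SqlCommand(sql, con))
        {
            // NVarChar on both parameters keeps the hashed expression nvarchar,
            // so HASHBYTES sees the same bytes at creation and at login.
            com.Parameters.Add("@user", SqlDbType.NVarChar, 100).Value = userName;
            com.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            com.Parameters.Add("@salt", SqlDbType.NVarChar, 36).Value = salt;
            con.Open();
            com.ExecuteNonQuery();
        }
    }

    public static bool CheckLogin(string userName, string password)
    {
        const string sql =
            "SELECT COUNT(UserID) FROM App_Users " +
            "WHERE UserName = @user AND PasswordHash = HASHBYTES('SHA1', @password + PasswordSalt)";

        using (var con = new SqlConnection(ConnectionString))
        using (var com = new SqlCommand(sql, con))
        {
            // Quotes in the input no longer need Replace("'", "''"): the
            // value never becomes part of the SQL text.
            com.Parameters.Add("@user", SqlDbType.NVarChar, 100).Value = userName;
            com.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            con.Open();
            return (int)com.ExecuteScalar() == 1;
        }
    }
}
```

The example keeps the page's scheme of hashing inside the database with SHA1 so that it maps directly onto the original statements; in a new design the usual choice is a deliberately slow password hash computed in the application (for example PBKDF2 via Rfc2898DeriveBytes) with only the resulting hash and salt stored.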

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)