[deucalion0]

Hey guys, I have a database table that has users and the passwords are encrypted using SHA256, I need to create a login form using ColdFusion but I cannot figure out the code that to tell the posted password variable that the password in the table is encrpyted.

Here is my code:

   <cfquery name="qVerify" datasource="MyDSN">
   	SELECT	*
       FROM	cryptuser
       WHERE firstname = '#firstname#'
       AND	 password = '#password#'
</cfquery>

It won't work unless I can tell #password# that password in the table is encrypted using SHA256.

Can anyone help me figure out how to do this, I cannot see any clear answer from my research.

Many thanks.

[Craig328]

Hey deucalion0. I want to make sure I understand what your situation is. You have passwords in your table. Are passwords stored in an encrypted string in the database? If so, what you're going to need to do is to encrypt whatever the user is passing in as a password and then compare it to what you have in the database. To encrypt the user's password submission you'll need to use a native CF function called Hash().

Using that function, your SQL query will look like this:

   
<cfset variables.hashedPW = Hash(password,"SHA-256")>
<cfquery name="qVerify" datasource="MyDSN">
   	SELECT	*
       FROM	cryptuser
       WHERE firstname = '#firstname#'
       AND	 password = '#variables.hashedPW#'
</cfquery>

If what the user submitted as a password and which you then hashed with the SHA-256 algorithm matches what's in the database, your query will come back with a good record and if it doesn't match it won't.

Hope that helps. Good luck!

[deucalion0]

Craig 328, thank you so much that was perfect! I would never have figured out how to do that so thanks for your help it works perfectly!!!

I appreciate it!!!!!