<p>You should really hash those passwords, use the following code</p>
<pre><code>DELIMITER $$
CREATE DEFINER=`root`@`localhost` PROCEDURE `change_pass`(
    in_Email VARCHAR(45),
    in_PassOld VARCHAR(45),
    in_PassNew VARCHAR(45)
)
BEGIN
    DECLARE KnowsOldPassword INTEGER;
    -- Verify the old password by recomputing the salted hash for this user
    SELECT count(*) INTO KnowsOldPassword
    FROM User
    WHERE Email = in_Email
      AND passhash = SHA2(CONCAT(salt, in_PassOld), 512);
    -- Only store the new hash when the caller knows the old password
    IF (KnowsOldPassword &gt; 0) THEN
        UPDATE User
        SET passhash = SHA2(CONCAT(salt, in_PassNew), 512)
        WHERE Email = in_Email;
    END IF;
END $$
DELIMITER ;
</code></pre>
<p>The <code>salt</code> is an extra field in table <code>user</code> that is more or less random, but does not need to be secret. It serves to defeat <a href="http://en.wikipedia.org/wiki/Rainbow_table" rel="nofollow noreferrer">rainbow tables</a>.<br>
You can set the salt to a short char(10) string of randomish data, e.g.</p>
<pre><code>salt = ROUND(RAND(UNIX_TIMESTAMP(NOW())) * 9999999999);
</code></pre>
<p>You don't need to update the salt, just generate it once and then store it.</p>
<p>For more on this issue see:<br>
<a href="https://stackoverflow.com/questions/3273293/salting-my-hashes-with-php-and-mysql">Salting my hashes with PHP and MySQL</a><br>
<a href="https://stackoverflow.com/questions/2283937/how-should-i-ethically-approach-user-password-storage-for-later-plaintext-retriev">How should I ethically approach user password storage for later plaintext retrieval?</a></p>
<p><strong>A comment on your code</strong></p>
<pre><code>IF(@PassOld == in_PassOld) THEN  -- incorrect
IF(@PassOld = in_PassOld) THEN   -- correct, SQL &lt;&gt; PHP :-)
</code></pre>
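<p>The application-side counterpart of the stored procedure above, as an added example that is not part of the original answer: it keeps a constructed in-memory stand-in for the <code>User</code> table, generates a per-user random salt from the OS CSPRNG instead of <code>RAND()</code>, computes the same digest MySQL produces with <code>SHA2(CONCAT(salt, password), 512)</code> (lowercase hex), and only writes the new hash after the old password verifies. The function and column names (<code>create_user</code>, <code>knows_old_password</code>, <code>change_pass</code>, the 32-character salt) are assumptions made for this example.</p>

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the MySQL `User` table: email -> {salt, passhash}.
USERS = {}


def salted_sha512(salt: str, password: str) -> str:
    """Same digest MySQL computes with SHA2(CONCAT(salt, password), 512): lowercase hex."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> str:
    # Per-user, non-secret salt from the OS CSPRNG; 32 hex chars is an assumed column width.
    return secrets.token_hex(nbytes)


def create_user(email: str, password: str) -> None:
    # The salt is generated once at account creation and stored beside the hash.
    salt = new_salt()
    USERS[email] = {"salt": salt, "passhash": salted_sha512(salt, password)}


def knows_old_password(email: str, password: str) -> bool:
    row = USERS.get(email)
    if row is None:
        return False
    # Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    return hmac.compare_digest(row["passhash"], salted_sha512(row["salt"], password))


def change_pass(email: str, pass_old: str, pass_new: str) -> bool:
    """Mirror of the stored procedure: update only if the caller proves the old password."""
    if not knows_old_password(email, pass_old):
        return False
    USERS[email]["passhash"] = salted_sha512(USERS[email]["salt"], pass_new)
    return True


if __name__ == "__main__":
    create_user("alice@example.com", "correct horse")
    print(change_pass("alice@example.com", "wrong guess", "new pass"))    # False
    print(change_pass("alice@example.com", "correct horse", "new pass"))  # True
    print(knows_old_password("alice@example.com", "new pass"))           # True
```

<p>Because the digest is computed over the concatenated string exactly as MySQL does, a hash written by this code verifies inside the stored procedure and vice versa, which is what you need when the check lives in the database and the password form lives in the application.</p>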