I've stored passwords in MySQL using SHA1 encryption, and I have migrated my DB from MySQL to DB2.
How can I fetch the record from DB2?
Select * from table where name = 'user' and password = sha1('123456')
But it generates error in db2. How can I check the login for the existing details?
If the original app contains only a few references to sha1() in the SQL statements, you could switch them to a similar function in DB2, such as ENCRYPT(): http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0004211.html
Now you have a HASH function
SELECT HEX(HASH('Charlie at IBM',1)) FROM SYSIBM.SYSDUMMY1;
D6E42303462491FC696EAC53C1B086A5034735A7
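An application-side check for the migrated rows, as an added example that is not part of the original answers. It assumes the stored values are the unsalted hex digests written by MySQL's SHA1(), which are lower-case, whereas DB2's HEX() prints upper-case as in the output above, so the comparison normalizes case. The function name, the UTF-8 encoding and the sample rows are assumptions.

```python
import hashlib
import hmac
import re

_SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")

def verify_legacy_sha1(stored_hex, candidate_password):
    """Check a password against an unsalted SHA-1 hex digest migrated from MySQL.

    Accepts either letter case, so it does not matter whether the column still
    holds MySQL's lower-case output or was rewritten through DB2's HEX().
    """
    stored_hex = stored_hex.strip()      # tolerate blank padding from a CHAR column
    if not _SHA1_HEX.fullmatch(stored_hex):
        return False                     # truncated or non-hex value: reject
    # Assumption: the passwords were hashed as UTF-8 bytes.
    digest = hashlib.sha1(candidate_password.encode("utf-8")).hexdigest()
    # Constant-time comparison of the case-normalized digests.
    return hmac.compare_digest(digest, stored_hex.lower())

# Constructed sample rows: SHA-1 of '123456' in MySQL style and in DB2 HEX() style.
MYSQL_STYLE = "7c4a8d09ca3762af61e59520943dc26494f8941b"
DB2_STYLE = MYSQL_STYLE.upper()
```

A plain case-sensitive string comparison of these two sample rows fails even though they encode the same digest, which is the first thing to check when a migrated login stops matching.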
I created an SQLite database with DB Browser for SQLite (not encrypted) and opened it with FireDAC in Delphi. (I can retrieve data, e.g. Select * from abc.)
How do I encrypt this SQLite database with FireDAC? When I enter the username and password and encrypt, I get the message "Cipher DB is not encrypdet"
Note:
When I create an SQLite database from Delphi FireDAC, I can use encryption!
To encrypt a database, use a TFDSQLiteSecurity Component. You'll also need a TFDSQLitePhysSQLiteDriverLink component to go along with it.
If a database is unencrypted, then its password is ''. So use '' as the OldPassword and create the new password in that case. Passwords are formatted as algorithm:PassPhrase. See documentation on the choices, I use aes-256. Also, the database needs to be closed when you do this.
...
//Change password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := NewPassword; // example: 'aes-256:mypassword123'
FDSQLiteSecurity1.ChangePassword;
...
//Remove Password
FDSQLiteSecurity1.Password := OldPassword;
FDSQLiteSecurity1.ToPassword := '';
FDSQLiteSecurity1.RemovePassword;
...
From the Documentation
SQLite Encrypted Database
Approach
One of the distinctive SQLite features is the high-speed strong database encryption. It allows you to make database file content confidential and enforce integrity control on the database file. The encrypted database format is not compatible with other similar SQLite encryption extensions. This means that you cannot use an encrypted database, encrypted with non-FireDAC libraries. If you need to do this, then you have to decrypt a database with an original tool and encrypt it with FireDAC.
Recent Delphi versions come with an example project for working with encryption on Sqlite databases, see this documentation. I have not used this myself, btw.
It includes this section
Encrypt DB
Encrypt: Encrypts the database according to the Encryption mode and the password provided.
The sample uses TFDSQLiteSecurity.SetPassword to encrypt the database with the password provided.
The database password is the combination of <encryption algorithm>:<password>.
I faced several challenges when I first tried to encrypt an SQLite database for use with Embarcadero FireDAC. Although all the information is published by Embarcadero, the question pops up again and again on different forums. My case was solved based on community support, but when time permitted, a simple Delphi application was assembled and made available on SourceForge. I hope it will make encryption/decryption slightly easier, particularly for the newbie:
https://sourceforge.net/projects/sqlite-sequrity-for-delphi/
FMDB version (2.6.2)
Problem:
I am testing FMDB and SQLCipher, and find a tricky problem.
I encrypt a db with password 'test001' successfully, and I export it and open the db with DB Browser; with 'test001' I open it without any problem. Then in Xcode I try to open the DB with password 'test002' (I do this to test if FMDB will tell me that I use a wrong password), however setkey() returns YES. I check db.lastErrorMessage, and it returns nil, which means FMDB thinks I gave the right key. Then I try to read data from the DB using executeQuery(); the function returns NO, and the NSLog shows 'file is encrypted or is not a database'.
Anyone has the same problem? Is it a bug of sqlite or I use it in a wrong way?
setkey() return YES
executeQuery() return NO due to decrypt error
The call to setKey(…) does not verify that the password provided is valid for the current database; rather, it just causes the database to attach a codec context within SQLCipher. The next SQL command that you issue following the keying of the database will cause key derivation to occur (so long as you are not using a raw hex key), and will generally validate whether SQLCipher is able to use the key to access your database. We generally recommend you attempt to execute the following query to validate that the password is valid, as the sqlite_master table will always be present, regardless of your schema.
SELECT count(*) FROM sqlite_master;
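The same open-then-probe pattern, as an added example that uses Python's built-in sqlite3 module rather than FMDB or SQLCipher (neither is used here). A file of opaque bytes stands in for a database whose pages cannot be decrypted: opening it succeeds, and only the sqlite_master probe reports the failure. The function names and sample files are constructed for illustration.

```python
import os
import sqlite3

def database_is_readable(path):
    """Open the file, then run the sqlite_master probe to see whether pages can be read."""
    conn = sqlite3.connect(path)       # succeeds even when the content is unreadable
    try:
        conn.execute("SELECT count(*) FROM sqlite_master").fetchone()
        return True
    except sqlite3.DatabaseError:      # e.g. "file is not a database"
        return False
    finally:
        conn.close()

def make_samples(directory):
    """Constructed inputs: one real database and one file of opaque bytes."""
    good = os.path.join(directory, "good.db")
    conn = sqlite3.connect(good)
    conn.execute("CREATE TABLE t (x INTEGER)")
    conn.commit()
    conn.close()
    opaque = os.path.join(directory, "opaque.db")
    with open(opaque, "wb") as fh:
        fh.write(bytes(range(256)) * 16)   # 4096 bytes with no SQLite header
    return good, opaque
```

Treat the result of the probe, not the result of the open or keying call, as the signal that the supplied key was accepted.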
I'm using Couchbase Lite for Xamarin (android) and I would like to delete an encrypted DB.
Here is my code to delete:
var databaseName = "XYZ";
var manager = Manager.SharedInstance;
manager.GetExistingDatabase(databaseName).Delete();
When I run this code I get:
Couchbase.Lite.CouchbaseLiteException: Error 21, 26 (file is encrypted or is not a database) executing sql 'CREATE TABLE docs ( doc_id INTEGER PRIMARY KEY, docid TEXT UNIQUE NOT NULL)'
I know the database exists and is encrypted.
The docs don't specify that deleting only works on unencrypted databases.
http://developer.couchbase.com/documentation/mobile/1.3/develop/references/couchbase-lite/couchbase-lite/database/database/index.html
Is there a different way to delete an encrypted database?
The correct way to do this is instead of
manager.GetExistingDatabase(databaseName).Delete();
do
manager.DeleteDatabase(databaseName);
This allows for deletion of an encrypted couchbase lite DB without having the key.
I want to encrypt both the username and password in SQL tables. Is it useful (is there any method for data encryption in SQL Server), or should I apply the encryption and decryption keys from the front end?
Till now I'm using encryption and decryption from the front end using HttpUtility and the base 64 method.
Column-level encryption (aka cell-level encryption) was introduced in SQL Server 2005 and is available in all editions of SQL Server, including the free SQL Server Express edition. To use cell-level encryption, the schema must be changed to varbinary, then reconverted to the desired data type. This means the application must be changed to support the encryption-decryption operation; in addition, it can affect performance. Encryption of the database occurs at the page level, but when those pages are read to buffer pool, they're decrypted. Data can be encrypted using a passphrase, an asymmetric key, a symmetric key, or a certificate. The supported algorithms for column-level encryption are AES with 128,196,256 bit keys and 3DES. To learn more about column-level encryption
For Information Please Read This article http://technet.microsoft.com/en-us/library/ms179331.aspx
You can use PWDENCRYPT and PWDCOMPARE, like @Paresh J in his comment. During new user insertion, use PWDENCRYPT like
Declare @Uname Varchar(250)='User2'
Declare @Pwd Varchar(250)='password'
Declare @UserTbl Table
(
id int identity(1,1),
Uname Varbinary(250),
Pwd Varbinary(250)
)
-- Store the PWDENCRYPT output for both values
Insert Into @UserTbl(Uname,Pwd)
select PWDENCRYPT(@Uname),PWDENCRYPT(@Pwd)
and during the login of that user use PWDCOMPARE like
Declare @UnameEncr Varbinary(max)
Declare @PwdEncrypt Varbinary(max)
Select @UnameEncr=Uname,@PwdEncrypt=Pwd from @UserTbl where id=1
-- PWDCOMPARE returns 1 when the clear text matches the stored value
Select LoginMessage=Case When PWDCOMPARE(@Uname,@UnameEncr)=1
and PWDCOMPARE(@Pwd,@PwdEncrypt)=1
Then 'Correct Username / Password'
else 'Incorrect Username / Password' end
I would like to demonstrate SQL injection using Java and sqlite. I'm attempting to execute two queries at the same time with SQL injection. The user is to prematurely end the statement using ;, then add another entry using an insert statement.
Mysql JDBC using allowMultiQueries=true in the connection string.
How can I do this using SQLite?
TIA
allowMultiQueries is a MySQL-specific connection parameter.
I do not know of any SQLite JDBC driver that would allow multiple commands in one query.
Therefore, this kind of SQL injection attack is not possible.
Your best bet would be to construct some query like this:
SELECT * FROM Users WHERE Name = 'admin'--' AND Password = 'whatever'
or this:
SELECT *
FROM Users
WHERE Name = 'admin'
AND Password = 'whatever' or Name='admin'
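The two queries above next to their parameterized form, as an added example that is not part of the original answer. It uses Python's built-in sqlite3 module instead of a JDBC driver; like the behaviour described in the answer, its execute() accepts a single statement. The table contents and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory Users table with one account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def login_concat(conn, name, password):
    # Vulnerable form: the input becomes part of the SQL text.
    sql = ("SELECT * FROM Users WHERE Name = '" + name +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_param(conn, name, password):
    # Hardened form: the input is bound as data and never parsed as SQL.
    sql = "SELECT * FROM Users WHERE Name = ? AND Password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

def second_statement_rejected(conn):
    # The ';' plus INSERT input from the question: execute() takes one statement only.
    try:
        login_concat(conn, "x'; INSERT INTO Users VALUES ('eve', 'x');--", "y")
    except (sqlite3.Warning, sqlite3.Error):
        return True
    return False

def user_count(conn):
    return conn.execute("SELECT count(*) FROM Users").fetchone()[0]
```

With the name `admin'--` or the password `whatever' or Name='admin`, login_concat() reports a successful login while login_param() does not, so the single-statement limit is not a substitute for bound parameters.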