Hello,
I am working on a small Java tool as a corporate extension for the evaluation of LimeSurvey surveys.
After starting it, the program should check the user credentials. Therefore it has to compare the passwords.
I found out that LimeSurvey hashes the password with the help of SHA256 and the result is stored in a BLOB field.
I am hashing the typed password with the attached method first and then I am selecting the String-converted password object from the database, but they are never equal, even though the typed password is correct.
I attached the SHA256 method and the DB method too:
// the method I use to hash the typed password:
private String getSHA2(String str) {
    MessageDigest md;
    try {
        md = MessageDigest.getInstance("SHA-256");
        md.update(str.getBytes());
        byte byteData[] = md.digest();
        // convert the bytes to hex format, method 1
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < byteData.length; i++) {
            sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16)
                    .substring(1));
        }
        return sb.toString();
    } catch (NoSuchAlgorithmException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    return null;
}
.
.
.
// the method to check the hashed pw against the password saved in the database
public static int checkPW(String username, String pw) {
    try {
        open_static_Connection();
        PreparedStatement sqlGetUserPW = static_con
                .prepareStatement(select_user_id);
        sqlGetUserPW.setString(1, username);
        ResultSet rsUser = sqlGetUserPW.executeQuery();
        while (rsUser.next()) {
            java.sql.Clob obj = rsUser.getClob("password");
            String str = obj.getSubString(1, (int) obj.length());
            System.out.println("str " + str);
            if (pw.equals(str)) {
                return rsUser.getInt("uid");
            } else
                return -1;
        }
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return -1;
}
Can someone help?
Thanks a lot.
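Added example, not part of the original post and not LimeSurvey's own code: one way to compare a typed password against a SHA-256 value held in a BLOB column is to read the column as bytes (`ResultSet.getBytes("password")`) instead of going through `getClob`, and to compare byte arrays. The class and method names are hypothetical, the sample rows are constructed, and it assumes the column holds either the raw 32-byte digest or its lowercase hex text.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class BlobPasswordCheck {

    // SHA-256 of the typed password, with an explicit charset so the result
    // does not depend on the platform default encoding.
    static byte[] sha256(String typed) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256")
                .digest(typed.getBytes(StandardCharsets.UTF_8));
    }

    // Lowercase hex encoding of a digest, returned as ASCII bytes.
    static byte[] hexAscii(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString().getBytes(StandardCharsets.US_ASCII);
    }

    // storedBlob stands for the bytes read from the BLOB column.
    // Assumption: it is either the raw 32-byte digest or its 64-character
    // lowercase hex text, so both layouts are checked.
    static boolean matches(String typed, byte[] storedBlob)
            throws NoSuchAlgorithmException {
        if (storedBlob == null) {
            return false;
        }
        byte[] digest = sha256(typed);
        // MessageDigest.isEqual is a time-constant comparison in current JDKs
        // and returns false when the lengths differ.
        boolean raw = MessageDigest.isEqual(digest, storedBlob);
        boolean hex = MessageDigest.isEqual(hexAscii(digest), storedBlob);
        return raw | hex;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values standing in for two database rows.
        byte[] rowAsHexText = hexAscii(sha256("correct horse"));
        byte[] rowAsRawDigest = sha256("correct horse");

        System.out.println(matches("correct horse", rowAsHexText));
        System.out.println(matches("correct horse", rowAsRawDigest));
        System.out.println(matches("wrong guess", rowAsHexText));
    }
}
```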