
password check in java

6 years 1 month ago #54268 by robeppef
I am working on a small Java tool as a corporate extension for the evaluation of LimeSurvey surveys.
After starting it, the program should check the user credentials. Therefore it has to compare the passwords.

I found out that LimeSurvey hashes the password with the help of SHA256 and the result is stored in a BLOB field.

I am hashing the typed password with the attached method first and then I am selecting the String-converted password object from the database, but they are never equal, even though the typed password is correct.

I attached the SHA256 method and the DB method too:
//the method, I hash the typed password:
private String getSHA2(String str) {
	MessageDigest md;
	try {
		md = MessageDigest.getInstance("SHA-256");
		// feed the typed password into the digest before finalising it
		md.update(str.getBytes());
		byte byteData[] = md.digest();
		// convert the byte to hex format method 1
		StringBuffer sb = new StringBuffer();
		for (int i = 0; i < byteData.length; i++) {
			sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16)
					.substring(1));
		}
		return sb.toString();
	} catch (NoSuchAlgorithmException e) {
		// TODO Auto-generated catch block
		e.printStackTrace();
	}
	return null;
}

//the method to check the hashed pw against the password, saved in the Database
public static int checkPW(String username, String pw) {
	try {
		// the query text is not included in the post; placeholder string
		PreparedStatement sqlGetUserPW = static_con
				.prepareStatement("<query selecting uid and password for one user name>");
		sqlGetUserPW.setString(1, username);
		ResultSet rsUser = sqlGetUserPW.executeQuery();
		while (rsUser.next()) {
			// the BLOB column is read as a Clob and converted to a String
			java.sql.Clob obj = rsUser.getClob("password");
			String str = obj.getSubString(1, (int) obj.length());
			System.out.println("str " + str);
			if (pw.equals(str)) {
				return rsUser.getInt("uid");
			} else
				return -1;
		}
	} catch (SQLException e) {
		e.printStackTrace();
	}
	return -1;
}

Can someone help?
Thanks a lot.


6 years 1 week ago #54817 by robeppef
Hello, does really no one know the answer?
The login is essential for my tool :-(


6 years 1 week ago #54824 by Mazi
I think this should better be asked at a Java forum. It's not really Limesurvey specific because you already know how Limesurvey stores passwords.
Only guess I can make is that the result of a SHA256 hash is different at PHP/Java, but that would be strange.

Best regards/Beste Grüße,
Dr. Marcel Minke
(Limesurvey Head of Support)
Need Help? We offer professional Limesurvey support
Contact: marcel.minke(at)
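
Added example, not part of the original thread and not LimeSurvey's own code: one way to do the comparison the first post is after, taking the BLOB as bytes (what `rs.getBytes("password")` returns) instead of going through `getClob`, and comparing digests with `MessageDigest.isEqual`. It assumes the column holds either the hex digest as ASCII text or the raw 32-byte digest; the class name, method names and sample passwords are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class PasswordBlobCheck {

    // SHA-256 of the typed password as raw bytes (32 of them).
    static byte[] sha256(String typed) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        // Explicit charset: the platform default differs between machines.
        return md.digest(typed.getBytes(StandardCharsets.UTF_8));
    }

    // Lowercase hex, two characters per byte.
    static String toHex(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // storedBlob is the BLOB column content, e.g. rs.getBytes("password").
    // Assumption: it is either the hex digest as ASCII text (64 bytes)
    // or the raw digest (32 bytes); both layouts are accepted.
    static boolean matches(byte[] storedBlob, String typed) throws NoSuchAlgorithmException {
        if (storedBlob == null) return false;
        byte[] raw = sha256(typed);
        if (storedBlob.length == raw.length) {
            return MessageDigest.isEqual(storedBlob, raw);
        }
        byte[] storedHex = new String(storedBlob, StandardCharsets.US_ASCII)
                .trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        byte[] typedHex = toHex(raw).getBytes(StandardCharsets.US_ASCII);
        // isEqual avoids the early exit on first mismatch that String.equals has.
        return MessageDigest.isEqual(storedHex, typedHex);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample rows standing in for values read from the database.
        byte[] hexRow = toHex(sha256("s3cret-sample")).getBytes(StandardCharsets.US_ASCII);
        byte[] rawRow = sha256("s3cret-sample");
        System.out.println(matches(hexRow, "s3cret-sample")); // hex layout
        System.out.println(matches(rawRow, "s3cret-sample")); // raw layout
        System.out.println(matches(hexRow, "wrong-guess"));   // mismatch
    }
}
```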
