In ColdFusion how can I match a posted password to an SHA256 encrypted password in my table?

StackOverflow https://stackoverflow.com/questions/9554608

  •  05-12-2019

Question

I am creating a log in form using ColdFusion, but I cannot figure out the syntax to check the password in my table which is encrypted using SHA256. I have researched this and so far only found complicated answers, mostly unrelated to what I need.

Here is the code I have for my query:

<cfquery name="qVerify" datasource="MyDSN">
SELECT  *
FROM cryptuser
WHERE firstname = '#firstname#'
AND   password = '#password#'
</cfquery>

So a password entered and posted via form needs to be matched to a password encrypted in my table, does anyone know if this is possible?

Many thanks.


Solution

You would just need to encrypt the password entered by the user and then use that variable in your query.

<cfset EncryptedPassword = Encrypt(form.password,'your key','SHA-256')>

<cfquery name="qVerify" datasource="MyDSN">
SELECT  *
FROM cryptuser
WHERE firstname = <cfqueryparam cfsqltype="cf_sql_varchar" value="#firstname#">
AND   password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#EncryptedPassword#">
</cfquery>

Other tips

To encrypt with SHA-256 you don't use the encrypt() function but rather the hash() function (SHA is a one-way hash):

<cfset EncryptedPassword = Hash(form.password, "SHA-256") />

I believe CF will return an all-uppercase hash so make sure you compare to the uppercase of the password encrypted in the database:

AND UPPER(password) = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#EncryptedPassword#" />

Also watch for encoding! It's possible that the data in the database could have a different encoding than the default (e.g., iso-8859-1 rather than utf-8).

Hope this helps.
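
The points raised in the answers above (Hash() rather than Encrypt(), hex case, character encoding, bound parameters) combined into one login check. This is an added example, not code from the original posts; it assumes the `password` column holds the SHA-256 hex digest of the UTF-8 password and that `firstname` identifies a single row, and `postedHash` and `loginOk` are names chosen here for illustration.

```cfml
<!--- Added example. Assumptions: cryptuser.password stores the SHA-256 hex digest
      of the UTF-8 password, and firstname matches at most one row. --->
<cfparam name="form.firstname" default="">
<cfparam name="form.password" default="">

<!--- Hash the posted password. The third argument pins the character encoding,
      so the digest does not depend on the server's default encoding. --->
<cfset postedHash = Hash(form.password, "SHA-256", "UTF-8")>

<!--- Fetch only the stored digest for this user; the user-supplied value is a
      bound parameter, never concatenated into the SQL text. --->
<cfquery name="qVerify" datasource="MyDSN">
    SELECT password
    FROM cryptuser
    WHERE firstname = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.firstname#">
</cfquery>

<!--- Compare in CFML after normalising case, because the hex digest returned by
      Hash() and the stored value may differ in letter case.
      Compare() is case-sensitive and returns 0 on an exact match. --->
<cfset loginOk = qVerify.recordCount EQ 1
    AND Compare(UCase(Trim(qVerify.password)), UCase(postedHash)) EQ 0>

<cfif loginOk>
    <cfoutput>Login OK.</cfoutput>
<cfelse>
    <!--- Same message whether the name or the password was wrong. --->
    <cfoutput>Invalid login.</cfoutput>
</cfif>
```

The example keeps the page's unsalted SHA-256 scheme so that it matches rows already in the table; a salted, deliberately slow password hash is the stronger design for new tables.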

License: CC-BY-SA with attribution
Not affiliated with StackOverflow