authenticate member through database with hashed/salted password

Question

i am using ipb forum software. I have member table with name entity and members_pass_hash and members_pass_salt. I have problem writing query statement to authorize member

    String Sql="Select * from members where name=? and members_pass_hash=?";

I know this is wrong, because password is not stored as plain text but i have no idea what to do.

I want to do this in java and i can't find any guides on this. Been searching for all day, thank you.

Answer 1

You got a spare " at the end of the SQL command. The ; is also not needed except for the mySQL command line client (may cause an error depending on your client library).

A salted password hash is usually verified by getting the salt string (sometimes it's stored as a prefix to the hashed password), calculating the salt and comparing the result.

In Pseudo-Code:

($id, $salt, $stored_hashed_password) = SELECT id, salt, hashed_password FROM members WHERE name=?
$entered_hash_password = hash_password($salt, $entered_cleartext_password)
if ($entered_hash_password == $stored_hash_password) {
   say "Yeah, you got it!";
} else {
   say "Go away!";
}

The comparison must obviously be a string comparison.

Update: Very simple example about hashed passwords:

Cleartext password: 10 Salt "string": 5 Hash function: $cleartext * $salt Hashed password: 50

No one could extract the original password out of the hashed password. The password may be 25, 1, 50, 10, 5.

Real hash functions are much more complicated and unreversable.

The hash_password() function used in the pseudo-code sample MUST be the one used when initially hashing the passwords for storing them into the database. Check the source code functions used for "change your password"