  1. #1

    Salt and Hash/database question

    Hello

    I am hoping to use something like the script below to salt/hash passwords when adding new users to a database from a log-in form:

    Code:
     <%
     If Request("Create") <> "" Then
        If Request("Password") = Request("Password2") Then
            ' Generate random salt (10 characters)
            Randomize
            Salt = ""
            For i = 1 to 10
               Salt = Salt & chr(int(Rnd * 26) + 65) '65 is ASCII for "A"
            Next
    
            ' Calculate Hash of Password + Salt
            Set CM = Server.CreateObject("Persits.CryptoManager")
            Set Context = CM.OpenContext("", True)
            Set Hash = Context.CreateHash
            Hash.AddText Request("Password") & Salt
            HashValue = Hash.Value.Hex
    
            ' Save username, hashed value and salt in the database
            set Conn = Server.CreateObject("adodb.connection")
            Conn.Open "DSN=AspEncrypt;UID=;PWD=;"
            SQL = "insert into Users(Username, Password, Salt) _ 
             values('" & Request("Username") & "','" & HashValue & "','" & Salt & "')"
            Conn.Execute SQL
    
            Response.Write "Account was successfully created."
         Else
            Response.Write "Password was not correctly confirmed."
         End If
     End If
     %> 
    <FORM ACTION="AddUser.asp" METHOD="POST">
     Username:<INPUT TYPE="TEXT" NAME="Username">
     Password:<INPUT TYPE="PASSWORD" NAME="Password">
     Confirm Password:<INPUT TYPE="PASSWORD" NAME="Password2">
     <INPUT TYPE="Submit" NAME="Create" VALUE="Create Account">
     </FORM>

    I found this on one ASP site and reviewers praised the code. However, I get an error message:

    Microsoft VBScript compilation error '800a0409'

    Unterminated string constant

    /AddUser.asp, line 23
    SQL = "insert into Users(Username, Password, Salt) _
    which I am not sure about.

    Furthermore, the script doesn't seem to include an Access DB, unless I am missing something?

    Thank you.

    Blue

  • #2
    When you copied and pasted, you must have 'broken' the line continuation marker of ' _ '.


    That line should actually be

    Code:
    SQL = "insert into Users(Username, Password, Salt) values('" & Request("Username") & "','" & HashValue & "','" & Salt & "')"

    Chris

    Indifference will be the downfall of mankind, but who cares?

  • Users who have thanked chrishirst for this post:

    Blue1 (05-29-2014)

  • #3
    Hello chrishirst

    Thanks for your reply.

    The error has gone now with your kind correction!

    This:

    (Username, Password, Salt) _

    with the underscore at the end is because in the original the script is over two lines but, yes, maybe I have missed a &.

    Never mind, it's working now, so a big 'thank you' to you!

    Blue
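
Added example, not part of the thread or of the original script: the one-line INSERT from reply #2 compiles, but it still concatenates Request("Username") into the SQL text, so a quote character in the username changes the statement. The sketch below sends the same insert through an ADODB.Command with bound parameters; the helper names InsertUser and AddTextParam and the column sizes 50/128/10 are assumptions, since the thread does not show the table schema.

```vbscript
<%
' ADO constants (values from adovbs.inc), declared so the page stands alone.
Const adCmdText = 1, adParamInput = 1, adVarChar = 200, adExecuteNoRecords = 128

' Hypothetical helper: binds one text value, rejecting empty or over-long input.
' MaxLen is an assumed column size; the thread does not give the table schema.
Sub AddTextParam(Cmd, Name, Value, MaxLen)
    If Len(Value) = 0 Or Len(Value) > MaxLen Then
        Err.Raise vbObjectError + 1, "AddTextParam", Name & " is empty or too long"
    End If
    Cmd.Parameters.Append Cmd.CreateParameter(Name, adVarChar, adParamInput, MaxLen, Value)
End Sub

' Hypothetical helper: inserts the account row through bound parameters.
Sub InsertUser(Conn, Username, HashValue, Salt)
    Dim Cmd
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    ' One "?" per value, bound in order; request data never becomes SQL text.
    Cmd.CommandText = "insert into Users(Username, Password, Salt) values (?, ?, ?)"
    AddTextParam Cmd, "Username", Username, 50
    AddTextParam Cmd, "Password", HashValue, 128
    AddTextParam Cmd, "Salt", Salt, 10
    Cmd.Execute , , adExecuteNoRecords
End Sub

Dim Username, Salt, HashValue, i, CM, Context, Hash, Conn
Username = Trim(Request.Form("Username"))
If Request.Form("Create") <> "" And Request.Form("Password") = Request.Form("Password2") Then
    ' Salt and hash steps are unchanged from the thread's script.
    Randomize
    Salt = ""
    For i = 1 To 10
        Salt = Salt & Chr(Int(Rnd * 26) + 65)
    Next
    Set CM = Server.CreateObject("Persits.CryptoManager")
    Set Context = CM.OpenContext("", True)
    Set Hash = Context.CreateHash
    Hash.AddText Request.Form("Password") & Salt
    HashValue = Hash.Value.Hex

    Set Conn = Server.CreateObject("ADODB.Connection")
    Conn.Open "DSN=AspEncrypt;UID=;PWD=;"   ' DSN string as posted in the thread
    InsertUser Conn, Username, HashValue, Salt
    Conn.Close
    Response.Write "Account was successfully created."
End If
%>
```

Because the statement text is a constant, it can sit on one line or be split with `& _` between string pieces without any request data being involved in the split.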

