views: 46
answers: 3
+1  Q: 

sql help concat

SELECT 
    SHA1(CONCAT(users.salt, '$password')) = users.password
FROM users
WHERE 
    users.username = '$username'

If $username exists this will return true, no matter what password you put in =/

I only want it to return true if username AND password are correct.

What I want is for it to take the salt and password, rehash it with SHA1 and compare it with the user input.

What am I doing wrong?

+2  A: 

You didn't say which database, but I don't believe you can code a relational expression in a select clause as you have done. Try

SELECT username
FROM users
WHERE 
    users.username = '$username' and 
    SHA1(CONCAT(users.salt, '$password')) = users.password

If you get a row back the password matched; if no row comes back the password didn't match or the user didn't exist.

Jim Garrison
A: 

The password check should be in the where clause:

SELECT 
    'success' as Result
FROM users
WHERE 
    users.username = '$username'
    AND SHA1(CONCAT(users.salt, '$password')) = users.password

This should return a row with a single column if the check succeeds; otherwise, it returns an empty rowset.

Andomar
A: 

SELECT CAST(1 AS bit)
FROM users
WHERE 
    username = '$username' AND
    SHA1(CONCAT(salt, '$password')) = password

Shimmy
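All three answers make the same point: put the hash comparison in the WHERE clause so a row only comes back when both the username and the salted hash match. The script below, an added example that is not from any of the posters, runs both shapes of the query side by side against a constructed in-memory SQLite table. SQLite has no SHA1() or CONCAT(), so it registers a Python SHA1 function under that name and uses || for concatenation; it also binds the username and password as query parameters rather than splicing '$username' and '$password' into the SQL text.

```python
import hashlib
import sqlite3

# Constructed sample users (not from the question). The plaintexts are only
# used here to build the stored SHA1(salt + password) digests.
SAMPLE_USERS = [
    ("alice", "s4lt-a", "correct horse"),
    ("bob", "s4lt-b", "battery staple"),
]


def sha1_hex(text):
    """SHA1 hex digest, standing in for MySQL's SHA1() which SQLite lacks."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_db():
    """In-memory users table with the same three columns the question uses."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1, sha1_hex)
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, password TEXT)"
    )
    for username, salt, plaintext in SAMPLE_USERS:
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?)",
            (username, salt, sha1_hex(salt + plaintext)),
        )
    conn.commit()
    return conn


def rows_question_style(conn, username, password):
    """The question's shape: comparison in the SELECT list, username-only WHERE.

    Returns the values of the first column. One row comes back for every
    existing user, carrying 1 or 0 depending on whether the password matched,
    so "did I get a row?" is the wrong test here.
    """
    sql = "SELECT SHA1(salt || ?) = password FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (password, username)).fetchall()]


def login_ok(conn, username, password):
    """The answers' shape: both conditions in WHERE, so a row exists only when
    the user exists AND the salted hash matches the stored digest."""
    sql = "SELECT 1 FROM users WHERE username = ? AND SHA1(salt || ?) = password"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    print("question style, wrong password:", rows_question_style(db, "alice", "wrong"))
    print("answer style, wrong password:", login_ok(db, "alice", "wrong"))
    print("answer style, right password:", login_ok(db, "alice", "correct horse"))
```

With the question's shape a wrong password for an existing user still yields a row (holding 0), which is exactly the behaviour the asker saw; with the WHERE-clause shape the same call yields no row at all, so the calling code can treat "any row returned" as a successful login.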