How to decrypt PBEWithMD5AndDES String in Oracle? - sql

In my user table, the username column is encoded via PBEWithMD5AndDES algorithm. Now I want something like this:
WITH TEMP
AS (SELECT E.UAC_USER_ID AS ID,
E.UAC_USER_USERNAME AS USERNAME,
E.UAC_USER_FIRSTNAME || ' ' || E.UAC_USER_LASTNAME AS NAME,
E.UAC_USER_PERSONELCODE AS PERSONELCODE
FROM UAC_USERS E
WHERE E.UAC_USER_ISENABLED = 1)
SELECT *
FROM TEMP
WHERE 1 = 1 AND DECODE (USERNAME) = 'admin'
is there any embedded function in oracle that can decode the selected field?

I can only give you direction to solve problem, not answer.
Oracle has package dbms_crypto which may be can help you.
See examples https://docs.oracle.com/database/121/ARPLS/d_crypto.htm#ARPLS65690
You can find encryption_type
encryption_type PLS_INTEGER := -- total encryption type
DBMS_CRYPTO.ENCRYPT_AES256
+ DBMS_CRYPTO.CHAIN_CBC -- description in doc
+ DBMS_CRYPTO.PAD_PKCS5; -- description in doc
In DBMS_CRYPTO there is another constant DBMS_CRYPTO.ENCRYPT_PBE_MD5DES.
Theoretically this may help:
encryption_type PLS_INTEGER := -- total encryption type
DBMS_CRYPTO.ENCRYPT_PBE_MD5DES
+ DBMS_CRYPTO.CHAIN_CBC -- description in doc
+ DBMS_CRYPTO.PAD_PKCS5; -- description in doc
But using this encryption_type in code I get error. I also try several combination and change code but finally i give up. May be one of the reason is the constant DBMS_CRYPTO.ENCRYPT_PBE_MD5DES doesn't described in doc or I should change smt else in example. .

Related

Filling a dataset from a sql select string in Delphi

I am currently VERY new to delphi. It is older code, but I need to know if why my code is failing is what I think it is. all the data I need to read is in the tables I'm reading from, I know that much. but I'm getting the following error back on my SOAP call:
There is no row at position 0.
This tells me that although the data is in the DB, I know I'm not able to read it out. am I using the correct way to read sql data from a db table, in delphi, using the following code:
FXMLDocument := XMLDocument.Create;
FXMLDocument.LoadXML(strXML);
// Get WebService URL - needed for saving COG Assessments
strUrl := GetURL;
// Fill Applicant and Configuration DataSets
FApplicant := TApplicant.Create;
FConfiguration := TConfiguration.Create;
FApplicant.Username := FXMLDocument.GetElementsByTagName('appid').item(0).FirstChild.Value;
strFormID := FXMLDocument.GetElementsByTagName('formid').item(0).FirstChild.Value;
SqlConDB.Close;
selApp.CommandText := 'SELECT AppID, FirstName, LastName, Age, Gender, UserPassword, ProgToRun, ReportLang, CompanyID FROM Users WHERE AppID = '''+ FApplicant.Username +'''';
selConfig.CommandText := 'SELECT * FROM Preferences';
SqlConDB.Open;
daApp.Fill(dsApp, 'Applicant');
daConfig.Fill(dsConfig, 'Configuration');
SqlConDB.Close;
FConfiguration := CASConfigRoutines.FillConfigurationFromDB(dsConfig);
// Get Program to Run from Data
FApplicant.ProgToRun := dsApp.Tables[0].Rows[0].Item['ProgToRun'].ToString;
FApplicant.Gender := dsApp.Tables[0].Rows[0].Item['Gender'].ToString;
FApplicant.ReportLang := dsApp.Tables[0].Rows[0].Item['ReportLang'].ToString;
// Get Company ID from Data for FNB check
FApplicant.Company := dsApp.Tables[0].Rows[0].Item['CompanyID'].ToString;
Should these two lines:
daApp.Fill(dsApp, 'Applicant');
daConfig.Fill(dsConfig, 'Configuration');
Not rather be:
daApp.Fill(selApp, 'Applicant');
daConfig.Fill(selConfig, 'Configuration');
as it is selApp that is the "select" statement? I don't know enough about Delphi to say if it is right or wrong, but can someone maybe assist in telling me why I'm getting a record count of 0 if I know for a fact, my data is in the DB?
Thanks!

I keep getting "Data type mismatch in criteria expression" error in delphi

Whenever this code runs the I get the above error. The code is supposed to insert a record into a table and then delete records from another table.
for I := iMax - K to iMax do
begin
Inc(a);
with dmMenu.qryMcDonalds do
begin
SQL.Text :=
'SELECT ID, ItemID, ItemPrice, ItemCategory FROM tblCheckout WHERE ID = ' + IntToStr(I);
Open;
sItemID := Fields[1].AsString;
rItemPrice := Fields[2].AsFloat;
sItemCategory := Fields[3].AsString;
ShowMessage(IntToStr(I));
// I get the error here
SQL.Text :=
'INSERT INTO tblOrderItems (OrderItemID, OrderID, ItemID, ItemCategory, ItemPrice) VALUES ("' + sOrderID + '_' + IntToStr(a) + '"' + ', "' + sOrderID + '", "' + sItemID + '", "' + sItemCategory + '", "' + FloatToStrF(rItemPrice, ffCurrency, 10, 2) + '")';
ExecSQL;
SQL.Text := 'DELETE FROM tblCheckout WHERE ID = ' + IntToStr(I);
ExecSQL;
end; // with SQL
end; // for I
edit: I think i the problem is in the 'INSERT INTO' part. All the columns are short text except the last one, ItemPrice is a currency. I am also using Access
Please start a new project with just the following items on the main form:
A TAdoConnection configured to connect to your database;
A TAdoQuery configured to use the TAdoConnection
A TDataSource and TDBGrid configured to display the contents of the TAdoQuery.
Then, add the following code to the form
const
sSelect = 'select * from tblOrderItems';
sInsert = 'insert into tblOrderItems(OrderItemID, OrderID, ItemID, ItemCategory, ItemPrice) '#13#10
+ 'values(:OrderItemID, :OrderID, :ItemID, :ItemCategory, :ItemPrice)';
sOrderItemID = '0999';
sOrderID = '1999';
sItemID = '2999';
sItemCategory = 'Bolt';
fItemPrice = 5.99;
procedure TForm2.FormCreate(Sender: TObject);
begin
AdoQuery1.SQL.Text := sInsert;
AdoQuery1.Prepared := True;
AdoQuery1.Parameters.ParamByName('OrderItemID').Value:= sOrderItemID;
AdoQuery1.Parameters.ParamByName('OrderID').Value := sOrderID;
AdoQuery1.Parameters.ParamByName('ItemID').Value := sItemID;
AdoQuery1.Parameters.ParamByName('ItemCategory').Value := sItemCategory;
AdoQuery1.Parameters.ParamByName('ItemPrice').Value := fItemPrice;
AdoQuery1.ExecSQL;
AdoQuery1.SQL.Text := sSelect;
AdoQuery1.Open;
end;
Before compiling and running the program, review and change the values of the constants
so that they don't conflict with any rows already in your table.
The constant sInsert defines a so-called "parameterised SQL statement" Inside the Values
list, the items :OrderItemID, :OrderID, etc, are placeholders which the AdoQuery will turn into
parameters whose values you can supply at run-time, as in the block after AdoQuery1.Parameters.ParamByName(...
You should always construct SQL statements this way and not by concatenating strings
as your code attempts to do. It is far less error-prone, because it's easy to get into a
syntax muddle if you use DIY code and it also makes sure your queries are not prone
to Sql-Injection exploits, which they would be if you
give the user the opportunity to edit the SQL.
If you are using a FireDAC FDQuery, this has Params (an FD data-type) rather thn Parameters
but they work in pretty much the same way - see the Online Help.
In future, please be a bit more careful to ensure you include important details, especially things like the exact line where the error occurs - which you can check by single-stepping through your code using the debugger - and things like the exact db-access components you are using. Also try to get details right like whether a column is a "short text" type or an autonumber.
For a problem that needs to be debugged, like this one, you should also provide a complete, minimal, reproducible example, not just a snippet of code. Quite often, you will realise what the problem is while you are preparing the mre, so it helps you as well as us.
I bet the problem is in incompatible floating point format.
Use parameters to avoid it.

My secret password in oracle won't output

I'm trying to output my procedure, with a secret password. When i try to run my code it doesn't work.
CREATE OR replace Procedure hiddenPasswords(
p_MA_ID IN MitarbeiterAccounts.MitarbetierAccountID%TYPE,
p_M_Login IN MitarbeiterAccounts.Mitarbeiter_Login%TYPE,
p_M_Password IN MitarbeiterAccounts.Mitarbeiter_Password%TYPE)
IS
BEGIN
INSERT INTO MitarbeiterAccounts(MitarbeiterAccountsID,
MitarbeiterAccounts_Login, Mitarbeiter_Password)
VALUES(p_MA_ID, p_M_Login, HASHBYTES('SHA2_512', p_M_Password));
END;
/
EXEC hiddenPasswords p_MA_ID = 4, p_M_Login = 'Admin' p_M_Password = N'123';
I'm getting that HASHBYTES is invalid identifier
Well, Oracle doesn't have any built-in function called HASHBYTES. It is there in SQL SERVER but not in Oracle
instead you can use DBMS_CRYPTO.HASH if you have that privilege for the same.
DBMS_CRYPTO provides an interface to encrypt and decrypt stored data, and can be used in conjunction with PL/SQL programs running network communications
DBMS_CRYPTO
Update
For eg., I have used RAW here. You can check other Overloaded functions in the above link where you can use BLOB, CLOB as well.
DECLARE
l_pwd VARCHAR2(19) := 'mysecretpassword';
l_ccn_raw RAW(128) := utl_raw.cast_to_raw(l_pwd);
l_encrypted_raw RAW(2048);
BEGIN
dbms_output.put_line('CC: ' || l_ccn_raw);
l_encrypted_raw := dbms_crypto.hash(l_ccn_raw, 1);
dbms_output.put_line('MD4: ' || l_encrypted_raw);
l_encrypted_raw := dbms_crypto.hash(l_ccn_raw, 2);
dbms_output.put_line('MD5: ' || l_encrypted_raw);
l_encrypted_raw := dbms_crypto.hash(l_ccn_raw, 3);
dbms_output.put_line('SH1: ' || l_encrypted_raw);
END;
/
OUTPUT
CC: 6D7973656372657470617373776F7264
MD4: BBBA2CBC2F6E0F158D06B34F819DB5F6
MD5: 4CAB2A2DB6A3C31B01D804DEF28276E6
SH1: 08CD923367890009657EAB812753379BDB321EEB

How to call Oracle MD5 hash function?

I have below code. I am using Oracle 11g.
SELECT DBMS_OBFUSCATION_TOOLKIT.md5 (input => UTL_RAW.cast_to_raw(
FIRST_NAME
||LAST_NAME
)) md5_key ,
FIRST_NAME ,
LAST_NAME
FROM C_NAME_TAB
WHERE PKEY='1234'
How can i call this code? Can i directly execute this code in sqldeveloper?
In Oracle 12c you can use the function STANDARD_HASH. It does not require any additional privileges.
select standard_hash('foo', 'MD5') from dual;
The dbms_obfuscation_toolkit is deprecated (see Note here). You can use DBMS_CRYPTO directly:
select rawtohex(
DBMS_CRYPTO.Hash (
UTL_I18N.STRING_TO_RAW ('foo', 'AL32UTF8'),
2)
) from dual;
Output:
ACBD18DB4CC2F85CEDEF654FCCC4A4D8
Add a lower function call if needed. More on DBMS_CRYPTO.
I would do:
select DBMS_CRYPTO.HASH(rawtohex('foo') ,2) from dual;
output:
DBMS_CRYPTO.HASH(RAWTOHEX('FOO'),2)
--------------------------------------------------------------------------------
ACBD18DB4CC2F85CEDEF654FCCC4A4D8
#user755806 I do not believe that your question was answered. I took your code but used the 'foo' example string, added a lower function and also found the length of the hash returned. In sqlplus or Oracle's sql developer Java database client you can use this to call the md5sum of a value. The column formats clean up the presentation.
column hash_key format a34;
column hash_key_len format 999999;
select dbms_obfuscation_toolkit.md5(
input => UTL_RAW.cast_to_raw('foo')) as hash_key,
length(dbms_obfuscation_toolkit.md5(
input => UTL_RAW.cast_to_raw('foo'))) as hash_key_len
from dual;
The result set
HASH_KEY HASH_KEY_LEN
---------------------------------- ------------
acbd18db4cc2f85cedef654fccc4a4d8 32
is the same value that is returned from a Linux md5sum command.
echo -n foo | md5sum
acbd18db4cc2f85cedef654fccc4a4d8 -
Yes you can call or execute the sql statement directly in sqlplus or sql developer. I tested the sql statement in both clients against 11g.
You can use any C, C#, Java or other programming language that can send a statement to the database. It is the database on the other end of the call that needs to be able to understand the sql statement. In the case of 11 g, the code will work.
#tbone provides an excellent warning about the deprecation of the dbms_obfuscation_toolkit. However, that does not mean your code is unusable in 12c. It will work but you will want to eventually switch to dbms_crypto package. dbms_crypto is not available in my version of 11g.
To calculate MD5 hash of CLOB content field with my desired encoding without implicitly recoding content to AL32UTF8, I've used this code:
create or replace function clob2blob(AClob CLOB) return BLOB is
Result BLOB;
o1 integer;
o2 integer;
c integer;
w integer;
begin
o1 := 1;
o2 := 1;
c := 0;
w := 0;
DBMS_LOB.CreateTemporary(Result, true);
DBMS_LOB.ConvertToBlob(Result, AClob, length(AClob), o1, o2, 0, c, w);
return(Result);
end clob2blob;
/
update my_table t set t.hash = (rawtohex(DBMS_CRYPTO.Hash(clob2blob(t.content),2)));

Using ParseSQL Command for ADO Parameters Cause Invalid Parameter DataType

I have some SQL Command that contains a parameter such:(Note that myID has "int" type in SQL)
vSqlString :='Select * From myTable Where myID= :paramID';
and Use ParseSQL Command to execute this command:
myADOQuery.Parameters.ParseSQL(vSqlString , True);
Now myADOQuery.Parameters.ParamByName('paramID').DataType is smallint Type and it can't accept negative integer values.
I can exactly show to compiler that my Parameter[0].DataType is ftIneteger and it works properly, but what is a good solution for this problem?
My question is asked by Mr. imanShadabi Here: Using TAdoQuery.ParseSql and has resolved by user1008646
Hope this will help.
If you want to create in runtime parameters, you can use something like this:
ADOQuery1.Close;
ADOQuery1.SQL.Text := vSqlString;
ADOQuery1.Parameters.Clear;
ADOQuery1.Parameters.CreateParameter('paramID', ftInteger, pdInput, 10, vIntegerValue);
ADOQuery1.Open;
Or you can concatenate values to the query.
For example:
//For Integer values:
vSqlString: = 'Select * From myTable Where myID =' + IntToStr (vIntegerValue);
//For String values:
vSqlString: = 'Select * From myTable Where myID =' + QuotedStr (vStringValue);
//For float values:
//Be careful with this, usually in a query, the comma is separator values,
//so make sure that the decimal separator is '.'
vDS := DecimalSeparator; //I keep the value it had
DecimalSeparator := '.';
try
ADOQuery1.close;
ADOQuery1.SQL.Text := 'Select * From myTable Where myID='+FloatToStr(vFloatValue);
ADOQuery1.Open;
finally
DecimalSeparator := vDS; //Restore the value that had
end;
The third option is to set the parameters at design time.
But I think this is not what you want.