2

I'm working on a PHP application with a MySQL backend to replace an existing Oracle Forms application with an Oracle database.

I've received a dump of the Oracle database and loaded this data into MySQL. One of the tables contains the usernames and passwords. The passwords are not stored as plain text but as a hash. These hashes have been created with the get_hash_value function from the DBMS_UTILITY package.

What is the algorithm used by this internal Oracle function?

Does anyone know of a function in PHP (or any other language) that would create the same hash?

I need to create the hash without Oracle to be able to validate the users' passwords in the new environment (PHP + MySQL).

Jeroen Moors

2 Answers

0

I don't believe the implementation is detailed by Oracle. But you don't need to recreate it in PHP, simply wrap a function around it and call it from PHP:

create function digest( p_username in varchar2, p_password in varchar2 ) return varchar2
is
begin
    return ltrim( to_char( dbms_utility.get_hash_value( upper(p_username)||'/'||upper(p_password), 1000000000, power(2,30) ), rpad( 'X',29,'X')||'X' ) );
end digest;

-- digest by calling db function
select digest('UserA','MyPassword') from dual;

Of course, check your current db implementation of how the original hashes were created. But basically, if the result of the digest call matches that in the db, then the user is in, else no.

If you're moving the backend to MySQL, then you probably want to switch to using MD5 hashes or similar moving forward.

tbone
  • Thanks @tbone for your reply! In the setup we use, all my data is stored in a MySQL database without having access to an Oracle database. I think your procedure requires an Oracle server to run? – Jeroen Moors Feb 16 '13 at 10:49
  • @JeroenMoors yes, it does require an Oracle instance, but since the MySQL backend seems to be a temporary situation, I'd just keep an Oracle server up during this time for this purpose. I really don't think there is a way to replicate the get_hash_value outside Oracle. But I would quickly migrate to a more generic hash like MD5 soon. – tbone Feb 16 '13 at 12:19
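The PHP side of the approach in this answer, as an added example that is not part of the original answer or comments. It assumes the oci8 extension, an open connection `$conn` to an Oracle instance holding the `digest()` function above, and a stored hash in the same hex format that `digest()` returns; `legacyDigest` and `verifyLegacyLogin` are hypothetical names.

```php
<?php
declare(strict_types=1);

/**
 * Ask Oracle to compute the legacy hash for one login attempt.
 * $conn is an oci_connect() handle (assumption: oci8 is installed).
 */
function legacyDigest($conn, string $username, string $password): string
{
    // Bind variables keep the submitted credentials out of the SQL text.
    $stmt = oci_parse($conn, 'select digest(:u, :p) as h from dual');
    if ($stmt === false) {
        throw new RuntimeException('could not parse digest query');
    }
    oci_bind_by_name($stmt, ':u', $username);
    oci_bind_by_name($stmt, ':p', $password);

    if (!oci_execute($stmt)) {
        oci_free_statement($stmt);
        throw new RuntimeException('digest query failed');
    }
    $row = oci_fetch_assoc($stmt);   // Oracle upper-cases the alias: 'H'
    oci_free_statement($stmt);

    if ($row === false || $row['H'] === null) {
        throw new RuntimeException('digest returned no value');
    }
    return $row['H'];
}

/**
 * Compare the freshly computed hash with the one copied into MySQL.
 * $storedHash is the value read from the migrated users table.
 */
function verifyLegacyLogin($conn, string $username, string $password, string $storedHash): bool
{
    // Fail closed: if Oracle is unreachable the login is rejected.
    try {
        $computed = legacyDigest($conn, $username, $password);
    } catch (RuntimeException $e) {
        return false;
    }
    // hash_equals() compares in constant time; normalise case and padding
    // first because the stored column format is an assumption here.
    return hash_equals(strtoupper(trim($storedHash)), strtoupper(trim($computed)));
}
```

Because `digest()` upper-cases both inputs, this check accepts any letter casing of the password, exactly as the Oracle function does.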
0

I wouldn't try to find a way to recreate the single hashing for the passwords. Nowadays most hashes can be found in rainbow tables, so the use of a salt (preferably a personal + a system salt) when storing passwords has become mandatory if you want to protect your users' credentials.

So instead of putting hours of work into trying to copy the hash, I'd just reset all user passwords and have them create a new (or the same) one that you can then store properly using PHP hash algorithms. I am sure the users will understand, especially if you are rebuilding the application anyway.

winkbrace
  • Salting and hashing isn't enough anymore. You probably don't want to build a custom password system. See http://stackoverflow.com/a/401684/409172 and http://stackoverflow.com/a/1581919/409172. – Jon Heller Feb 13 '13 at 19:25
  • On a technical level I totally agree. Unfortunately I'm building a disaster recovery site that will only be used during a short period. After this period the users will go back to the Oracle application. Resetting their password in the middle is not an option. – Jeroen Moors Feb 16 '13 at 10:45