
I'm having a weird security-related problem, lately I've been getting regular but intermittent errors when trying to insert hashed passwords in a SQL Server database field that's nvarchar(130):

<cfqueryparam value="#hashpass#" cfsqltype="cf_sql_char" maxLength="130">

The hashpass variable is set thus:

<cfset hashpass =  Hash(arguments.password & getsalt.user_salt, "SHA-512")>

Wondering how it's possible for a SHA-512 hash to be longer than 128 characters, when the documentation says it should always be 128 exactly? Here's the ColdFusion 10 error:

[Macromedia][SQLServer JDBC Driver][SQLServer]String or binary data would be truncated.

Chris
    (Edit) AFAIK, yes it should generate a 512 bit value / 128 characters encoded as hex. What are the actual values when the error occurs? – Leigh May 31 '15 at 21:16
  • I wish I knew the actual values that fail, when I tried to reproduce the error the code worked. I can put in a try/catch and email myself values that fail, it happens regularly just not when I try it. – Chris Jun 01 '15 at 00:23
  • In the spirit of try/catch, what does the onError() function of your Application.cfc do? – Dan Bracuk Jun 01 '15 at 02:59
  • 4
    Is the pwd the only column you're inserting in that query? Can you post the entire query and the entire error message (well: we don't need the stack trace). Why are you using nvarchar for that column, and then passing its value using char? That seems a bit odd, dunnit? Which version of ColdFusion? – Adam Cameron Jun 01 '15 at 05:37
  • Good question. Chris - What is your CF version? For CF10+ use [cf_sql_nvarchar](http://stackoverflow.com/questions/10802388/what-are-the-details-for-using-cf-sql-nvarchar-in-coldfusion-10/10848136#10848136). (Though you probably do not need the nvarchar type for storing HEX) – Leigh Jun 01 '15 at 21:59

1 Answer

It seems from your error that the issue is at a database level, as ColdFusion is not failing your maxlength check on the cfqueryparam tag and is allowing the query to be executed. I just tested trying to pass a string that exceeds the length specified in the maxlength attribute (on CF10) and get the error:

The cause of this output exception was that:
coldfusion.tagext.sql.QueryParamTag$InvalidDataException:
Invalid data value this-is-a-string-that-is-too-long exceeds maxlength setting 10..

As Adam Cameron mentioned in the comments to the question, it seems likely that it is a different field in your query that is throwing the error.

As the hashed password will be 128 chars long, is there a reason why you are validating 130 chars?

John Whish
  • Thanks everyone, I was taking that error line number too literally... turns out much of the data for this insert was coming from another table with fields that in many cases were quite a bit longer... so, adjusting field sizes in the destination table to match. – Chris Jun 04 '15 at 03:24
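The two points made above (a SHA-512 hex digest is always 128 characters, so a "would be truncated" error on a 130-wide column must come from some other column) can be checked before the driver ever sees the row. The following is an added example written for this page, not code from the question or answer and not ColdFusion: it mirrors the page's `Hash(password & salt, "SHA-512")` in Python's `hashlib`, and then runs a per-column length check over a constructed sample row, the way a try/catch handler could log which value is actually too wide. The column names, widths and sample values are invented for illustration.

```python
import hashlib
import secrets

# Declared widths of the destination table's columns (constructed for this
# example; the only value taken from the page is the 130-wide password column).
COLUMN_MAX = {
    "user_name": 20,
    "user_email": 50,
    "user_pass": 130,
}


def salted_sha512_hex(password: str, salt: str) -> str:
    """Hex digest of SHA-512(password || salt), the same construction the question uses.

    SHA-512 always yields 64 bytes, so the hex encoding is always 128 characters
    regardless of how long the password or salt are. (ColdFusion's Hash() returns
    the hex in upper case; hexdigest() is lower case, the length is identical.)
    """
    return hashlib.sha512((password + salt).encode("utf-8")).hexdigest()


def check_row_lengths(row: dict, column_max: dict) -> list:
    """Return [(column, actual_len, max_len), ...] for every value wider than its column.

    This is the check the cfqueryparam maxlength attribute does for one parameter,
    applied to the whole row so the offending column is named instead of the
    driver's generic "String or binary data would be truncated".
    """
    too_long = []
    for column, value in row.items():
        limit = column_max.get(column)
        if limit is not None and len(value) > limit:
            too_long.append((column, len(value), limit))
    return too_long


def build_sample_row() -> dict:
    """Constructed row: the password hash fits, but a value copied from a wider
    source table (as in the asker's follow-up comment) does not."""
    salt = secrets.token_hex(16)          # random salt, constructed per run
    return {
        "user_name": "a-display-name-copied-from-wider-source",   # 40 chars > 20
        "user_email": "someone@example.invalid",
        "user_pass": salted_sha512_hex("correct horse battery staple", salt),
    }


def diagnose(row: dict) -> list:
    """Run the width check and return the list of overflowing columns."""
    return check_row_lengths(row, COLUMN_MAX)


if __name__ == "__main__":
    sample = build_sample_row()
    print("hash length:", len(sample["user_pass"]))       # always 128
    for column, actual, limit in diagnose(sample):
        print(f"{column}: {actual} chars exceeds nvarchar({limit})")
```

Running it reports `user_name` as the overflowing column and never the hash, whatever salt or password is used; the same loop dropped into an error handler would have answered the question in the thread directly. Because the digest is plain ASCII hex, a `char`/`varchar(128)` column is sufficient for it, which is the point Leigh makes about not needing `nvarchar` for hex.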