0 votes | 499 views | in Q2A Core
I realize that when a new user registers or changes the password, it is hashed (SHA) and then UNHEXed directly in the database server. I believe this could be a problem because anyone with access to the database query history can see the raw passwords, because they will be stored in the binary logs.
Maybe the passwords should be hashed inside the application and then stored in the database (I personally prefer stronger algorithms like SHA2 or MD5 instead of SHA1).
Q2A version: 1.5

1 Answer

+1 vote

The hashing takes place in the application, not in the SQL. See qa_db_calc_passcheck(...) in qa-db-users.php. All that UNHEX() does is convert the hexadecimal sha1 checksum into a BINARY column value.
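The flow the answer describes, as an added example that is not Q2A's own code: the SHA-1 digest is computed in the application, and the SQL text that reaches the server (and its query or binary logs) only carries the hex digest inside UNHEX(). The table and column names, the salt-then-password order, and the salt length are assumptions modelled on the Q2A schema, not copied from it.

```python
import hashlib
import hmac
import secrets

# Added example (not Q2A's own code). Table/column names and the
# salt + password order are assumptions, not taken from qa-db-users.php.


def calc_passcheck(salt: str, password: str) -> str:
    """Application-side hash: 40-char hex SHA-1 of salt followed by password."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 8) -> str:
    """Random per-user salt, emitted as hex so it is safe to embed in SQL."""
    return secrets.token_hex(nbytes)


def build_password_update_sql(userid: int, salt: str, passcheck_hex: str) -> str:
    """The statement text the DB server (and its query/binary logs) sees.

    Only the salt and the digest appear; the plaintext never leaves the app.
    Both values are app-generated hex, so embedding them is safe here; any
    user-supplied value would have to be escaped or bound as a parameter.
    """
    return (
        f"UPDATE qa_users SET passsalt='{salt}', passcheck=UNHEX('{passcheck_hex}') "
        f"WHERE userid={int(userid)}"
    )


def unhex(hexdigest: str) -> bytes:
    """What MySQL's UNHEX() does server-side: 40 hex chars -> 20 raw bytes for BINARY(20)."""
    return bytes.fromhex(hexdigest)


def verify_password(salt: str, stored_passcheck: bytes, candidate: str) -> bool:
    """Login check: recompute in the app and compare in constant time."""
    return hmac.compare_digest(unhex(calc_passcheck(salt, candidate)), stored_passcheck)


def plaintext_in_sql(password: str, sql: str) -> bool:
    """True if the raw password would have reached the database server."""
    return password in sql


if __name__ == "__main__":
    salt = new_salt()
    pw = "constructed-example-password"  # constructed sample input
    sql = build_password_update_sql(42, salt, calc_passcheck(salt, pw))
    print(sql)
    print("plaintext leaked into SQL:", plaintext_in_sql(pw, sql))
```

Note that the DB server only ever receives the digest, so what the logs expose is a salted SHA-1 value, not the password itself.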

Right, my mistake, sorry. I misunderstood the code; I've been working too much.