Database Binary passcheck hashing, maybe a security problem.

Question

I realize that when a new user register or changes the password it is hashed (SHA) and than UNHEX direct in the database server. I believe this could be a problem because anyone with access to the database query history can see the raw passwords, because they will be stored in the binary logs.
Maybe the passwords should be hashed inside the application and than stored in the database (I personally prefer stronger algorithms like SHA2 or MD5 instead of SHA1).

Answer 1

The hashing takes place in the application, not in the SQL. See qa_db_calc_passcheck(...) in qa-db-users.php. All that UNHEX() does is convert the hexadecimal sha1 checksum into a BINARY column value.

Comments

Right, my mistake sorry, I misundertood the code, been working too much.