Thread: security help
View Single Post
 
Old May 3rd, 2017, 07:26 PM
crossfire19 crossfire19 is offline
Authorized User
Points: 79, Level: 1
Points: 79, Level: 1 Points: 79, Level: 1 Points: 79, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Dec 2013
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default security help

Hello I am working on a project, and I am trying to compare the user name and password credentials to log in to my website. I do have the password hashed in the database, and have a stored procedure set up. I can get it to work if the password is in plain text, but now that it is hashed for better security, I cant get it to work that way. Here is a look at my code, and any help would be greatly appreciated.


private bool CompareStrings(string string1, string string2)
{
return String.Compare(string1, string2, true, System.Globalization.CultureInfo.InvariantCulture) == 0 ? true : false;
}

public void LogInAccount(string UserName, string UserPassword, Label InvalidLogIn)
{
connection.ConnectionString = @"Connection String";
connection.Open();


string compare = @"Select UserName FROM UserInfo WHERE UserName=@UserName AND UserPassword=HASHBYTES('SHA2_512', @UserPassword)";

//string compare = "select ISNULL(UserName, '') As UserName, ISNULL(UserPassword, '') As UserPassword from UserInfo where UserName= @UserName";

SqlCommand CompareUser = new SqlCommand(compare, connection);
//SqlCommand Command2 = new SqlCommand("select * from SignUp where FirstName= @FirstName", connection);

//Command2.Parameters.AddWithValue("@FirsName", FirstName.Text);

CompareUser.Parameters.AddWithValue("@HASHBYTES('S HA2_512', @UserPassword)", UserPassword);

CompareUser.Parameters.AddWithValue("@UserName", UserName);

SqlDataReader dr = CompareUser.ExecuteReader();

//string User = UserName;
//string UserPassword = Password;

//HtmlAnchor LogIn = (HtmlAnchor)Master.FindControl("LogIn");
//HtmlAnchor SignUp = (HtmlAnchor)Master.FindControl("SignUp");

while (dr.Read())
{
if (this.CompareStrings(dr["UserName"].ToString(), UserName) &&
this.CompareStrings(dr["UserPassword"].ToString(), UserPassword))
{
InvalidLogIn.Visible = false;
FormsAuthentication.RedirectFromLoginPage(UserName , true);
}
else
{
InvalidLogIn.Visible = true;
}
}
connection.Close();
}

Thanks a lot