Thread: security help
March 22nd, 2019, 10:38 AM
tmiranda
Wrox Author

Just at a glance, there are a couple of things that jump out at me. First, you have specified HASHBYTES as the parameter name in the call to add the password parameter to the SQL command. You are already creating the hash in the SQL command itself when doing the compare, so just pass the password as the parameter to that command. Instead of
Code:
CompareUser.Parameters.AddWithValue("@HASHBYTES('SHA2_512', @UserPassword)", UserPassword);
just do this

Code:
CompareUser.Parameters.AddWithValue("@UserPassword", UserPassword);
On another note, consider adding a salt value to your hash to make it a little more secure. In fact, if possible, make the salt unique to the user and store the salt with the user info. That way the salt is different for each record.
If that does not help, I can attempt to look a little more in depth, but that might be your problem.
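
The per-user salt suggested in the post above, as an added example that is not part of the original post or the poster's code. It assumes .NET 6 or later, uses an in-memory dictionary as a stand-in for the user table, and substitutes PBKDF2 with SHA-512 for the single HASHBYTES pass in the thread; the class name, sizes and iteration count are assumptions made here.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not the thread's code. The dictionary stands in for the user
// table; in a database, Salt and Hash would be two binary columns on the user
// row, each passed to the command as its own parameter.
public static class SaltedPasswordDemo
{
    // Assumed values for illustration: 16-byte salt, 64-byte hash, PBKDF2 rounds.
    const int SaltBytes = 16, HashBytes = 64, Iterations = 210_000;

    record StoredUser(byte[] Salt, byte[] Hash);
    static readonly Dictionary<string, StoredUser> Users = new();

    // PBKDF2-HMAC-SHA512 over the password and this user's salt.
    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                  HashAlgorithmName.SHA512, HashBytes);

    // Registration: generate a fresh random salt and store it with the hash.
    public static void Register(string userName, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        Users[userName] = new StoredUser(salt, Derive(password, salt));
    }

    // Login: fetch the user's own salt, recompute, compare in constant time.
    public static bool Verify(string userName, string password)
    {
        if (!Users.TryGetValue(userName, out var user)) return false;
        byte[] candidate = Derive(password, user.Salt);
        return CryptographicOperations.FixedTimeEquals(candidate, user.Hash);
    }

    public static void Main()
    {
        // Constructed sample data: two users choosing the same password.
        Register("alice", "correct horse");
        Register("bob", "correct horse");

        Console.WriteLine($"alice, right password: {Verify("alice", "correct horse")}");
        Console.WriteLine($"alice, wrong password: {Verify("alice", "wrong")}");

        // Different salts mean the stored hashes differ despite equal passwords.
        bool sameHash = Convert.ToHexString(Users["alice"].Hash)
                        == Convert.ToHexString(Users["bob"].Hash);
        Console.WriteLine($"alice and bob share a stored hash: {sameHash}");
    }
}
```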