BOOK: Professional ASP.NET 4.5 : in C# and VB
This is the forum to discuss the Wrox book Professional ASP.NET 4.5 in C# and VB by Jason N. Gaylord, Christian Wenz, Pranav Rastogi, Todd Miranda, Scott Hanselman; ISBN: 978-1-1183-1182-0
Old May 3rd, 2017, 07:26 PM
Authorized User
security help

Hello, I am working on a project, and I am trying to compare the user name and password credentials to log in to my website. I do have the password hashed in the database, and have a stored procedure set up. I can get it to work if the password is in plain text, but now that it is hashed for better security, I can't get it to work that way. Here is a look at my code, and any help would be greatly appreciated.

private bool CompareStrings(string string1, string string2)
{
    // ignoreCase is true, so this comparison is case-insensitive
    return String.Compare(string1, string2, true, System.Globalization.CultureInfo.InvariantCulture) == 0;
}

public void LogInAccount(string UserName, string UserPassword, Label InvalidLogIn)
{
    connection.ConnectionString = @"Connection String";

    // The hash is computed on the SQL Server side; the query expects two parameters, @UserName and @UserPassword
    string compare = @"Select UserName FROM UserInfo WHERE UserName=@UserName AND UserPassword=HASHBYTES('SHA2_512', @UserPassword)";

    //string compare = "select ISNULL(UserName, '') As UserName, ISNULL(UserPassword, '') As UserPassword from UserInfo where UserName= @UserName";

    SqlCommand CompareUser = new SqlCommand(compare, connection);
    //SqlCommand Command2 = new SqlCommand("select * from SignUp where FirstName= @FirstName", connection);

    //Command2.Parameters.AddWithValue("@FirsName", FirstName.Text);

    // Note: the parameter name given here does not match the @UserPassword placeholder used in the query above
    CompareUser.Parameters.AddWithValue("@HASHBYTES('SHA2_512', @UserPassword)", UserPassword);

    CompareUser.Parameters.AddWithValue("@UserName", UserName);

    SqlDataReader dr = CompareUser.ExecuteReader();

    //string User = UserName;
    //string UserPassword = Password;

    //HtmlAnchor LogIn = (HtmlAnchor)Master.FindControl("LogIn");
    //HtmlAnchor SignUp = (HtmlAnchor)Master.FindControl("SignUp");

    while (dr.Read())
    {
        // Note: the query only selects UserName, so dr["UserPassword"] is not present in the result set
        if (this.CompareStrings(dr["UserName"].ToString(), UserName) &&
            this.CompareStrings(dr["UserPassword"].ToString(), UserPassword))
        {
            InvalidLogIn.Visible = false;
            FormsAuthentication.RedirectFromLoginPage(UserName, true);
        }
        InvalidLogIn.Visible = true;
    }
}

Thanks a lot
Old March 22nd, 2019, 10:38 AM
Wrox Author

Just at a glance, there are a couple of things that jump out at me. First, you have specified HASHBYTES as the parameter name in the call to add the password parameter to the SQL command. You are already creating the hash in the SQL command itself when doing the compare, so just pass the password as the parameter to that command. Instead of

CompareUser.Parameters.AddWithValue("@HASHBYTES('SHA2_512', @UserPassword)", UserPassword);

just do this

CompareUser.Parameters.AddWithValue("@UserPassword", UserPassword);

On another note, consider adding a salt value to your hash to make it a little more secure. In fact, if possible, make the salt unique to the user and store the salt with the user info. That way the salt is different for each record.
If that does not help, I can attempt to look a little more in depth, but that might be your problem.
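The following is an added example, not code from either post, showing both points of the reply in working C#: first the minimal fix (the parameter name passed to the command matches the @UserPassword placeholder, and HASHBYTES stays on the SQL Server side), then the per-user salt the reply recommends, stored next to the hash. The salted variant hashes in the application with PBKDF2-HMAC-SHA512 (a salted, iterated hash) rather than a single SHA-512 pass; that is this example's choice, not something the thread prescribes. The table layout UserInfo(UserName, PasswordSalt varbinary(16), PasswordHash varbinary(64)), the column sizes and all method names are assumptions, and the Rfc2898DeriveBytes constructor that takes a HashAlgorithmName needs .NET Framework 4.7.2 or later or .NET Core.

```csharp
// Added example (not from the thread). Assumes System.Data.SqlClient and a
// hypothetical table UserInfo(UserName nvarchar(256), PasswordSalt varbinary(16),
// PasswordHash varbinary(64)) for the salted variant. An open SqlConnection is
// passed in by the caller (e.g. the page's LogInAccount method).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginChecker
{
    // 1. Minimal fix to the thread's query: the parameter name must match the
    //    @UserPassword placeholder in the SQL text. HASHBYTES runs on the server.
    //    Caveat: HASHBYTES hashes the bytes of the value it receives, so the
    //    parameter type (nvarchar vs varchar) must match the type that was used
    //    when the stored hash was originally computed, or nothing will ever match.
    public static bool VerifyWithSqlHashBytes(SqlConnection connection, string userName, string userPassword)
    {
        const string sql = @"SELECT 1 FROM UserInfo
                             WHERE UserName = @UserName
                               AND UserPassword = HASHBYTES('SHA2_512', @UserPassword)";
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@UserPassword", SqlDbType.NVarChar, 256).Value = userPassword;
            return cmd.ExecuteScalar() != null;   // a row comes back only if both matched
        }
    }

    // 2. Salted variant: a random salt per user, stored with the user record,
    //    hash computed in the application with PBKDF2-HMAC-SHA512.
    private const int SaltBytes = 16;
    private const int HashBytes = 64;
    private const int Iterations = 100000;

    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA512))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Compare every byte regardless of where the first mismatch is, so the time
    // taken does not reveal how much of the hash matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void CreateUser(SqlConnection connection, string userName, string password)
    {
        byte[] salt = NewSalt();
        byte[] hash = HashPassword(password, salt);
        const string sql = @"INSERT INTO UserInfo (UserName, PasswordSalt, PasswordHash)
                             VALUES (@UserName, @PasswordSalt, @PasswordHash)";
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@PasswordSalt", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.VarBinary, HashBytes).Value = hash;
            cmd.ExecuteNonQuery();
        }
    }

    public static bool VerifySalted(SqlConnection connection, string userName, string password)
    {
        const string sql = @"SELECT PasswordSalt, PasswordHash FROM UserInfo WHERE UserName = @UserName";
        byte[] salt = null, stored = null;
        using (var cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.Read())
                {
                    salt = (byte[])dr["PasswordSalt"];
                    stored = (byte[])dr["PasswordHash"];
                }
            }
        }
        // Unknown user: still run the KDF against a dummy salt so the response
        // time looks the same as for a wrong password, then reject.
        byte[] computed = HashPassword(password, salt ?? new byte[SaltBytes]);
        return stored != null && FixedTimeEquals(computed, stored);
    }
}
```

In the page's LogInAccount method, the password lookup and compare would collapse to a single call such as `if (LoginChecker.VerifySalted(connection, UserName, UserPassword)) { ... RedirectFromLoginPage ... }`; the salt never needs to be secret, only unique per user, which is why it can sit in the same row as the hash.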