security help
Hello I am working on a project, and I am trying to compare the user name and password credentials to log in to my website. I do have the password hashed in the database, and have a stored procedure set up. I can get it to work if the password is in plain text, but now that it is hashed for better security, I cant get it to work that way. Here is a look at my code, and any help would be greatly appreciated.
private bool CompareStrings(string string1, string string2)
{
return String.Compare(string1, string2, true, System.Globalization.CultureInfo.InvariantCulture) == 0 ? true : false;
}
public void LogInAccount(string UserName, string UserPassword, Label InvalidLogIn)
{
connection.ConnectionString = @"Connection String";
connection.Open();
string compare = @"Select UserName FROM UserInfo WHERE UserName=@UserName AND UserPassword=HASHBYTES('SHA2_512', @UserPassword)";
//string compare = "select ISNULL(UserName, '') As UserName, ISNULL(UserPassword, '') As UserPassword from UserInfo where UserName= @UserName";
SqlCommand CompareUser = new SqlCommand(compare, connection);
//SqlCommand Command2 = new SqlCommand("select * from SignUp where FirstName= @FirstName", connection);
//Command2.Parameters.AddWithValue("@FirsName", FirstName.Text);
CompareUser.Parameters.AddWithValue("@HASHBYTES('S HA2_512', @UserPassword)", UserPassword);
CompareUser.Parameters.AddWithValue("@UserName", UserName);
SqlDataReader dr = CompareUser.ExecuteReader();
//string User = UserName;
//string UserPassword = Password;
//HtmlAnchor LogIn = (HtmlAnchor)Master.FindControl("LogIn");
//HtmlAnchor SignUp = (HtmlAnchor)Master.FindControl("SignUp");
while (dr.Read())
{
if (this.CompareStrings(dr["UserName"].ToString(), UserName) &&
this.CompareStrings(dr["UserPassword"].ToString(), UserPassword))
{
InvalidLogIn.Visible = false;
FormsAuthentication.RedirectFromLoginPage(UserName , true);
}
else
{
InvalidLogIn.Visible = true;
}
}
connection.Close();
}
Thanks a lot
|
