Wrox Programmer Forums
| Search | Today's Posts | Mark Forums Read
BOOK: Professional ASP.NET 4.5 : in C# and VB
This is the forum to discuss the Wrox book Professional ASP.NET 4.5 in C# and VB by Jason N. Gaylord, Christian Wenz, Pranav Rastogi, Todd Miranda, Scott Hanselman; ISBN: 978-1-1183-1182-0
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Professional ASP.NET 4.5 : in C# and VB section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
  #1 (permalink)  
Old May 3rd, 2017, 07:26 PM
Authorized User
Points: 79, Level: 1
Points: 79, Level: 1 Points: 79, Level: 1 Points: 79, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Dec 2013
Posts: 16
Thanks: 0
Thanked 0 Times in 0 Posts
Default security help

Hello I am working on a project, and I am trying to compare the user name and password credentials to log in to my website. I do have the password hashed in the database, and have a stored procedure set up. I can get it to work if the password is in plain text, but now that it is hashed for better security, I cant get it to work that way. Here is a look at my code, and any help would be greatly appreciated.


private bool CompareStrings(string string1, string string2)
{
return String.Compare(string1, string2, true, System.Globalization.CultureInfo.InvariantCulture) == 0 ? true : false;
}

public void LogInAccount(string UserName, string UserPassword, Label InvalidLogIn)
{
connection.ConnectionString = @"Connection String";
connection.Open();


string compare = @"Select UserName FROM UserInfo WHERE UserName=@UserName AND UserPassword=HASHBYTES('SHA2_512', @UserPassword)";

//string compare = "select ISNULL(UserName, '') As UserName, ISNULL(UserPassword, '') As UserPassword from UserInfo where UserName= @UserName";

SqlCommand CompareUser = new SqlCommand(compare, connection);
//SqlCommand Command2 = new SqlCommand("select * from SignUp where FirstName= @FirstName", connection);

//Command2.Parameters.AddWithValue("@FirsName", FirstName.Text);

CompareUser.Parameters.AddWithValue("@HASHBYTES('S HA2_512', @UserPassword)", UserPassword);

CompareUser.Parameters.AddWithValue("@UserName", UserName);

SqlDataReader dr = CompareUser.ExecuteReader();

//string User = UserName;
//string UserPassword = Password;

//HtmlAnchor LogIn = (HtmlAnchor)Master.FindControl("LogIn");
//HtmlAnchor SignUp = (HtmlAnchor)Master.FindControl("SignUp");

while (dr.Read())
{
if (this.CompareStrings(dr["UserName"].ToString(), UserName) &&
this.CompareStrings(dr["UserPassword"].ToString(), UserPassword))
{
InvalidLogIn.Visible = false;
FormsAuthentication.RedirectFromLoginPage(UserName , true);
}
else
{
InvalidLogIn.Visible = true;
}
}
connection.Close();
}

Thanks a lot
  #2 (permalink)  
Old March 22nd, 2019, 10:38 AM
Wrox Author
Points: 17, Level: 1
Points: 17, Level: 1 Points: 17, Level: 1 Points: 17, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Mar 2013
Location: Central Alabama
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Just at a glance, there are a couple things that jump out at me. First, you have specified HASHBYTES as the parameter name in the call to add the password parameter to the sql command. You are already creating the hash in the sql command itself when doing the compare so just pass the password as the parameter to that command. Instead of
Code:
CompareUser.Parameters.AddWithValue("@HASHBYTES('S HA2_512', @UserPassword)", UserPassword);
just do this

Code:
CompareUser.Parameters.AddWithValue("@UserPassword", UserPassword);
On another note, consider adding a salt value to your hash to make it a little more secure. In fact, if possible, make the salt unique to the user and store the salt with the user info. That way the salt is different for each record.
If that does not help, I can attempt to look a little more in depth, but that might be your problem.


Similar Threads
Thread Thread Starter Forum Replies Last Post
Security MonkeyMan666 SQL Server 2005 1 January 21st, 2010 08:27 AM
Security Fed BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6 4 December 16th, 2009 10:34 AM
Code Access Security & Role Based Security robzyc C# 6 April 11th, 2008 02:31 AM
System.Security.SecurityException: Security error coolcatjk Pro VB.NET 2002/2003 4 March 2nd, 2006 06:00 PM
Security deys C++ Programming 0 February 2nd, 2006 02:33 AM





Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.