
I am using ASP.NET membership because this is not a typical website to have that kind of authentication. I have a table that Admin assigns with Uname and Password (Encrypted).

I have a LogIn page; when the Login button is clicked I need to search for the user in my DB table.

```csharp
public void getuserinfo()
{
    String var = System.Configuration.ConfigurationManager
        .ConnectionStrings["KKSTechConnectionString"].ConnectionString;

    SqlConnection conn = new SqlConnection(var);
    SqlCommand myCmd = new SqlCommand("SELECT Username, Pass FROM Users", conn);
    conn.Open();

    // if (TextBox1 == Username) && (TextBox2 == Password)   <- I am not able to get this right :(
    {
        // How do I get his info??
    }
}
```

*Database table for dbo.Users:*

| Uname (PK) | Pass | EmpID (FK) |
|------------|------|------------|

I want to first decrypt the password and then compare it with the TextBox password.

Please help.

Yatrix
Girish

2 Answers


Another approach would be to hash the password entered on the user screen and compare that with the hashed password stored in the database.

Now, use your function like this.

```csharp
using System;
using System.Data.SqlClient;

public void ValidateUser()
{
    var connectionString = System.Configuration.ConfigurationManager
        .ConnectionStrings["KKSTechConnectionString"].ConnectionString;
    var userName = txtUserName.Text;
    // Hash the entered password the same way the stored value was hashed
    var hashedPassword = Helper.ComputeHash(txtPassword.Text, "SHA512", null);
    // this query should be parameterised when used in production to avoid SQL injection attacks
    var query = String.Format("SELECT Username, Pass FROM Users WHERE Username='{0}' AND Pass='{1}'",
                    userName,
                    hashedPassword);

    using (var connection = new SqlConnection(connectionString))
    using (var command = new SqlCommand(query, connection))
    {
        connection.Open();   // open the connection declared above, not an undeclared "conn"
        SqlDataReader reader = command.ExecuteReader();
        if (reader.Read())
        {
            // a row came back: username and hashed password matched
        }
        reader.Close();
    }
}
```
naveen
  • I have created a class called "helper". This is the [link](http://chandradev819.wordpress.com/2011/04/11/how-to-encrypt-and-decrypt-password-in-asp-net-using-c/) where I used hashing. So instead of "GetMd5Hash", what do I use here? – Girish Aug 17 '12 at 05:08
  • @naveen. This looks good. But with `if(reader.Read()) { }`, can I use Switch(query) to validate the user? I mean, based on roles in the table, I need to redirect the user. – Girish Aug 17 '12 at 07:14

A few questions before we get to the solution:

  1. How are you sending the username and password from the client to the server side? Is it plain text?
  2. Where does the encryption happen?
  3. Have you written the encryption code yourself or are you using one of the available standards?

In your code, I can notice the following issues:

  1. You have created the connection object and command object, although you have never executed the query against the database.
  2. The query you are using returns the entire user table, which is definitely not required. You already have the user inputs for username and password, so just find out if they are correct.
  3. Make your query parameterized and send the input to the database. There, check if the username and password match. If they do, send back the user details (which you will need somewhere in the application, I suppose); otherwise either throw an exception or return null.

Make sure to take care of encryption/decryption before matching username and password.

danish
  • I have used the class mentioned at this [link](http://chandradev819.wordpress.com/2011/04/11/how-to-encrypt-and-decrypt-password-in-asp-net-using-c/) to encrypt the password before storing it in my table dbo.Users. I just want a method to decrypt and compare the values using ADO.NET against the TextBox fields. – Girish Aug 17 '12 at 04:51
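As a worked example that is not part of the question or of either answer, the following C# combines the advice given in both answers: hash the entered password, look the user up with a parameterised query instead of string-formatted SQL, and return the user's details or null. It assumes the column names Uname, Pass and EmpID from the question's table sketch, that EmpID is an integer, that the stored Pass value is the lower-case hex SHA-512 digest of the password, and uses the class and method names LoginService, UserRecord, ValidateUser and HashPassword, which are mine, not the page's.

```csharp
// Added example, not code from the question or the answers.
// Assumptions: dbo.Users has columns Uname, Pass, EmpID (EmpID assumed int);
// Pass holds the lower-case hex SHA-512 of the password (the "hash and
// compare" approach from the first answer).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public class UserRecord
{
    public string Username { get; set; }
    public int EmpId { get; set; }
}

public static class LoginService
{
    // Lower-case hex SHA-512 of the UTF-8 password, matching the assumed
    // format of the stored Pass column. For new code a slow, salted scheme
    // such as PBKDF2 (Rfc2898DeriveBytes) is the stronger choice.
    public static string HashPassword(string password)
    {
        using (var sha = SHA512.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Constant-time comparison so a mismatch does not reveal, through timing,
    // how many leading characters of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns the matching user's details, or null when the username is
    // unknown or the password does not match. The username travels as a
    // SqlParameter and is never concatenated into the SQL text.
    public static UserRecord ValidateUser(string connectionString, string username, string password)
    {
        const string sql = "SELECT Uname, Pass, EmpID FROM dbo.Users WHERE Uname = @Uname";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@Uname", SqlDbType.NVarChar, 256).Value = username;
            connection.Open();

            using (SqlDataReader reader = command.ExecuteReader())
            {
                if (!reader.Read()) return null;                // unknown user

                string storedHash = reader.GetString(reader.GetOrdinal("Pass"));
                if (!FixedTimeEquals(storedHash, HashPassword(password)))
                    return null;                                 // wrong password

                return new UserRecord
                {
                    Username = reader.GetString(reader.GetOrdinal("Uname")),
                    EmpId = reader.GetInt32(reader.GetOrdinal("EmpID")),
                };
            }
        }
    }
}

// Usage from the Login button's click handler (Web Forms code-behind);
// txtUserName, txtPassword and lblError are assumed control names:
//
//   string cs = System.Configuration.ConfigurationManager
//       .ConnectionStrings["KKSTechConnectionString"].ConnectionString;
//   UserRecord user = LoginService.ValidateUser(cs, txtUserName.Text, txtPassword.Text);
//   if (user == null) { lblError.Text = "Invalid username or password."; return; }
//   // user.EmpId can now drive the role lookup and redirect asked about in the comments.
```

Only the username is sent to the database; the password hash is compared in application code after the row is fetched, so a wrong password and an unknown user both produce the same null result and the same error message to the caller.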