Rajesh
Reputation: 1620
How to Encrypt a Password and Save it in SQL Server Database
In my Project the User after the login has to Change the default Password when he logs in and that password will be stored in the Database I want to Encrypt the Password entered by the User in the Change Password Page and store it in the Database and during re-login of that User I want to Encrypt the password entered in the Login page and Check with the Saved password in Database or Fetch the Encrypted password for Decryption and Checking the Decrypted password with the Entered Password how can I do it my Change Password Code is,
SqlConnection con = new SqlConnection(@"Data Source=ESLHPC17\SQL2008;Initial Catalog=Eval;User ID=;Password=");
try
{
string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
string qry = "Select Password from passtable";
SqlCommand cmd = new SqlCommand(Qry, con);
SqlCommand cmd1 = new SqlCommand(qry, con);
con.Open();
SqlDataAdapter da = new SqlDataAdapter(cmd);
SqlDataAdapter daa = new SqlDataAdapter(cmd1);
DataTable dt = new DataTable();
DataTable dtt = new DataTable();
da.Fill(dt);
daa.Fill(dtt);
if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
{
string strqry = "Update Passtable Set Password='" + EncryptString(NewPassword.Text) + "'";
SqlCommand comd = new SqlCommand(strqry, con);
comd.ExecuteNonQuery();
Label1.Visible = true;
Button1.Visible = true;
ChangeButton.Enabled = false;
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "Current Password and Entered Password did not Match !!!";
}
}
finally
{
con.Close();
con.Dispose();
}
The Edited Code with SQL INJECTION detection
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["EvalCon"].ConnectionString))
{
try
{
string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
string qry = "Select Password from passtable";
if (CurrentPassword.Text != "Select" && CurrentPassword.Text != "Create Table" && CurrentPassword.Text != "Update" && CurrentPassword.Text != "Delete" && CurrentPassword.Text != "Truncate" && CurrentPassword.Text != "Drop Table" && CurrentPassword.Text != "Insert" && CurrentPassword.Text != "@")
{
if (NewPassword.Text != "Select" && NewPassword.Text != "Create Table" && NewPassword.Text != "Update" && NewPassword.Text != "Delete" && NewPassword.Text != "Truncate" && NewPassword.Text != "Drop Table" && NewPassword.Text != "Insert" && NewPassword.Text != "@")
{
using (SqlCommand cmd = new SqlCommand(Qry, con))
{
using (SqlCommand cmd1 = new SqlCommand(qry, con))
{
con.Open();
SqlDataAdapter da = new SqlDataAdapter(cmd);
SqlDataAdapter daa = new SqlDataAdapter(cmd1);
DataTable dt = new DataTable();
DataTable dtt = new DataTable();
da.Fill(dt);
daa.Fill(dtt);
if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
{
string strqry = "Update Passtable Set Password='" + NewPassword.Text + "'";
SqlCommand comd = new SqlCommand(strqry, con);
comd.ExecuteScalar()
Label1.Visible = true;
Button1.Visible = true;
ChangeButton.Enabled = false;
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "Current Password and Entered Password did not Match !!!";
}
}
}
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
CurrentPassword.Enabled = false;
NewPassword.Enabled = false;
ConfirmNewPassword.Enabled = false;
}
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
CurrentPassword.Enabled = false;
NewPassword.Enabled = false;
ConfirmNewPassword.Enabled = false;
}
}
finally
{
con.Close();
con.Dispose();
}
}
Upvotes: 0
Views: 12145
Answers (2)
Feby
Reputation: 1
You can simplify the checking of SQLSyntax check with a class that you call when you want to check Text.
class SQLSyntaxCheck
{
internal static bool CheckSyntax ( string Text )
{
if (Text != "Select" && Text != "Create Table" && Text != "Update" && Text != "Delete" && Text != "Truncate" && Text != "Drop Table" && Text != "Insert" && Text != "@")
return true;
else return false;
}}
You can call it via SQLSyntaxCheck.CheckSyntax ( textbox1.Text.ToString() ) or whichever method comes your way.
Upvotes: 0
Remus Rusanu
Reputation: 294427
Never use user input to append to SQL text. Your code is vulnerable to SQL injection. Use parameters. Read SQL Injection right now.
- Do not store passwords in the database, even encrypted. Store a salted hash. Storing the encrypted password is an illusion of security because you will get the key management needed to decrypt the password wrong. You also talk about comparing the encrypted password which is, again, wrong, it means you do not know how to properly use a random IV in the encryption.
- Learn to use
using() {...}blocks - Learn to use appsetings/websettings for connection strings.
- Learn to use
ExecuteScalar
Upvotes: 3
Related Questions
- How to store password in encrypted format in database entered from web application?
- How to encrypt a password for saving it later in a database or text file?
- How to encrypt password? (csharp/dotnet - azure sql database)
- Password encryption
- How to save SQL server password
- Securely Storing Database Password
- Storing sensitive data in SQL server db with C#
- encryption in sql server
- How to encrypt data in sql server and decrypt it in .net apps
- Encrypt the password column in SQL Server 2008