Shamil Khan

Reputation: 35

validating password with uppercase and lowercase

This is my password textbox aspx elements:

<label for="password">Password</label>
<asp:TextBox ID="UserPassword" runat="server" TextMode="Password"></asp:TextBox>

This is my code behind

protected void LoginSubmit_Click(object sender, EventArgs e)
{
    BOL ObjectBOL = new BOL();
    BAL ObjectBAL = new BAL();
    ObjectBOL.UserName_value = UserText.Text;
    ObjectBOL.UserPassword_value = UserPassword.Text;

    try
    {

        String Login = ObjectBAL.LoginBAL(ObjectBOL);
        int i = int.Parse(Login);
        if (i > 0)
        {
            Response.Redirect("dashboard.aspx", false);
        }
        else
        {
            //UserText.Text = "";
            //UserPassword.Text = "";
            lblMsg.Text = (" Login Failed.... Try Again...");
        }
    }
    catch (Exception)
    {
        throw;   // rethrow as-is; "throw ex;" would reset the stack trace
    }
    finally
    {
        ObjectBAL = null;
    }
}

When the user enters the password in upper-case or lower-case letters it accepts the value and redirects to the next page.

SqlCommand cmd = new SqlCommand("select count(*) from UserTable where User_Name='" + Login.UserName_value +
    "' and User_Password='" + Login.UserPassword_value + "'", con);
string str = cmd.ExecuteScalar().ToString();
return str;

Upvotes: 2

Views: 4386

Answers (6)

user11441779

Reputation:

You need to change your SQL query only; no need to change the table nature or anything else.

SqlCommand cmd = new SqlCommand("select count(*) from UserTable where User_Name COLLATE Latin1_general_CS_AS = '" + Login.UserName_value +
    "' and User_Password COLLATE Latin1_general_CS_AS = '" + Login.UserPassword_value + "'", con);
con.Open();
string str = cmd.ExecuteScalar().ToString();
con.Close();
return str;

Upvotes: 1

Arunprasanth K V

Reputation: 21931

SqlCommand cmd = new SqlCommand("select COUNT(*) from UserTable where (CAST(User_Name as varbinary(50)) = cast('" + Login.UserName_value + "' as varbinary))" +
    " and (CAST(User_Password as varbinary(50)) = cast('" + Login.UserPassword_value + "' as varbinary))", con);
con.Open();
string str = cmd.ExecuteScalar().ToString();
con.Close();
return str;

Try this; it will work.

Upvotes: 0

yogi970

Reputation: 446

There are two solutions for this problem.

  1. Change your database table's nature. By default SQL Server does a case-insensitive comparison, so you need to alter your db table:

    ALTER TABLE UserTable ALTER COLUMN User_Password VARCHAR(20) COLLATE Latin1_General_CS_AS

    Or you can append COLLATE Latin1_General_CS_AS at the end of every query without altering your table.

    Latin1_General_CS_AS is for case-sensitive and Latin1_General_CI_AS for case-insensitive comparison.

    how to make case sensitive comparison in SQL Server

  2. Or you can convert your password to binary, then store it in the db and compare the binary content from the db with the user-entered password.

Suggestion

  1. You can go with the first solution; it will take less time. But the second solution is more secure than the first one. Do read about this on Google; you will find the cons of directly storing passwords in plain text.

  2. As mentioned in the comments, your code is vulnerable to a SQL injection attack. Use a parameterized query instead.

Upvotes: 2

Viswas Menon

Reputation: 310

Please refer to the link below; I think, as mentioned above, COLLATE is the way to go.

http://www.mytecbits.com/microsoft/sql-server/case-sensitive-search-fetching-lowercase-or-uppercase-string

Upvotes: 0

Paul

Reputation: 36349

So I see a couple issues here that you should really look at, let me address those then I'll help with the question you asked.

First, as mentioned in the comments by @Erik Philips, you should be using parameterized queries rather than string concatenation.

Second, you really should be hashing your passwords using a strong hashing algorithm, so if/when your DB gets compromised, you don't divulge all your users' passwords to the attacker.

Ok, as for the actual question at hand you have two options. The far more common solution I've seen is to do the Select just based on the user name, then compare the hashed passwords in C# code to determine whether the user should be logged in or not.

The other option would be to use a case sensitive query in SQL, which in SQL Server requires you to assign a collation via the COLLATE command (either to the query or to the column), perhaps assigning it to whichever relevant character set you want: http://msdn.microsoft.com/en-us/library/ms144250(v=sql.105).aspx

Upvotes: 1
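The approach Paul describes (parameterized lookup by user name, then password verification in C#) as an added example; this is not code from the question or from any answer. It keeps the question's UserTable, User_Name and User_Password names but assumes User_Password holds a varbinary PBKDF2 hash rather than plain text, and assumes a PasswordSalt varbinary column and an iteration count of 100000.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    const int Iterations = 100000; // assumed PBKDF2 cost for this example
    const int HashBytes = 32;

    // At registration: derive a random salt and a PBKDF2 hash to store in the row.
    public static void HashPassword(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashBytes);
    }

    // Compares two byte arrays without stopping at the first mismatch.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // At login: fetch the row by user name only (parameterized, so no SQL
    // injection), then verify the password in C#. The password never reaches
    // SQL, so column collation no longer matters: "Secret" and "secret" hash
    // to different bytes.
    public static bool Verify(SqlConnection con, string userName, string password)
    {
        const string sql = "SELECT PasswordSalt, User_Password FROM UserTable WHERE User_Name = @name";
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userName;
            using (var rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return false;          // unknown user
                byte[] salt = (byte[])rdr[0];           // assumed varbinary column
                byte[] stored = (byte[])rdr[1];         // assumed varbinary column
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                    return FixedTimeEquals(stored, kdf.GetBytes(stored.Length));
            }
        }
    }
}
```

In the question's LoginSubmit_Click this replaces the count(*) query: call Verify with an open connection and redirect only when it returns true.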

SpiderCode

Reputation: 10122

Update your SqlCommand query with COLLATE Latin1_General_CS_AS as shown below to compare the strings case-sensitively:

SqlCommand cmd = new SqlCommand("select count(*) from UserTable where User_Name='" + Login.UserName_value +
    "' and User_Password='" + Login.UserPassword_value + "' COLLATE Latin1_General_CS_AS", con);
string str = cmd.ExecuteScalar().ToString();
return str;

Upvotes: 1
