Reputation: 1
Hi, I have a program where I request a username and password from a user through WPF; I then send the data to a database where it is stored.
    private void btnRegister_Click(object sender, RoutedEventArgs e)
    {
        try
        {
            using (SqlConnection connection = new SqlConnection(ConnectionSQL.conn))
            {
                SqlCommand command = new SqlCommand("INSERT INTO USERTABLE " +
                                                    "VALUES(@Username, @Password);" +
                                                    "Select SCOPE_IDENTITY();", connection);
                command.Parameters.AddWithValue("@Username", txtbUsername.Text);
                command.Parameters.AddWithValue("@Password", Utils.hashPassword(txtbPassword.Text));
                connection.Open();
                SqlDataAdapter adapter = new SqlDataAdapter();
                adapter.InsertCommand = command;
                int id = Convert.ToInt32(adapter.InsertCommand.ExecuteScalar());
                MessageBox.Show("User Registered! User has been added to the database: " + id);
                adapter.Dispose();
                String Username = txtbUsername.Text;
                String Password = txtbPassword.Text;
                Users temp = new Users(id, Username, Password);
                Login L = new Login();
                arrUsers.Add(temp);
                Hide();
                L.ShowDialog();
            }
        }
        catch (SqlException ex)
        {
            MessageBox.Show("Error Connecting to the Database", "Connection Error" + ex.ToString());
        }
    }
I created a function to store the password as a hash in the database.
    using System;
    using System.Security.Cryptography;
    using System.Text;

    public class Utils
    {
        // SHA-1 over the ASCII bytes of the password, returned as Base64.
        public static string hashPassword(String password)
        {
            SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();
            byte[] password_bytes = Encoding.ASCII.GetBytes(password);
            byte[] encrypted_bytes = sha1.ComputeHash(password_bytes);
            return Convert.ToBase64String(encrypted_bytes);
        }
    }
When I try to log in and validate the password while it's stored as a hash, it doesn't work.
    private void btnLogin_Click(object sender, RoutedEventArgs e)
    {
        try
        {
            using (SqlConnection connection = new SqlConnection(ConnectionSQL.conn))
            {
                connection.Open();
                String Username = Convert.ToString(txtbUsername.Text);
                String Password = Convert.ToString(txtbPassword.Text);
                String sql = "SELECT * FROM USERTABLE where Username = '" + Username + "' " +
                             "AND Password = '" + Password + "' ;";
                SqlCommand command = new SqlCommand(sql, connection);
                SqlDataReader reader = command.ExecuteReader();
                if (reader.HasRows)
                {
                    MessageBox.Show("You Have Successfully Logged In");
                    MainWindow Main = new MainWindow();
                    txtbUsername.Text = "";
                    txtbPassword.Text = "";
                    this.Hide();
                    Main.ShowDialog();
                    this.Show();
                }
                else
                {
                    MessageBox.Show("Invalid Credentials");
                }
                reader.Close();
                command.Dispose();
            }
        }
        catch (SqlException ex)
        {
            Console.WriteLine(ex.ToString());
        }
        Console.ReadLine();
    }
Although when I don't hash the password in the database, it works. Any tips on solving this?
Upvotes: 0
Views: 882
Reputation: 1574
You don't compare a non-hashed password with a hashed password. When getting the password from the client, you need to hash that password again, and then match the hashed values. If they match, it should return success.
Updating this should resolve it:
    String Password = Convert.ToString(Utils.hashPassword(txtbPassword.Text));
But there are a lot more glaring issues here that you will need to address:
Firstly: You need to use SqlParameter to add values to your WHERE clause instead of adding the values directly into your SQL command. This is to avoid SQL Injection.
Secondly: Split your data access layer away from your application. This is a great risk if the code accessing your database is available to the client.
There are some other things I would change. But these should be good starting points.
Upvotes: 1
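The two fixes the answer recommends (hash the submitted password before comparing, and pass the lookup value as a SqlParameter) combined into one login check. This is an added example, not code from the question or the answer; it reuses the page's hashing transform so it stays compatible with what is already stored, and the `LoginCheck` class name, the `@Username` column type/length and the `COUNT`-free lookup shape are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class LoginCheck
{
    // Same transform as the page's Utils.hashPassword (SHA-1, ASCII, Base64),
    // so a freshly hashed login attempt is comparable with the stored value.
    // Unsalted SHA-1 is kept only for compatibility with the existing rows;
    // a salted, slow password hash is the better choice for new code.
    public static string HashPassword(string password)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] hash = sha1.ComputeHash(Encoding.ASCII.GetBytes(password));
            return Convert.ToBase64String(hash);
        }
    }

    // Returns true only if the user exists and the stored hash equals the hash
    // of the submitted password. The username travels as a SqlParameter, so the
    // input is never spliced into the SQL text (no injection surface).
    public static bool CredentialsMatch(string connectionString, string username, string plaintextPassword)
    {
        const string sql = "SELECT Password FROM USERTABLE WHERE Username = @Username;";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Assumed column type and length; match them to the real USERTABLE definition.
            command.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            connection.Open();
            object stored = command.ExecuteScalar();   // null when no such user
            if (stored == null || stored == DBNull.Value)
                return false;

            // Compare in C# with an ordinal comparison: SQL Server's default
            // collation is usually case-insensitive, which would let two Base64
            // hashes differing only in letter case be treated as equal.
            string submitted = HashPassword(plaintextPassword);
            return string.Equals((string)stored, submitted, StringComparison.Ordinal);
        }
    }
}
```

From btnLogin_Click this replaces the concatenated query: `if (LoginCheck.CredentialsMatch(ConnectionSQL.conn, txtbUsername.Text, txtbPassword.Text)) { ... }`.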