getting pwds for a particular username

srivalli

In my dbase I have one table which consists of 2 columns,
username and password.
Now my qry is:
how to check a particular pwd for a username?

Thanks
 
I would think you want to check a particular username for a password, not the other way around. It is quite possible to have several usernames with the same password, but unlikely to have multiple instances of the same username. So, with that in mind, the logic would be like this:

1) Query the table for the password for the given username. Since it is only 1 value, you could get away with using .ExecuteScalar
2) Compare the returned result with the inputted password.
3) If they match, allow access.
4) If they don't match, deny access.

HTH,
Blokz
 
Blokz: that's very helpful information. I have the same trouble as the owner of this thread. I am new to VB.NET. I use SQL Server; on my login form, I have SqlDataAdapterUserLogin, SqlConnectionUserLogin and DataSetUserLogin set up visually. Can you be more specific in code, please? Thanks!
 
You don't need to use dataset for login, use datareader!

VB.NET:
If cn.State <> ConnectionState.Open Then
    cn.Open()
End If
cm = New SqlCommand
cm.Connection = cn
cm.CommandType = CommandType.Text
'builds the query text by concatenating the textbox values (the replies below replace this with parameters)
cm.CommandText = "SELECT Username, Password FROM TableName WHERE " & _
    "Username='" & Me.txtUsername.Text & "' AND Password='" & Me.txtPassword.Text & "'"
dr = cm.ExecuteReader(CommandBehavior.CloseConnection)
dr.Read()
If dr.HasRows Then
    'let user enter app
Else
    'forbid access (do nothing or notify user that login info is bad)
End If
dr.Close()
 
Just my 2 cents here:

It is a very bad idea to concatenate a SQL string from user input. It allows a bad user to do all sorts of nasty things to your database. Change the query to use Parameters instead, as that will help protect the database.
 
Use parameters, as suggested earlier, and use ExecuteScalar instead of ExecuteReader:
VB.NET:
Dim myCommand As New SqlCommand("SELECT COUNT(*) FROM Users WHERE UserID = @UserID AND Password = @Password", myConnection)

myCommand.Parameters.Add("@UserID", userIDValue)
myCommand.Parameters.Add("@Password", passwordValue)

myConnection.Open()

If CInt(myCommand.ExecuteScalar()) = 0 Then
    MessageBox.Show("Login failed.")
Else
    MessageBox.Show("Login successful.")
End If

myConnection.Close()

It is also not a good idea to store the actual password in the database. What you can do, if security is genuinely important, is hash the password when the user creates it and then store that value. When the user logs in you would then hash the password they provide using the same algorithm and compare that to the hash value stored in the database. The advantage is that the hash value can never be used to recreate the original password. The .NET Framework has in-built support for the SHA1 and MD5 algorithms.
 
qry in generating sha1 or MD5 for password

Hello sir,
thank you for your response.
Can I get any hint for MD5 or SHA1 for generating passwords?
You mentioned that once the password is stored in the database it is not possible to view the password again,
but what if any user forgets his password and tries to retrieve it?
Any suggestions?
Thank you

jmcilhinney said:
Use parameters, as suggested earlier, and use ExecuteScalar instead of ExecuteReader:
VB.NET:
Dim myCommand As New SqlCommand("SELECT COUNT(*) FROM Users WHERE UserID = @UserID AND Password = @Password", myConnection)
 
myCommand.Parameters.Add("@UserID", userIDValue)
myCommand.Parameters.Add("@Password", passwordValue)
 
myConnection.Open()
 
If CInt(myCommand.ExecuteScalar()) = 0 Then
    MessageBox.Show("Login failed.")
Else
    MessageBox.Show("Login successful.")
End If
 
myConnection.Close()

It is also not a good idea to store the actual password in the database. What you can do, if security is genuinely important, is hash the password when the user creates it and then store that value. When the user logs in you would then hash the password they provide using the same algorithm and compare that to the hash value stored in the database. The advantage is that the hash value can never be used to recreate the original password. The .NET Framework has in-built support for the SHA1 and MD5 algorithms.
 
When I say that the hash value can never be used to recreate the original password I mean just that. The only thing you can do if someone forgets their password, and this is exactly what IS done, is to reset their password to something of your choosing and give them that as a new password. It's then up to the user to change that password to something new of their own choosing.
 
Seven is correct. Some things that are being done now are adding multiple levels before hashing it in the database.

1. Convert the text to pure upper, or pure lower case, or a mixed case of your choosing.
2. Add additional strings to the beginning or ending of the password string (or if you want to get real fancy embed it in)
3. XOR it with a string of your choice.
4. Add the user name into it.

There are many things you can do to the string before hashing it into the database to add layers of security to your application. There are also many books out there on the subject now.
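
Added example, not part of any post in this thread: the steps the replies arrive at (look up the row by username with a parameter, store only a hash, mix a per-user value into it), using PBKDF2 via `Rfc2898DeriveBytes` with a random salt in place of a single SHA1/MD5 pass. The `Users` schema, the module and function names, the iteration count and an already-open `cn` are assumptions; the `HashAlgorithmName` constructor overload needs .NET Framework 4.7.2 or later.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module PasswordLogin
    ' Assumed (hypothetical) schema: Users(UserName NVARCHAR(50), Salt VARBINARY(16), PasswordHash VARBINARY(32))
    Private Const Iterations As Integer = 100000   ' assumed work factor; tune for your hardware

    Private Function DeriveHash(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' Call when a user creates a password or an administrator resets it.
    Public Sub StorePassword(cn As SqlConnection, userName As String, password As String)
        Dim salt(15) As Byte   ' 16 random bytes, different for every user and every reset
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using cmd As New SqlCommand("UPDATE Users SET Salt = @Salt, PasswordHash = @Hash WHERE UserName = @UserName", cn)
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, 16).Value = salt
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, 32).Value = DeriveHash(password, salt)
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' Query by username only; the password never appears in the SQL text or its parameters.
    Public Function VerifyLogin(cn As SqlConnection, userName As String, password As String) As Boolean
        Using cmd As New SqlCommand("SELECT Salt, PasswordHash FROM Users WHERE UserName = @UserName", cn)
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
            Using dr As SqlDataReader = cmd.ExecuteReader()
                If Not dr.Read() Then Return False                    ' unknown username
                Dim salt As Byte() = TryCast(dr("Salt"), Byte())      ' Nothing if the column is NULL
                Dim stored As Byte() = TryCast(dr("PasswordHash"), Byte())
                If salt Is Nothing OrElse stored Is Nothing Then Return False
                Dim candidate As Byte() = DeriveHash(password, salt)
                ' Compare every byte so the time taken does not reveal where the first mismatch is.
                Dim diff As Integer = stored.Length Xor candidate.Length
                For i As Integer = 0 To Math.Min(stored.Length, candidate.Length) - 1
                    diff = diff Or (stored(i) Xor candidate(i))
                Next
                Return diff = 0
            End Using
        End Using
    End Function
End Module
```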
 