Question mysql hash

[Allahmuad Abu Zhar]

So basically, i'm making a login system with vb.net and mysql. It works perfectly when i use plain text. However i wanna make it more secure by hashing the contents using sha512. If i register and hash the credentials, the hash will be added in the database. But when i try to log in, it says invalid credentials.
Here's the code if it helps somehow:

login function:

        Dim username As String = hash(usern.Text)
        Dim password As String = hash(passw.Text)
        Dim con As New MySqlConnection("host=sql7.freemysqlhosting.net; username=sql7124107; password=censored; database=sql7124107")
        Dim cmd As New MySqlCommand
        Dim dr As MySqlDataReader


        con.Open()
        cmd.Connection = con
        cmd.CommandText = "select userid, password from login where userid='" & username & "' and password='" & password & "'"
        dr = cmd.ExecuteReader
        If dr.HasRows Then
            'logged in
            Me.Hide()
            Main.Show()
        Else
            'not logged in
            errortext.Visible = True
            errortext.Text = "Invalid credentials, user dont exist."
        End If

hash function:

    Public Function hash(str As String) As String
        Try
            Dim x As New System.Security.Cryptography.SHA512CryptoServiceProvider()
            Dim bs As Byte() = System.Text.Encoding.UTF8.GetBytes(str)
            bs = x.ComputeHash(bs)
            Dim s As New System.Text.StringBuilder()
            For Each b As Byte In bs
                s.Append(b.ToString("x2").ToLower())
            Next


            Return s.ToString()
        Catch ex As Exception
            errortext.Text = ex.ToString()
            errortext.Visible = True
            errortext.ForeColor = Color.Red
        End Try
    End Function

register function:

        For Each s As String In badkeywords
            If usern.Text.Contains(s) Then
                errortext.Text = "Your name contains a offensive word"
                errortext.Visible = True
                errortext.ForeColor = Color.Red
                Return
            End If
        Next
        If Not passw.Text = TextBox1.Text Then
            errortext.Text = "Passwords doesn't match."
            errortext.Visible = True
            errortext.ForeColor = Color.Red
            Return
        End If
        Dim username As String = hash(usern.Text)
        Dim password As String = hash(passw.Text)
        Try
            Dim con As New MySqlConnection("host=sql7.freemysqlhosting.net; username=sql7124107; password=censored; database=sql7124107")
            Dim cmd As New MySqlCommand
            con.Open()
            cmd.Connection = con
            cmd.CommandText = "insert into login(userid,password) values ('" & username & "','" & password & "')"
            cmd.ExecuteNonQuery()
            errortext.Text = "Successfully registered!"
            errortext.ForeColor = Color.Green
            errortext.Visible = True
        Catch ex As Exception
            errortext.Text = ex.ToString()
            errortext.Visible = True
            errortext.ForeColor = Color.Red
        End Try

Edit:
I found that the output hash was to long. It works with sha-1 but not sha512. But i still think it should work with sha512 so if anyone could help me i would appreciate it.

 

[jmcilhinney]

I would suggest converting the hash to a base-64 string rather than hex. The output will be shorter then and it make work as is. The Convert class has methods for converting between Byte arrays and base-64 Strings.

Regardless, there's really no reason that it should not work with a long has because databases can handle long text. Have you maybe just specified the size of the column incorrectly?

By the way, in this line:

s.Append(b.ToString("x2").ToLower())

the ToLower call is pointless because the "x2" format specifier already outputs lower case. If you used "X2" then it would be upper case. That becomes a moot point if you use base-64 though.

Also, you should never use string concatenation to insert values into SQL code. You may be safe in this case because your values are known to be hexadecimal strings but why get into a bad habit when it's virtually no effort at all to use parameters in this and all other cases? If you always do it the right way then you will never accidentally do it the wrong way when it really matters.

Finally, if you're concerned enough about security to has the user name to, which is generally not done, then you should probably be salting your hashes too.

 

[Allahmuad Abu Zhar]

I found the solution, it looks like i had ( for some weird reason ) set a limit to 45 characters. And thanks for your other suggestions, you really help me out!