When I am using
C#
string EncraptedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "SHA1");

then my password is encrypted and saved in the SQL database, but the problem is that the password saved in the SQL Server database table is not full length (when I use a tooltip in ASP.NET the encrypted password is longer, but only half of the length is saved in the database table).

When I go to log in and encrypt the password using the same HashPassword...
at that time it does not log in because the password does not match.

What I have tried:

C#
string uname = txtUsername.Text;
string pass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1");
con.Open();
string qry = "select * from tblUser where Email='" + uname + "' and Pasword='" + pass + "'";
SqlCommand cmd = new SqlCommand(qry, con);
SqlDataReader sdr = cmd.ExecuteReader();
if (sdr.Read())
{
    Response.Redirect("~/Home.aspx");
}
else
{
    lblMeg.Visible = true;
}
Updated 28-Sep-17 2:26am

Don't do it like that. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

This is particularly important in login systems, because they allow me to do this without logging in, or to bypass your login procedure completely by entering my username as
admin';--
Which means that I don't need a password.
In addition, you are storing the password as a string, which is wasteful and unnecessary.
Store it as a VARBINARY column, send the hashed value directly, and when you want to check, you use the userID to retrieve the hashed bytes via a parameterised query. Your C# code then compares the hashes and decides if the user is authorised.
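The bypass described in the answer above, run against a throwaway sqlite3 copy of the poster's table. This is an added example, not the poster's code or CodeProject's: it is Python rather than C#, the sqlite3 "?" placeholder stands in for ADO.NET's @parameters, and the user name, password and table contents are made up for the demo. The three login functions are the poster's concatenated query, the same query with parameters, and the lookup-then-compare-in-code shape the answer recommends.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data for the demo: one user with a known password.
USER_EMAIL = "admin"
USER_PASSWORD = "correct horse"


def sha1_hex(password: str) -> str:
    """Same output as FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "SHA1"):
    the SHA-1 digest of the UTF-8 text rendered as 40 upper-case hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the poster's tblUser (same column names, including 'Pasword')."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblUser (Email TEXT PRIMARY KEY, Pasword TEXT NOT NULL)")
    con.execute("INSERT INTO tblUser VALUES (?, ?)", (USER_EMAIL, sha1_hex(USER_PASSWORD)))
    return con


def login_concat(con, uname: str, password: str) -> bool:
    """The poster's query, built by string concatenation. The attacker controls uname,
    so a quote in it ends the string literal and the rest becomes SQL syntax."""
    qry = ("select * from tblUser where Email='" + uname
           + "' and Pasword='" + sha1_hex(password) + "'")
    return con.execute(qry).fetchone() is not None


def login_param(con, uname: str, password: str) -> bool:
    """Same query with placeholders: the driver ships the values separately from the
    SQL text, so quotes inside uname are data, never syntax."""
    qry = "select 1 from tblUser where Email=? and Pasword=?"
    return con.execute(qry, (uname, sha1_hex(password))).fetchone() is not None


def login_lookup(con, uname: str, password: str) -> bool:
    """The answer's preferred shape: fetch the stored hash for the user with a
    parameter, then compare in application code. compare_digest runs in constant
    time so the comparison does not leak how many leading characters matched."""
    row = con.execute("select Pasword from tblUser where Email=?", (uname,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], sha1_hex(password))


def stacked_statement_blocked(con) -> bool:
    """The "x';DROP TABLE ...;--" payload from the answer. Python's sqlite3 refuses a
    second statement in execute(), which is a driver quirk, not protection: SqlCommand
    on SQL Server runs the whole batch, so on the poster's stack the table is gone."""
    payload = "x';DROP TABLE tblUser;--"
    try:
        login_concat(con, payload, "anything")
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def demo() -> dict:
    con = make_db()
    # Username "admin';--" closes the quote and comments out the password check,
    # so the concatenated query degenerates to: select * from tblUser where Email='admin'
    bypass = "admin';--"
    return {
        "concat_real": login_concat(con, USER_EMAIL, USER_PASSWORD),
        "concat_bypass": login_concat(con, bypass, "anything"),
        "param_real": login_param(con, USER_EMAIL, USER_PASSWORD),
        "param_bypass": login_param(con, bypass, "anything"),  # no user literally named "admin';--"
        "lookup_real": login_lookup(con, USER_EMAIL, USER_PASSWORD),
        "lookup_wrong": login_lookup(con, USER_EMAIL, "wrong password"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
    print("stacked statement blocked by sqlite3:", stacked_statement_blocked(make_db()))
```

The C# equivalent of the parameterized form is cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = uname with "Email=@Email" in the query text; the important part is that the user-supplied value never becomes part of the SQL string.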
First, it's "encryption", not "encraption". Well, unless you're encasing passwords in literal "crap".

Hashing a password, or anything else, is not encrypting it. In your case, you're using a cryptographic hash, a mathematical representation of the original object that cannot be undone. You cannot decrypt a hash to get the original value back.

Hashing does not mean you're going to get the same number of bytes out as the original object. Chances are good that you're going to get a different number of bytes than the original object contained.

With "encryption", you can get the original object back. DO NOT USE PLAIN TEXT OR ENCRYPTION TO STORE PASSWORDS!! Always use a cryptographic hash and store the hashed value.
Comments
Member 12611488 28-Sep-17 13:29pm    
Can you please provide me a solution so that I can do this, because I'm new in the programming world.
Thanks in Advance
Dave Kreskowiak 28-Sep-17 17:13pm    
This is documented all over the place. Take your pick of these articles.
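An added example (not from either answer or the poster) for the two points the second answer makes: a hash is fixed-length regardless of the input, and it is one-way, so the stored value is compared with a fresh hash rather than "decrypted". SHA-1 always produces 20 bytes; the string form the poster's HashPasswordForStoringInConfigFile call returns is those 20 bytes as 40 upper-case hex characters, so the column has to accept at least 40 characters, which is the check to make against the poster's symptom. The block goes one step past the page: the last two functions show a salted, iterated hash (PBKDF2-HMAC-SHA256, 600,000 iterations) with a constant-time compare, which is what password storage should use in place of a bare SHA-1. It is Python, not C#, and the sample passwords are made up.

```python
import hashlib
import hmac
import os


def sha1_digest(password: str) -> bytes:
    """Raw 20-byte SHA-1 digest: what a VARBINARY(20) column would hold."""
    return hashlib.sha1(password.encode("utf-8")).digest()


def sha1_hex(password: str) -> str:
    """The string HashPasswordForStoringInConfigFile(pw, "SHA1") returns: 40 upper-case hex chars."""
    return sha1_digest(password).hex().upper()


def output_lengths(passwords) -> set:
    """(bytes, hex chars) for each input: the algorithm fixes the size, the input does not."""
    return {(len(sha1_digest(p)), len(sha1_hex(p))) for p in passwords}


def fits_column(hashed: str, column_width: int) -> bool:
    """A character column narrower than the hex hash cannot store it whole, and a
    truncated stored value can never equal a freshly computed one at login."""
    return len(hashed) <= column_width


def verify_sha1_hex(stored: str, password: str) -> bool:
    """Verification of a hash is 'hash again and compare', never 'decrypt'.
    compare_digest is constant-time, unlike == which stops at the first mismatch."""
    return hmac.compare_digest(stored, sha1_hex(password))


def make_password_record(password: str, iterations: int = 600_000):
    """Salted, slow hash: a random 16-byte salt per user plus a high iteration count
    makes precomputed tables useless and brute force expensive. Store all three values."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk, iterations


def verify_password(password: str, salt: bytes, dk: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)


if __name__ == "__main__":
    # Constructed sample inputs of very different lengths.
    samples = ["a", "correct horse", "x" * 500]
    print("SHA-1 (bytes, hex chars) for all inputs:", output_lengths(samples))
    print("SHA-1 hex of 'abc':", sha1_hex("abc"))
    print("fits VARCHAR(40):", fits_column(sha1_hex("abc"), 40))
    print("fits VARCHAR(20):", fits_column(sha1_hex("abc"), 20))
    salt, dk, n = make_password_record("correct horse")
    print("PBKDF2 verify right password:", verify_password("correct horse", salt, dk, n))
    print("PBKDF2 verify wrong password:", verify_password("wrong", salt, dk, n))
```

The salt, the derived key and the iteration count are stored as bytes and an integer (VARBINARY and INT columns in SQL Server), retrieved by user with a parameterized query, and compared in code, which is the same storage shape the first answer recommends for the plain hash.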

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)