main.cs
using System;
using System.Windows;
using MySql.Data.MySqlClient;

private void btn_login_Click(object sender, RoutedEventArgs e)
{
    MySqlConnection sqlCon = new MySqlConnection("xxxxxx");
    try
    {
        if (sqlCon.State == System.Data.ConnectionState.Closed)
            sqlCon.Open();
        // Parameterised query: the username and the password hash are bound, not concatenated.
        String query = "SELECT COUNT(1) FROM tblUser WHERE Username=@Username AND Password=@Password";
        MySqlCommand sqlCmd = new MySqlCommand(query, sqlCon);
        sqlCmd.CommandType = System.Data.CommandType.Text;
        sqlCmd.Parameters.AddWithValue("@Username", txtUsername.Text);
        sqlCmd.Parameters.AddWithValue("@Password", utils.hashPassword(txtPassword.Text));
        int count = Convert.ToInt32(sqlCmd.ExecuteScalar());
        if (count == 1)
        {
            //Logged in
            MessageBox.Show("Logged in");
        }
        else
        {
            //Wrong details!
            MessageBox.Show("Wrong Details");
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
    finally
    {
        sqlCon.Close();
    }
}


utils.cs
using System;
using System.Security.Cryptography;
using System.Text;

public class utils
{
    // Returns the unsalted SHA-1 digest of the ASCII bytes of the password, Base64-encoded.
    public static string hashPassword(string password)
    {
        SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();

        byte[] password_bytes = Encoding.ASCII.GetBytes(password);
        byte[] encripted_bytes = sha1.ComputeHash(password_bytes);
        return Convert.ToBase64String(encripted_bytes);
    }
}


What happens
MessageBox.Show("Wrong Details");


What I've done
The password in MySQL is hashed using SHA1 Hash Generator.

What I have tried:

- No hashed password in database
- Hashed password in database
- SHA1 Hash Generator (Tried uppercase hashes and lowercase hashes)
Posted
Updated 30-Jul-21 8:22am
Comments
Code Fan 30-Jul-21 1:22am
How did you make your hash in the first place? Is it the same method you call here to generate the comparand?
CHill60 30-Jul-21 4:09am
OP responded without using Reply link
zTrusted WF 30-Jul-21 4:45am
yes
Code Fan 30-Jul-21 13:00pm
I agree with CHill60. It's better to store the hash in binary just so you save space & keep its length fixed for much better performance, & load it up to compare in memory. This way, you get to see what's in the bytes as well. By the way, you want to use UTF-8 for encoding, which is the Internet standard today.
CHill60 30-Jul-21 4:10am
If you don't use the "Reply" link when replying to a comment then the poster won't know that you've replied.
CHill60 30-Jul-21 4:13am
Try comparing each element of the byte array separately - as in this example: Password Storage: How to do it.
lmoelleb 1-Aug-21 3:35am
Please go to YouTube and watch the video 8ZtInClXe1Q (how NOT to Store Passwords! - Computerphile). It manages to be entertaining and educating at the same time. In case you think storing a hash is good enough, then no. That is what is referred to as "Naïve attempt number 3" in the video. So yes, also avoid "Password Storage: How to do it" here on CodeProject - it is simply not safe.

Do you know you can let people sign in with Google/Apple/Microsoft ID, facebook accounts, corporate Office 365 accounts, ... - all for free and you can even allow Office 365 from enterprises without the company the email belongs to having to do anything to allow it. It has a bit of a steep learning curve, but once you have gone through that, the code is a lot simpler than storing local accounts.

1 solution

I agree with @CHill60. It's better to store the hash in binary just so you save space & keep its length fixed for much better performance, & then load it up to compare in memory. This way, you get to see what's in the bytes as well. By the way, you want to use UTF-8 for encoding, which is the Internet standard today.

If you aren't allowed to change the schema, you still can load it up in Base64 encoding & compare it in memory, just so you see what's happening in debug mode. Visibility matters!
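The following is an added example, not the original poster's code and not code from the solution above: it puts the advice from the solution and the comments into one runnable C# program. The stored hash is kept as raw bytes (as it would be in a BINARY column), the password is encoded as UTF-8, a per-user random salt and PBKDF2 replace the unsalted SHA-1 digest, and verification compares the bytes in memory with a fixed-time comparison rather than letting the database compare strings. The MySQL lookup is replaced by an in-memory dictionary (constructed sample data) so it runs offline; the `UserRecord` and `PasswordStore` names are assumptions. It also prints one SHA-1 digest in both Base64 (what `hashPassword` on this page returns) and lowercase hex (what a typical online hash generator prints) to show that two encodings of the same digest never compare equal as text. Requires .NET 6 or later.

```csharp
// Added example (not the original poster's code): verify a login by comparing raw
// hash bytes in memory, using UTF-8, a per-user salt and PBKDF2 instead of an
// unsalted SHA-1 digest. Assumptions: UserRecord/PasswordStore are hypothetical
// names, and an in-memory dictionary stands in for the tblUser table.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class UserRecord
{
    public byte[] Salt { get; init; } = Array.Empty<byte>();
    public byte[] Hash { get; init; } = Array.Empty<byte>(); // persist as BINARY/VARBINARY, not text
    public int Iterations { get; init; }
}

public static class PasswordStore
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int DefaultIterations = 100_000;

    // Builds the record to persist when a user registers or changes a password.
    public static UserRecord Create(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, DefaultIterations,
            HashAlgorithmName.SHA256, HashSize);
        return new UserRecord { Salt = salt, Hash = hash, Iterations = DefaultIterations };
    }

    // Recomputes the hash with the stored salt and compares the bytes in memory.
    // FixedTimeEquals does not stop at the first differing byte, so the comparison
    // time does not reveal how much of the hash matched.
    public static bool Verify(string password, UserRecord record)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), record.Salt, record.Iterations,
            HashAlgorithmName.SHA256, record.Hash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, record.Hash);
    }
}

public static class Program
{
    // Mirrors the btn_login_Click flow: look the user up by name, then verify in memory.
    public static bool Login(IReadOnlyDictionary<string, UserRecord> users, string username, string password)
    {
        return users.TryGetValue(username, out UserRecord? record)
            && PasswordStore.Verify(password, record);
    }

    public static void Main()
    {
        // Constructed sample data standing in for rows of tblUser.
        var users = new Dictionary<string, UserRecord>(StringComparer.Ordinal)
        {
            ["alice"] = PasswordStore.Create("correct horse battery staple"),
        };

        Console.WriteLine(Login(users, "alice", "correct horse battery staple")); // True
        Console.WriteLine(Login(users, "alice", "wrong"));                        // False
        Console.WriteLine(Login(users, "bob", "anything"));                       // False (no such user)

        // Why comparing hashes as text is fragile: one SHA-1 digest, two encodings.
        byte[] digest = SHA1.HashData(Encoding.UTF8.GetBytes("password"));
        Console.WriteLine(Convert.ToBase64String(digest));                 // what hashPassword on this page returns
        Console.WriteLine(Convert.ToHexString(digest).ToLowerInvariant()); // what a typical online generator prints
    }
}
```

If the schema cannot be changed and the column stays textual, the same `Verify` still works: decode the stored string (Base64 or hex, whichever the column actually holds) into bytes first, then compare the bytes in memory, which is also where a debugger lets you see exactly which side differs.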
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)