
check username and password in database

 
 
Kevin O'Brien
Guest
Posts: n/a
 
      26th Sep 2006
Hello,

I am creating a sign on screen for my application in which I want to store
the username and password in a database table. I was thinking of putting a
combo box connected to the database to pull up the usernames and then having
a textbox for the user to enter their password.

Can someone tell me please how to compare the contents of the textbox to the
password in the database?

Thank you,
Kevin


 
Spam Catcher
Guest
Posts: n/a
 
      26th Sep 2006
"Kevin O'Brien" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> I am creating a sign on screen for my application in which I want to
> store the username and password in a database table. I was thinking
> of putting a combo box connected to the database to pull up the
> usernames and then having a textbox for the user to enter their
> password.


Rather prompt for the username/password - then run the query:

SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password = @Password

Use SQLParameters to avoid injection attacks.

 
 
Kevin O'Brien
Guest
Posts: n/a
 
      26th Sep 2006
Hi,

So you are saying I should create 2 unbound textboxes to prompt for
username and password and name the textboxes UserName and Password? Then I
can run this SQL select statement right from my VB code?

Sorry for the simple questions but this is my first crack at querying a
database from VB.

Thanks,
Kevin




 
Spam Catcher
Guest
Posts: n/a
 
      26th Sep 2006
"Kevin O'Brien" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> So you are saying I should create 2 unbound textboxes to prompt for
> username and password and name the textboxes UserName and Password?
> Then I can run this SQL select statement right from my VB code?


Exactly ; )


To query the DB, you can do:

Dim Command As New SqlClient.SqlCommand
' MyConnectionObject stands for your own open SqlClient.SqlConnection
Command.Connection = MyConnectionObject
Command.CommandText = "SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password = @Password"

' Bind the input as parameters instead of concatenating it into the SQL text
Command.Parameters.Add(New SqlClient.SqlParameter("@UserName", txtUserName.Text))
Command.Parameters.Add(New SqlClient.SqlParameter("@Password", txtPassword.Text))

'If count > 0 means username + password matched
If CInt(Command.ExecuteScalar()) > 0 Then
    MsgBox("Successful Login")
Else
    MsgBox("Try Again")
End If
 
 
Kevin O'Brien
Guest
Posts: n/a
 
      26th Sep 2006
I'll give it a shot!

Thank you,
Kevin


 
C-Services Holland b.v.
Guest
Posts: n/a
 
      27th Sep 2006

Just a thought: Giving all registered names is not a good idea from a
security standpoint. Just give 2 boxes (username and password) and when
they don't match tell them there's a login error, don't tell them which
of the 2 doesn't match. Also, don't store the password. Store the hash
of the password.


--
Rinze van Huizen
C-Services Holland b.v
 
 
Miro
Guest
Posts: n/a
 
      27th Sep 2006
Izzy posted this a couple days ago.
I haven't used it yet, but I will in about a week. - He says it works great

You can store the Password in the access database,
the following code will encrypt it 128 bits

Miro
===== here is his post

Here it is, I have no idea how it works, but it works great. I use it
to encrypt passwords stored in an access file.

To call it:

'This will encrypt a value
Variable = EncryptString128Bit(txt_Password.Text, EncryptionKey)

'This will decrypt a value
Variable = DecryptString128Bit([Password stored in DB goes here], EncryptionKey)

Have fun,
Izzy

****************************************************************************

Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module mod_Globals

    ' The key string is hard-coded in the program
    Public EncryptionKey As String = "justsomewordstobeusedasacryptionkey"

    Public Function EncryptString128Bit(ByVal vstrTextToBeEncrypted As String, ByVal vstrEncryptionKey As String) As String

        Dim bytValue() As Byte
        Dim bytKey() As Byte
        Dim bytEncoded() As Byte
        ' Fixed IV: the same text and key always produce the same ciphertext
        Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
        Dim intLength As Integer
        Dim intRemaining As Integer
        Dim objMemoryStream As New MemoryStream
        Dim objCryptoStream As CryptoStream
        Dim objRijndaelManaged As RijndaelManaged

        vstrTextToBeEncrypted = StripNullCharacters(vstrTextToBeEncrypted)

        bytValue = Encoding.ASCII.GetBytes(vstrTextToBeEncrypted.ToCharArray)

        ' Truncate the key string, or pad it with "X", to exactly 32 characters
        intLength = Len(vstrEncryptionKey)

        If intLength >= 32 Then
            vstrEncryptionKey = Strings.Left(vstrEncryptionKey, 32)
        Else
            intRemaining = 32 - intLength
            vstrEncryptionKey = vstrEncryptionKey & Strings.StrDup(intRemaining, "X")
        End If

        bytKey = Encoding.ASCII.GetBytes(vstrEncryptionKey.ToCharArray)

        objRijndaelManaged = New RijndaelManaged

        Try
            objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateEncryptor(bytKey, bytIV), CryptoStreamMode.Write)
            objCryptoStream.Write(bytValue, 0, bytValue.Length)
            objCryptoStream.FlushFinalBlock()
            bytEncoded = objMemoryStream.ToArray
            objMemoryStream.Close()
            objCryptoStream.Close()
        Catch
            ' Any error is ignored here
        End Try

        Return Convert.ToBase64String(bytEncoded)

    End Function

    Public Function DecryptString128Bit(ByVal vstrStringToBeDecrypted As String, ByVal vstrDecryptionKey As String) As String

        Dim bytDataToBeDecrypted() As Byte
        Dim bytTemp() As Byte
        Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
        Dim objRijndaelManaged As New RijndaelManaged
        Dim objMemoryStream As MemoryStream
        Dim objCryptoStream As CryptoStream
        Dim bytDecryptionKey() As Byte
        Dim intLength As Integer
        Dim intRemaining As Integer

        bytDataToBeDecrypted = Convert.FromBase64String(vstrStringToBeDecrypted)

        ' Same key handling as in EncryptString128Bit
        intLength = Len(vstrDecryptionKey)

        If intLength >= 32 Then
            vstrDecryptionKey = Strings.Left(vstrDecryptionKey, 32)
        Else
            intRemaining = 32 - intLength
            vstrDecryptionKey = vstrDecryptionKey & Strings.StrDup(intRemaining, "X")
        End If

        bytDecryptionKey = Encoding.ASCII.GetBytes(vstrDecryptionKey.ToCharArray)

        ' Output buffer; the unused tail stays zero and is stripped below
        ReDim bytTemp(bytDataToBeDecrypted.Length)

        objMemoryStream = New MemoryStream(bytDataToBeDecrypted)

        Try
            objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateDecryptor(bytDecryptionKey, bytIV), CryptoStreamMode.Read)
            objCryptoStream.Read(bytTemp, 0, bytTemp.Length)
            ' No FlushFinalBlock here: it is not supported on a read-mode CryptoStream
            objMemoryStream.Close()
            objCryptoStream.Close()
        Catch
            ' Any error is ignored here
        End Try

        Return StripNullCharacters(Encoding.ASCII.GetString(bytTemp))

    End Function

    Public Function StripNullCharacters(ByVal vstrStringWithNulls As String) As String

        If String.IsNullOrEmpty(vstrStringWithNulls) Then
            Return vstrStringWithNulls
        End If

        ' Remove every null character from the string
        Return vstrStringWithNulls.Replace(vbNullChar, String.Empty)

    End Function

End Module

****************************************************************************************
==================

 
Kevin O'Brien
Guest
Posts: n/a
 
      27th Sep 2006
Hey,

I created a new form with two textboxes - txtUserName and txtPassword - and
a command button.
I have a database called signon.mdf with a table called users.

When I pasted this code in the button click event I have two errors:
Command.Connection = MyConnectionObject - MyConnectionObject is not
declared.
And on the @ symbol on the select statement.

Can you please tell me what I am doing wrong?

thank you!!
Kevin



 
Jim Wooley
Guest
Posts: n/a
 
      28th Sep 2006
Typically with passwords, you don't need to be able to decrypt it, thus a
one way hash can be sufficient. Just compare the hashes rather than the plain
text values. Give your users a mechanism to have their password reset and
email them the new password to the email they registered when they created
the account if they forget it.

Here's some quick code (based on the security snippet) to hash a password:

Imports System.Security.Cryptography
Imports System.Text

Public Function HashPassword(ByVal password As String) As String
    Dim sha1CryptoService As SHA1CryptoServiceProvider = New SHA1CryptoServiceProvider()
    Dim byteValue() As Byte = Encoding.UTF8.GetBytes(password)
    Dim hashValue() As Byte = sha1CryptoService.ComputeHash(byteValue)
    ' Hash bytes are arbitrary binary, so return them as Base64 text
    Return Convert.ToBase64String(hashValue)
End Function

Note, you can easily substitute the MD5 for SHA1 if you want.
Jim Wooley
http://devauthority.com/blogs/jwooley
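
An added example, not written by anyone in this thread: the advice above (parameterised lookup, storing a hash instead of the password, one generic failure result) combined in VB.NET. It goes beyond the posts by using a per-user random salt with PBKDF2-HMAC-SHA256 rather than a bare SHA1 hash; the Users columns PasswordSalt and PasswordHash (assumed varbinary), the iteration count and all function names are assumptions.

```vbnet
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Module LoginExample
    Private Const Iterations As Integer = 100000   ' assumed work factor
    Private Const HashSize As Integer = 32         ' bytes of derived hash

    ' Derive a PBKDF2-HMAC-SHA256 hash of the password with the given salt.
    Function DeriveHash(ByVal password As String, ByVal salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function

    ' Call when an account is created or a password is reset; store both values.
    Sub NewCredential(ByVal password As String, ByRef salt As Byte(), ByRef hash As Byte())
        salt = New Byte(15) {}                     ' 16 random bytes per user
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        hash = DeriveHash(password, salt)
    End Sub

    ' Compare every byte instead of stopping at the first difference.
    Function SameBytes(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Returns False for an unknown user and for a wrong password alike,
    ' so the form can show one "login failed" message for both cases.
    Function CheckLogin(ByVal conn As SqlConnection, ByVal userName As String, ByVal password As String) As Boolean
        Using cmd As New SqlCommand("SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @UserName", conn)
            cmd.Parameters.AddWithValue("@UserName", userName)
            Using reader As SqlDataReader = cmd.ExecuteReader()
                If Not reader.Read() Then Return False
                Dim salt As Byte() = DirectCast(reader("PasswordSalt"), Byte())
                Dim stored As Byte() = DirectCast(reader("PasswordHash"), Byte())
                Return SameBytes(DeriveHash(password, salt), stored)
            End Using
        End Using
    End Function
End Module
```

CheckLogin expects an already opened SqlConnection; the password itself is never written to the table, only the salt and the derived hash.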


 
 
Kevin O'Brien
Guest
Posts: n/a
 
      2nd Oct 2006
Hey,

I have the errors worked out except for:
Command.Connection = MyConnectionObject

I get the error:

'MyConnectionObject' is not declared.



I tried putting in the name of the data set in place of Myconnectionobject
but that didn't work either. Any help would be greatly appreciated!

Thanks,

Kevin




