check username and password in database

Kevin O'Brien

Hello,

I am creating a sign on screen for my application in which I want to store
the username and password in a database table. I was thinking of putting a
combo box connected to the database to pull up the usernames and then having
a textbox for the user to enter their password.

Can someone tell me please how to compare the contents of the textbox to the
password in the database?

Thank you,
Kevin
 
Guest

I am creating a sign on screen for my application in which I want to
store the username and password in a database table. I was thinking
of putting a combo box connected to the database to pull up the
usernames and then having a textbox for the user to enter their
password.

Rather prompt for the username/password - then run the query:

SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password =
@Password

Use SQLParameters to avoid injection attacks.
 
Kevin O'Brien

Hi,

So you are saying I should create 2 unbound textboxes to prompt for
username and password and name the textboxes UserName and Password? Then I
can run this SQL select statement right from my VB code?

Sorry for the simple questions but this is my first crack at querying a
database from VB.

Thanks,
Kevin
 
Guest

So you are saying I should create 2 unbound textboxes to prompt for
username and password and name the textboxes UserName and Password?
Then I can run this SQL select statement right from my VB code?

Exactly ; )


To query the DB, you can do:

Dim Command As New SqlClient.SqlCommand
'MyConnectionObject must be a SqlClient.SqlConnection that is already open
Command.Connection = MyConnectionObject
'The query text has to sit on one line; VB string literals cannot wrap
Command.CommandText = "SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password = @Password"

'One parameter per placeholder, with matching names
Command.Parameters.Add(New SqlClient.SqlParameter("@UserName", txtUserName.Text))
Command.Parameters.Add(New SqlClient.SqlParameter("@Password", txtPassword.Text))

'If count > 0 means username + password matched
If CInt(Command.ExecuteScalar()) > 0 Then
    MsgBox("Successful Login")
Else
    MsgBox("Try Again")
End If
 
Kevin O'Brien

I'll give it a shot!

Thank you,
Kevin


 
C-Services Holland b.v.

Kevin said:
I'll give it a shot!

Thank you,
Kevin

Just a thought: Giving all registered names is not a good idea from a
security standpoint. Just give 2 boxes (username and password) and when
they don't match tell them there's a login error, don't tell them which
of the 2 doesn't match. Also, don't store the password. Store the hash
of the password.
 
Miro

Izzy posted this a couple days ago.
I haven't used it yet, but I will in about a week. - He says it works great

You can store the Password in the access database,
the following code will encrypt it 128 bits

Miro
===== here is his post

Here it is, I have no idea how it works, but it works great. I use it
to encrypt passwords stored in an access file.

To call it:

'This will encrypt a value
Variable = EncryptString128Bit(txt_Password.Text, EncryptionKey)

'This will decrypt a value
Variable = DecryptString128Bit([Password stored in DB goes here], EncryptionKey)

Have fun,
Izzy

****************************************************************************

Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

Module mod_Globals

    'Hard-coded key: anyone who can read the program can decrypt the stored values
    Public EncryptionKey As String = "justsomewordstobeusedasacryptionkey"

    Public Function EncryptString128Bit(ByVal vstrTextToBeEncrypted As String, ByVal vstrEncryptionKey As String) As String

        Dim bytValue() As Byte
        Dim bytKey() As Byte
        Dim bytEncoded() As Byte
        'Fixed 16-byte IV: with the same key, the same text always encrypts to the same value
        Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
        Dim intLength As Integer
        Dim intRemaining As Integer
        Dim objMemoryStream As New MemoryStream
        Dim objCryptoStream As CryptoStream
        Dim objRijndaelManaged As RijndaelManaged

        vstrTextToBeEncrypted = StripNullCharacters(vstrTextToBeEncrypted)

        bytValue = Encoding.ASCII.GetBytes(vstrTextToBeEncrypted.ToCharArray)

        intLength = Len(vstrEncryptionKey)

        'Truncate the key, or pad it with "X", to exactly 32 characters (a 256-bit key)
        If intLength >= 32 Then
            vstrEncryptionKey = Strings.Left(vstrEncryptionKey, 32)
        Else
            intLength = Len(vstrEncryptionKey)
            intRemaining = 32 - intLength
            vstrEncryptionKey = vstrEncryptionKey & Strings.StrDup(intRemaining, "X")
        End If

        bytKey = Encoding.ASCII.GetBytes(vstrEncryptionKey.ToCharArray)

        objRijndaelManaged = New RijndaelManaged

        Try
            objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateEncryptor(bytKey, bytIV), CryptoStreamMode.Write)
            objCryptoStream.Write(bytValue, 0, bytValue.Length)
            objCryptoStream.FlushFinalBlock()
            bytEncoded = objMemoryStream.ToArray
            objMemoryStream.Close()
            objCryptoStream.Close()
        Catch
            'Any encryption error is swallowed here
        End Try

        Return Convert.ToBase64String(bytEncoded)

    End Function

    Public Function DecryptString128Bit(ByVal vstrStringToBeDecrypted As String, ByVal vstrDecryptionKey As String) As String

        Dim bytDataToBeDecrypted() As Byte
        Dim bytTemp() As Byte
        'Must be the same IV that was used to encrypt
        Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
        Dim objRijndaelManaged As New RijndaelManaged
        Dim objMemoryStream As MemoryStream
        Dim objCryptoStream As CryptoStream
        Dim bytDecryptionKey() As Byte
        Dim intLength As Integer
        Dim intRemaining As Integer

        bytDataToBeDecrypted = Convert.FromBase64String(vstrStringToBeDecrypted)

        intLength = Len(vstrDecryptionKey)

        'Same truncate-or-pad rule as in EncryptString128Bit
        If intLength >= 32 Then
            vstrDecryptionKey = Strings.Left(vstrDecryptionKey, 32)
        Else
            intLength = Len(vstrDecryptionKey)
            intRemaining = 32 - intLength
            vstrDecryptionKey = vstrDecryptionKey & Strings.StrDup(intRemaining, "X")
        End If

        bytDecryptionKey = Encoding.ASCII.GetBytes(vstrDecryptionKey.ToCharArray)

        'The plain text is never longer than the cipher text; unused bytes stay 0
        ReDim bytTemp(bytDataToBeDecrypted.Length)

        objMemoryStream = New MemoryStream(bytDataToBeDecrypted)

        Try
            objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateDecryptor(bytDecryptionKey, bytIV), CryptoStreamMode.Read)
            objCryptoStream.Read(bytTemp, 0, bytTemp.Length)
            objMemoryStream.Close()
            objCryptoStream.Close()
        Catch
            'Any decryption error (for example a wrong key) is swallowed here
        End Try

        'Drop the trailing 0 bytes left in the buffer
        Return StripNullCharacters(Encoding.ASCII.GetString(bytTemp))

    End Function


    Public Function StripNullCharacters(ByVal vstrStringWithNulls As String) As String

        Dim intPosition As Integer
        Dim strStringWithOutNulls As String

        intPosition = 1
        strStringWithOutNulls = vstrStringWithNulls

        Do While intPosition > 0
            'Search the working copy, so each pass finds the next remaining null
            intPosition = InStr(intPosition, strStringWithOutNulls, vbNullChar)

            If intPosition > 0 Then
                strStringWithOutNulls = Strings.Left(strStringWithOutNulls, intPosition - 1) & _
                    Strings.Right(strStringWithOutNulls, Len(strStringWithOutNulls) - intPosition)
            End If

            If intPosition > Len(strStringWithOutNulls) Then
                Exit Do
            End If
        Loop

        Return strStringWithOutNulls

    End Function

End Module

****************************************************************************************
==================
 
Kevin O'Brien

Hey,

I created a new form with two textboxes - txtUserName and txtPassword - and
a command button.
I have a database called signon.mdf with a table called users.

When I pasted this code in the button click event I have two errors:
Command.Connection = MyConnectionObject - MyConnectionObject is not
declared.
And on the @ symbol on the select statement.

Can you please tell me what I am doing wrong?

thank you!!
Kevin
 
Jim Wooley

Typically with passwords, you don't need to be able to decrypt it, thus a
one way hash can be sufficient. Just compare the hashes rather than the plain
text values. Give your users a mechanism to have their password reset and
email them the new password to the email they registered when they created
the account if they forget it.

Here's some quick code (based on the security snippet) to hash a password
Imports System.Security.Cryptography
Imports System.Text

Public Function HashPassword(password As String) As String
    Dim sha1CryptoService As SHA1CryptoServiceProvider = New SHA1CryptoServiceProvider()
    Dim byteValue() As Byte = Encoding.UTF8.GetBytes(password)
    Dim hashValue() As Byte = sha1CryptoService.ComputeHash(byteValue)
    'Base64 keeps every hash byte; decoding raw hash bytes as UTF8 text loses data
    Return Convert.ToBase64String(hashValue)
End Function

Note, you can easily substitute the MD5 for SHA1 if you want.
Jim Wooley
http://devauthority.com/blogs/jwooley
 
Kevin O'Brien

Hey,

I have the errors worked out except for:
Command.Connection = MyConnectionObject

I get the error:

'MyConnectionObject' is not declared.



I tried putting in the name of the data set in place of Myconnectionobject
but that didn't work either. Any help would be greatly appreciated!

Thanks,

Kevin
 
Guest

I have the errors worked out except for:
Command.Connection = MyConnectionObject

I get the error:

'MyConnectionObject' is not declared.



I tried putting in the name of the data set in place of
Myconnectionobject but that didn't work either. Any help would be
greatly appreciated!

You need to declare a connection object...

i.e.:

Dim _Connection As New SqlClient.SqlConnection
'Set _Connection.ConnectionString and call _Connection.Open() before running the command

Then:

Command.Connection = _Connection

I see that you're not familiar with ADO.NET at all - take some time and
Google some ADO.NET tutorials and you'll find things will go a lot
smoother.
 
Kevin O'Brien

Point taken.

Thank you for your help.

Kevin


 
