Encrypt Password Field in SQL Server, Registry Information & Query String

13 Jan 2003
How to encrypt the database password field, registry information and query string.

Introduction

Normally, web developers do not take a keen interest in securing the query string, the connection string information which usually resides in the registry, and the user passwords which reside in the user registration database table. When I was creating a web-based application in ASP.NET, I decided to use these three encryptions to fully secure my application.

.NET provides us with new Cryptography classes to encrypt and decrypt data whenever needed.

I would like to discuss these three issues one by one.

Encrypt Password field in SQL Server

It is a common practice among developers not to encrypt the user-login passwords in the database table fields. If anyone has access to the database tables, he can easily use these passwords to enter the site at any time. To avoid this situation, I used .NET’s Cryptography classes.

The business logic I used is as follows. When a user is added through my web application, on the form submit event I first get the user’s information from the form fields, encrypt the employee’s password and then submit the entire information to the user registration table, so the password is stored encrypted in that table. When the user later enters the application and provides a user ID and password, I just encrypt the password the user provided and match it against the password stored in the employee table, so I don’t need to decrypt the stored password again and again.

Encrypt Registry Information in SQL Server

Typically, most developers, including me, think that the Windows registry is the best place to store key information like connection strings. But this information in the registry is not encrypted, and if anyone has access to the server he can easily get all the secure information, including the database passwords. To avoid this situation as well, I use .NET’s Cryptography classes to protect the key information residing in the registry.

Encrypt Query String

Developers often pass information from one page to another in the query string without encrypting it. Let’s take a scenario where it is necessary to encrypt the information contained in the query: I pass the area name (e.g. TownId) from one page to another, and on the basis of that TownId I get some information from the database. If the user changes the TownId in the address bar of the browser and refreshes the web page, the changed TownId is passed and the information related to the changed TownId is displayed. By doing this, the user is able to get every town's information, whether or not he has access to the other towns' information.

With .NET’s Cryptography classes, we can encrypt this information before sending it and, after receiving it, do the reverse process, i.e. decrypt it and use it.

I have made a class named Utilities and imported the following namespaces:
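Hiding TownId does not by itself decide whether the user may see that town; the receiving page still has to check the value against what the user is allowed to view. The added example below (not the article's code; TownLink, the demo key and the access table are constructed for illustration) signs the parameter with HMAC-SHA256 bound to the user and checks authorisation on receipt, so an edited or borrowed link is rejected:

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

' Added example, not the article's code. TownLink, BuildQuery, IsAllowed and the
' sample data are illustrative; load the real key from a protected store.
Public Module TownLink
    Private ReadOnly MacKey As Byte() = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse")
    ' Constructed sample data: the TownIds each user may view.
    Private ReadOnly TownsByUser As New Dictionary(Of String, Integer()) From {
        {"alice", New Integer() {3, 7}}, {"bob", New Integer() {5}}}

    ' HMAC-SHA256 over "user|TownId" binds the value to the user it was issued to.
    Private Function Tag(ByVal user As String, ByVal townId As Integer) As Byte()
        Using mac As New HMACSHA256(MacKey)
            Return mac.ComputeHash(Encoding.UTF8.GetBytes(user & "|" & townId.ToString()))
        End Using
    End Function

    Public Function BuildQuery(ByVal user As String, ByVal townId As Integer) As String
        Return "TownId=" & townId.ToString() & "&sig=" & Uri.EscapeDataString(Convert.ToBase64String(Tag(user, townId)))
    End Function

    ' True only if the tag matches and the user is authorised for that town.
    Public Function IsAllowed(user As String, townId As Integer, sigBase64 As String) As Boolean
        Dim given As Byte() = Nothing
        Try
            given = Convert.FromBase64String(sigBase64)
        Catch ex As FormatException
            Return False
        End Try
        Dim expected As Byte() = Tag(user, townId)
        Dim diff As Integer = given.Length Xor expected.Length
        For i As Integer = 0 To Math.Min(given.Length, expected.Length) - 1
            diff = diff Or (given(i) Xor expected(i))
        Next
        Dim towns As Integer() = Nothing
        Return diff = 0 AndAlso TownsByUser.TryGetValue(user, towns) AndAlso Array.IndexOf(towns, townId) >= 0
    End Function

    Public Sub Main()
        Dim sig As String = Convert.ToBase64String(Tag("alice", 7))
        Console.WriteLine(BuildQuery("alice", 7))
        Console.WriteLine(IsAllowed("alice", 7, sig))  ' value as issued
        Console.WriteLine(IsAllowed("alice", 5, sig))  ' TownId edited in the address bar
        Console.WriteLine(IsAllowed("bob", 7, sig))    ' link reused by another user
    End Sub
End Module
```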

Imports System
Imports System.IO
Imports System.Xml
Imports System.Text
Imports System.Security.Cryptography

The class has two public shared functions named EncryptText and DecryptText, each taking one argument of type String.

From an ASP.NET page, just pass the text that you want to encrypt or decrypt to the appropriate function and it will return the encrypted or decrypted text.

The EncryptText function internally uses the Encrypt function, which takes two parameters: one is the user’s text and the other is the encryption key, which must be an eight-character code. The same is the case for the DecryptText function, which uses the Decrypt function.

The source code for the function is given below:

' Encrypt the text
Public Shared Function EncryptText(ByVal strText As String) As String
    Return Encrypt(strText, "&%#@?,:*")
End Function

' Decrypt the text
Public Shared Function DecryptText(ByVal strText As String) As String
    Return Decrypt(strText, "&%#@?,:*")
End Function

' The function used to encrypt the text.
' DES takes an 8-byte key, so only the first eight characters of strEncrKey are used.
' The key and IV are fixed, so the same input always produces the same output.
Private Shared Function Encrypt(ByVal strText As String, ByVal strEncrKey _
         As String) As String
    Dim byKey() As Byte = {}
    Dim IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}

    Try
        byKey = System.Text.Encoding.UTF8.GetBytes(Left(strEncrKey, 8))

        Dim des As New DESCryptoServiceProvider()
        Dim inputByteArray() As Byte = Encoding.UTF8.GetBytes(strText)
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, des.CreateEncryptor(byKey, IV), _
                     CryptoStreamMode.Write)
        cs.Write(inputByteArray, 0, inputByteArray.Length)
        cs.FlushFinalBlock()
        ' Base64 makes the ciphertext safe to store as text
        Return Convert.ToBase64String(ms.ToArray())

    Catch ex As Exception
        ' On failure the exception message is returned in place of the result,
        ' so the caller cannot tell an error from ciphertext
        Return ex.Message
    End Try

End Function

' The function used to decrypt the text.
' Uses the same fixed key and IV as Encrypt.
Private Shared Function Decrypt(ByVal strText As String, ByVal sDecrKey _
           As String) As String
    Dim byKey() As Byte = {}
    Dim IV() As Byte = {&H12, &H34, &H56, &H78, &H90, &HAB, &HCD, &HEF}
    Dim inputByteArray(strText.Length) As Byte

    Try
        byKey = System.Text.Encoding.UTF8.GetBytes(Left(sDecrKey, 8))
        Dim des As New DESCryptoServiceProvider()
        inputByteArray = Convert.FromBase64String(strText)
        Dim ms As New MemoryStream()
        Dim cs As New CryptoStream(ms, des.CreateDecryptor(byKey, _
                     IV), CryptoStreamMode.Write)

        cs.Write(inputByteArray, 0, inputByteArray.Length)
        cs.FlushFinalBlock()
        Dim encoding As System.Text.Encoding = System.Text.Encoding.UTF8

        Return encoding.GetString(ms.ToArray())

    Catch ex As Exception
        ' On failure (bad Base64, wrong key, damaged data) the exception message
        ' is returned in place of the plaintext
        Return ex.Message
    End Try

End Function

Conclusion

I have shown here the three main areas where you should use an encryption mechanism to secure your web application. If you have any query or difficulty implementing it, please feel free to email me at: adnanahmed235@yahoo.com.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

Syed Adnan Ahmed
Architect, Version 1
Ireland
Adnan Ahmed is a SharePoint Architect at Version 1 (http://www.version1.com), an IT consulting company in Ireland, and has been involved with many large enterprises to help them realise real benefits of SharePoint 2007|2010.

SharePoint Architect | Blogger | IT Evangelist | MCPD SharePoint 2010 Developer| MCITP SharePoint Administrator 2010

Email: adnan.ahmed@live.ie
Owner: http://www.mossgurus.com
http://www.sp-blogs.com
Linked In Profile: http://www.linkedin.com/in/syedadnanahmed

My Blogs:
http://www.sp-blogs.com/blogs/adnan

Last Updated 14 Jan 2003
Article Copyright 2003 by Syed Adnan Ahmed