Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

' ... inside the form's Partial Class (the class header is not shown in the post)

    Private Sub b2_Click(sender As Object, e As EventArgs) Handles b2.Click
        Try
            If t1.Text = Nothing Then
                MsgBox("You must enter the username ", Microsoft.VisualBasic.MsgBoxStyle.Exclamation, "Error")
                Return
            End If
            If t2.Text = Nothing Then
                MsgBox("You must enter the Password ", Microsoft.VisualBasic.MsgBoxStyle.Exclamation, "Error")
                Return
            End If
            Dim rndsalt1 As String = Nothing
            Dim hashcheck As String = Nothing
            Dim pwd As String = t2.Text
            DBConnection.Open()
            Dim abc As String = "select Rand_Salt,Hash_Code from pwdTable where UserName Like  ' %" & t1.Text & "';"
            Dim cmd As SqlCommand = New SqlCommand(abc, DBConnection)
            Dim dr As SqlDataReader = cmd.ExecuteReader()
            If dr.Read() Then
                rndsalt1 = dr(1).ToString()
                hashcheck = dr(2).ToString()
            End If
            dr.Close()
            DBConnection.Close()

            ' Recompute SHA-256(password + salt) and compare it with the stored Base64 hash
            Dim passstr As String = pwd + rndsalt1
            Dim bytes = Encoding.UTF8.GetBytes(passstr)
            Dim bpass As Byte()
            Dim hash As HashAlgorithm = New SHA256Managed()
            bpass = hash.ComputeHash(bytes)
            Dim storehash As String = Convert.ToBase64String(bpass)

            If storehash = hashcheck Then
                MessageBox.Show("Login successful !!!!")
            Else
                MessageBox.Show("Login failed")   ' wrong password or unknown user
            End If
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub
End Class


What I have tried:

Firstly, I tried the DataAdapter class to retrieve the values, and also tried using SqlCommand to retrieve the values, but none of these succeeded. Also, while running the code there is no error.
Posted
Updated 6-Mar-16 21:41pm
Comments
Richard MacCutchan 7-Mar-16 3:35am
Please edit your question and explain exactly what is happening. Also, why are you using the LIKE clause in your SELECT statement?

1 solution

Several things you need to look at.
The first is seriously important: do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack, which can destroy your entire database. Use parameterized queries instead. This is even more important when it's a login form, as it means I don't even have to have a username to delete your database...
Second, comparing a TextBox.Text property with Nothing will always return false: it returns a string, which may be empty, but never Nothing. Use String.IsNullOrWhiteSpace instead.
Third, your SQL LIKE clause will only match wildcards at the start - it needs an absolute match at the end. For "contains" you need a percent character at each end. But...is a wildcard applicable at all to a login username? I doubt it myself...
Fourth, don't store the salt value with the hash and the username! Instead, use the username as the salt value, probably with a fixed "separator" character that can't be used in either the username or the password.
Fifth, don't use numeric indexes for your DataReader access - since they start at zero, not one, you won't get back what you want. Using the column name instead of the number avoids that, even if you later change the SQL statement.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
