Comparison of Password with a encrypted password stored in a Database

Question

0.00/5 (No votes)

See more:

Dear All,

I am developing a website for which I am registering Users. While registering Users I am encrypting the password supplied by them while registration.

But, I am facing the problem while I am trying to login. I again encrypt the password and compare, but it does not login.

Below is the code.

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;

public partial class UserLogin : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    private static DataTable LookupUser(string Username)
    {
        Utlities cstring = new Utlities();
        string cs = cstring.ConnString();

        const string query = "select password from krs_project.dbo.krs_userinfo (NOLOCK) where krs_user_name=@Username";
        DataTable result = new DataTable();
        using (SqlConnection conn = new SqlConnection(cs))
        {
            conn.Open();
            using (SqlCommand cmd = new SqlCommand(query, conn))
            {
                cmd.Parameters.Add("@Username", SqlDbType.NChar).Value = Username;
                using (SqlDataReader dr = cmd.ExecuteReader())
                {
                    result.Load(dr);
                }
            }
        }
        return result;
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        if ((RequiredFieldValidator1.IsValid) && (RequiredFieldValidator2.IsValid))
        {
            using (DataTable dt = LookupUser(TextBox1.Text))
            {
                if (CustomValidator1.IsValid)
                {
                    if (CustomValidator2.IsValid)
                    {
                        Session["Name"] = TextBox1.Text;
                        Session["LoginStatus"] = 1;
                        Response.Redirect("~/QuizTopics.aspx");
                    }
                }
            }
        }
    }

    protected void CustomValidator1_ServerValidate(object source, ServerValidateEventArgs args)
    {
         using (DataTable dt = LookupUser(TextBox1.Text))
         if (dt.Rows.Count == 0)
             args.IsValid=false;
        else
             args.IsValid=true;
    }

    protected void CustomValidator2_ServerValidate(object source, ServerValidateEventArgs args)
    {
         /* Encryption Logic */     
        string encoded_password = "";
        string pwd = "";

        encoded_password = TextBox2.Text;

        byte[] b = new byte[encoded_password.Length];
        b = System.Text.Encoding.UTF8.GetBytes(encoded_password);
        pwd = Convert.ToBase64String(b);

        //using (DataTable dt = LookupUser(TextBox2.Text))
        using (DataTable dt = LookupUser(pwd))
         if (dt.Rows.Count == 0)
             args.IsValid=false;
        else
             args.IsValid=true;
    }
}

Kindly Assist

Mukund

Posted 2-Dec-10 3:17am

Mukund Kallapur

Updated 2-Dec-10 3:28am

Henry Minute

v2

Add a Solution

Comments

fjdiewornncalwe 2-Dec-10 9:34am

There is no encryption taking place according to the code you have provided us. Are we missing anything relevant?

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

#realJSOP · Answer 1 · 2010-12-02T03:35:00

Solution 1

So, you have the user's encrypted password in memory? That's not very secure.

I would encrypt the password and send it (with the user ID) to a stored proc in the database. In the stored proc, search for the userID, and if found, compare the passwords, and then return any user info that might be appropriate (if they're a valid user). Haved the .Net app handle either user data or no data being returned.

Posted 2-Dec-10 3:35am

#realJSOP

Updated 2-Dec-10 3:38am

v2

Comments

Mukund Kallapur 2-Dec-10 9:51am

Dear John,

Thanks for the answer. But here I am encrypting the password in the Registration page, which I have not shown here.

Now I want to encrypt the password, in the Login Page and send it to the Database and compare it with the one already stored there.

Please can u let me know how to accomplish that ??

Many Thanks in Advance.

Geoff Williams · Answer 2 · 2010-12-02T05:01:00

Solution 2

You declare the LookupUser method as

private static DataTable LookupUser(string Username)

but you are using it as

DataTable dt = LookupUser(pwd)

In other words, the method is expecting a user name as a parameter but you are passing the encrypted password.

Posted 2-Dec-10 5:01am

Geoff Williams