check username and password in database

Hello,

I am creating a sign on screen for my application in which I want to store the username and password in a database table. I was thinking of putting a combo box connected to the database to pull up the usernames and then having a textbox for the user to enter their password. Can someone tell me please how to compare the contents of the textbox to the password in the database?

Thank you,
Kevin

"Kevin O'Brien" <kobr***@nshs.edu> wrote in news:u52dgyZ4GHA.3400@TK2MSFTNGP04.phx.gbl:

> I am creating a sign on screen for my application in which I want to
> store the username and password in a database table. I was thinking
> of putting a combo box connected to the database to pull up the
> usernames and then having a textbox for the user to enter their
> password.

Rather prompt for the username/password - then run the query:

    SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password = @Password

Use SQLParameters to avoid injection attacks.

Hi,
So you are saying I should create 2 unbound textboxes to prompt for username and password and name the textboxes UserName and Password? Then I can run this SQL select statement right from my VB code? Sorry for the simple questions but this is my first crack at querying a database from VB.

Thanks,
Kevin

"Kevin O'Brien" <kobr***@nshs.edu> wrote in news:Oli5KJa4GHA.3604@TK2MSFTNGP03.phx.gbl:

> So you are saying I should create 2 unbound textboxes to prompt for
> username and password and name the textboxes UserName and Password?
> Then I can run this SQL select statement right from my VB code?

Exactly ; )

To query the DB, you can do:

    ' MyConnectionObject: an open SqlClient.SqlConnection declared elsewhere
    Dim Command As New SqlClient.SqlCommand
    Command.Connection = MyConnectionObject
    Command.CommandText = "SELECT COUNT(1) FROM USERS WHERE UserName = @UserName AND Password = @Password"

    ' One parameter per placeholder in the query text
    Command.Parameters.Add(New SqlClient.SqlParameter("@UserName", txtUserName.Text))
    Command.Parameters.Add(New SqlClient.SqlParameter("@Password", txtPassword.Text))

    'If count > 0 means username + password matched
    If CInt(Command.ExecuteScalar()) > 0 Then
        MsgBox("Successful Login")
    Else
        MsgBox("Try Again")
    End If

I'll give it a shot!

Thank you,
Kevin

Kevin O'Brien wrote:
> I'll give it a shot!
>
> Thank you,
> Kevin

Just a thought: Giving all registered names is not a good idea from a security standpoint. Just give 2 boxes (username and password) and when they don't match tell them there's a login error, don't tell them which of the 2 doesn't match. Also, don't store the password. Store the hash of the password.

--
Rinze van Huizen
C-Services Holland b.v

Izzy posted this a couple days ago.
I haven't used it yet, but I will in about a week. - He says it works great

You can store the Password in the access database, the following code will encrypt it 128 bits

Miro

===== here is his post

Here it is, I have no idea how it works, but it works great. I use it to encrypt passwords stored in an access file.

To call it:

    'This will encrypt a value
    Variable = EncryptString128Bit(txt_Password.Text, EncryptionKey)

    'This will decrypt a value
    Variable = DecryptString128Bit([Password stored in DB goes here], EncryptionKey)

Have fun,
Izzy

****************************************************************************

    Imports System.IO
    Imports System.Security.Cryptography
    Imports System.Text

    Module mod_Globals

        ' The key is a constant compiled into the program; it is cut or padded to 32 characters below
        Public EncryptionKey As String = "justsomewordstobeusedasacryptionkey"

        Public Function EncryptString128Bit(ByVal vstrTextToBeEncrypted As String, ByVal vstrEncryptionKey As String) As String
            Dim bytValue() As Byte
            Dim bytKey() As Byte
            Dim bytEncoded() As Byte
            ' Fixed IV: the same value is used for every string encrypted
            Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
            Dim intLength As Integer
            Dim intRemaining As Integer
            Dim objMemoryStream As New MemoryStream
            Dim objCryptoStream As CryptoStream
            Dim objRijndaelManaged As RijndaelManaged

            vstrTextToBeEncrypted = StripNullCharacters(vstrTextToBeEncrypted)
            bytValue = Encoding.ASCII.GetBytes(vstrTextToBeEncrypted.ToCharArray)

            ' Cut the key to 32 characters, or pad it with "X" up to 32
            intLength = Len(vstrEncryptionKey)
            If intLength >= 32 Then
                vstrEncryptionKey = Strings.Left(vstrEncryptionKey, 32)
            Else
                intLength = Len(vstrEncryptionKey)
                intRemaining = 32 - intLength
                vstrEncryptionKey = vstrEncryptionKey & Strings.StrDup(intRemaining, "X")
            End If
            bytKey = Encoding.ASCII.GetBytes(vstrEncryptionKey.ToCharArray)

            objRijndaelManaged = New RijndaelManaged
            Try
                objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateEncryptor(bytKey, bytIV), CryptoStreamMode.Write)
                objCryptoStream.Write(bytValue, 0, bytValue.Length)
                objCryptoStream.FlushFinalBlock()
                bytEncoded = objMemoryStream.ToArray
                objMemoryStream.Close()
                objCryptoStream.Close()
            Catch
                ' Errors are swallowed here
            End Try
            Return Convert.ToBase64String(bytEncoded)
        End Function

        Public Function DecryptString128Bit(ByVal vstrStringToBeDecrypted As String, ByVal vstrDecryptionKey As String) As String
            Dim bytDataToBeDecrypted() As Byte
            Dim bytTemp() As Byte
            ' Same fixed IV as in EncryptString128Bit
            Dim bytIV() As Byte = {121, 241, 10, 1, 132, 74, 11, 39, 255, 91, 45, 78, 14, 211, 22, 62}
            Dim objRijndaelManaged As New RijndaelManaged
            Dim objMemoryStream As MemoryStream
            Dim objCryptoStream As CryptoStream
            Dim bytDecryptionKey() As Byte
            Dim intLength As Integer
            Dim intRemaining As Integer
            Dim intCtr As Integer
            Dim strReturnString As String = String.Empty
            Dim achrCharacterArray() As Char
            Dim intIndex As Integer

            bytDataToBeDecrypted = Convert.FromBase64String(vstrStringToBeDecrypted)

            ' Cut or pad the key exactly as the encrypt function does
            intLength = Len(vstrDecryptionKey)
            If intLength >= 32 Then
                vstrDecryptionKey = Strings.Left(vstrDecryptionKey, 32)
            Else
                intLength = Len(vstrDecryptionKey)
                intRemaining = 32 - intLength
                vstrDecryptionKey = vstrDecryptionKey & Strings.StrDup(intRemaining, "X")
            End If
            bytDecryptionKey = Encoding.ASCII.GetBytes(vstrDecryptionKey.ToCharArray)

            ReDim bytTemp(bytDataToBeDecrypted.Length)
            objMemoryStream = New MemoryStream(bytDataToBeDecrypted)
            Try
                objCryptoStream = New CryptoStream(objMemoryStream, objRijndaelManaged.CreateDecryptor(bytDecryptionKey, bytIV), CryptoStreamMode.Read)
                objCryptoStream.Read(bytTemp, 0, bytTemp.Length)
                ' FlushFinalBlock is not called here: it throws NotSupportedException on a read-mode stream
                objMemoryStream.Close()
                objCryptoStream.Close()
            Catch
                ' Errors are swallowed here
            End Try
            Return StripNullCharacters(Encoding.ASCII.GetString(bytTemp))
        End Function

        ' As written, this returns the text before the first null character
        ' (or the whole string when it contains none)
        Public Function StripNullCharacters(ByVal vstrStringWithNulls As String) As String
            Dim intPosition As Integer
            Dim strStringWithOutNulls As String

            intPosition = 1
            strStringWithOutNulls = vstrStringWithNulls

            Do While intPosition > 0
                intPosition = InStr(intPosition, vstrStringWithNulls, vbNullChar)
                If intPosition > 0 Then
                    strStringWithOutNulls = Left$(strStringWithOutNulls, intPosition - 1) & _
                        Right$(strStringWithOutNulls, Len(strStringWithOutNulls) - intPosition)
                End If
                If intPosition > strStringWithOutNulls.Length Then
                    Exit Do
                End If
            Loop
            Return strStringWithOutNulls
        End Function

    End Module

****************************************************************************************

==================

Typically with passwords, you don't need to be able to decrypt it, thus a one way hash can be sufficient. Just compare the hashes rather than the plain text values. Give your users a mechanism to have their password reset and email them the new password to the email they registered when they created the account if they forget it.

Here's some quick code (based on the security snippet) to hash a password

    Imports System.Security.Cryptography
    Imports System.Text

    Public Function HashPassword(password As String) As String
        Dim sha1CryptoService As SHA1CryptoServiceProvider = New SHA1CryptoServiceProvider()
        Dim byteValue() As Byte = Encoding.UTF8.GetBytes(password)
        Dim hashValue() As Byte = sha1CryptoService.ComputeHash(byteValue)
        ' Base64 keeps every hash byte; decoding raw hash bytes as UTF-8 text would lose data
        Return Convert.ToBase64String(hashValue)
    End Function

Note, you can easily substitute the MD5 for SHA1 if you want.

Jim Wooley
http://devauthority.com/blogs/jwooley

Hey,
I created a new form with two textboxes - txtUserName and txtPassword - and a command button. I have a database called signon.mdf with a table called users. When I pasted this code in the button click event I have two errors:

Command.Connection = MyConnectionObject - MyConnectionObject is not declared.

And on the @ symbol on the select statement.

Can you please tell me what I am doing wrong?

Thank you!!
Kevin

Hey,
I have the errors worked out except for:

    Command.Connection = MyConnectionObject

I get the error:

'MyConnectionObject' is not declared.

I tried putting in the name of the data set in place of Myconnectionobject but that didn't work either. Any help would be greatly appreciated!

Thanks,
Kevin
"Kevin O'Brien" <kobr***@nshs.edu> wrote in news:ORXg1ci5GHA.4996@TK2MSFTNGP04.phx.gbl:

> I have the errors worked out except for:
> Command.Connection = MyConnectionObject
>
> I get the error:
>
> 'MyConnectionObject' is not declared.
>
> I tried putting in the name of the data set in place of
> Myconnectionobject but that didn't work either. Any help would be
> greatly appreciated!

You need to declare a connection object...

i.e.:

    ' Set its ConnectionString and call Open() before running the command
    Dim _Connection As New SqlClient.SqlConnection

Then:

    Command.Connection = _Connection

I see that you're not familiar with ADO.NET at all - take some time and Google some ADO.NET tutorials and you'll find things will go a lot smoother.

Point taken.

Thank you for your help.
Kevin