Login

Hi all,

I am designing a login "component" for my application. Do you know of any good examples of login implementation on the web that I can get ideas from? It must NOT be Windows authenticated login. I have my own DB table etc.

Thanks

  • krazysmile

    You should always store passwords as encrypted values. That means that even builders and administrators will not know the users' passwords. So how do you check credentials? Select the row from the Users table that has the entered username value. Then encrypt the entered password and compare that encrypted value with the one from the retrieved row. If they are equal then the login is successful. If there is no row in the Users table or the encrypted passwords are not equal, then you have an unsuccessful login.

  • Nobita

    If you are using SQL Server then you could create a stored procedure to perform the validation and pass the contents of your username and password fields as parameters to the stored procedure. This should strengthen it up a bit. Alternatively, you can parse the contents of both your fields to ensure that they do not contain any SQL code such as DELETE or UPDATE. Also, by ensuring that your user name and password fields are limited in size (such as 15-20 chars max), there won't be much that could be injected.

  • Kishan

    Hi

    If you have your own database table that stores your users' credentials then you could use SQL and ADO.NET to authenticate your users. The following assumes that you have a table called "Users" with at least the fields "UserID, UserName, UserPassword":

    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Windows.Forms;

    private void btnLogin_Click(object sender, EventArgs e)
    {
        if (txtUserName.TextLength > 0 && txtPassword.TextLength > 0)
        {
            SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=test;Integrated Security=SSPI");

            // The query text is built by concatenating the two form fields directly into the SQL.
            SqlDataAdapter adapter = new SqlDataAdapter("SELECT UserID FROM Users WHERE UserName='" + txtUserName.Text + "' AND UserPassword='" + txtPassword.Text + "'", connection);
            DataTable dt = new DataTable("Users");

            // Fill opens the connection, runs the query and closes the connection again.
            adapter.Fill(dt);

            if (dt.Rows.Count == 0)
            {
                MessageBox.Show("Invalid User Details", "Login");
                txtUserName.ResetText();
                txtPassword.ResetText();
            }
            else
            {
                // login validated.
                MessageBox.Show("Login successful", "Login");
            }
        }
    }

    Also, I used the SQLClient namespace (using System.Data.SqlClient directive) but if you are using Access or another data source then you can change to using the OleDb namespace or other relevant namespace.

    HTH

  • Michelle Baumgarten

    Thanks David

  • Youngmin

    Do you actually make the column in the db an encrypted value? Or do you encrypt it in code and then send the encrypted value to the db?

    Could you please give an example?

  • abeljda

    NewbieDude wrote:
    Thanks for your help. Is there any way to make it more secure and prevent hackers or SQL injection attacks?


    Use parameterized queries. Then you never have to worry about formats or SQL injection.
    It's also better for performance, because you don't need to concatenate a string, for example:

    string query = "SELECT * FROM Table1 WHERE ID = " + txtId.Text + " AND Name = \"" + txtName.Text + "\"";

    No escape characters needed, you don't have to think about using a " or not, etc.

    Parameters are like placeholders; you use them in Stored Procedures as well.

    A little example:

    using System;
    using System.Data;
    using System.Data.SqlClient;

    static void QueryByDate()
    {
        // TODO: Set date variable.
        DateTime date = DateTime.Now;

        // Set query and parameters.
        const string query = "SELECT * FROM Table1 WHERE MyDate = @MyDate";
        SqlParameter pMyDate = new SqlParameter("@MyDate", SqlDbType.DateTime);
        pMyDate.Value = date;

        // Create connection and open it.
        SqlConnection dbConn = new SqlConnection("ConnectingString");
        dbConn.Open();

        try
        {
            using (SqlCommand dbCommand = new SqlCommand(query, dbConn))
            {
                // Add parameter to Command.
                dbCommand.Parameters.Add(pMyDate);

                // Execute the query and get results.
                SqlDataReader reader = dbCommand.ExecuteReader();

                try
                {
                    // Walk through results.
                    while (reader.Read())
                    {
                        // TODO: Do something with the data.
                    }
                }
                finally
                {
                    // Close reader.
                    reader.Close();
                }
            }
        }
        finally
        {
            // Close connection.
            dbConn.Close();
        }
    }
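
Putting krazysmile's description and abeljda's parameterized query together, here is an added example (my code, not from any poster in this thread) that also answers Youngmin's question: the hash is computed in code, and the row stores only a salt and a hash. It assumes a Users table with UserName, PasswordSalt and PasswordHash columns (names I chose), PBKDF2-SHA256 as the scheme, and .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (not from the thread). Assumes a Users table with UserName (nvarchar),
// PasswordSalt (varbinary(16)) and PasswordHash (varbinary(32)); .NET Core 2.1 or later.
public static class LoginCheck
{
    const int Iterations = 100_000;   // PBKDF2 work factor; raise as hardware gets faster
    const int HashBytes = 32;

    // Called when the account is created: the hash is computed here, in code, and the
    // row stores only salt + hash. The plaintext password never reaches the database.
    public static (byte[] Salt, byte[] Hash) Enroll(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Derive(password, salt));
    }

    // Returns true only when the user exists and the entered password derives to the stored hash.
    public static bool Validate(string connectionString, string userName, string enteredPassword)
    {
        byte[] salt, storedHash;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash FROM Users WHERE UserName = @UserName", conn))
        {
            // A parameter, not string concatenation: user input can never alter the query text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;   // unknown user name
                salt = (byte[])reader["PasswordSalt"];
                storedHash = (byte[])reader["PasswordHash"];
            }
        }
        // Re-derive from what was typed, then compare in constant time so the position of the
        // first differing byte is not revealed through response timing.
        byte[] candidate = Derive(enteredPassword, salt);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}
```

Because the stored value is a one-way hash with a per-user salt, two users with the same password get different rows, and a copy of the table does not yield the passwords themselves.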
  • Eli Cohen

    Thanks for your help. Is there any way to make it more secure and prevent hackers or SQL injection attacks?