hi i am trying to implemement forms authentication for my website but can't seem to get the stored procedure to output the correct value when checking a users credentials. the code is -
ALTER PROCEDURE validlogin
-
@uname nchar(30),
-
@pass nchar(100),
-
@valid int OUTPUT
-
-
AS
-
IF EXISTS(SELECT * FROM Users WHERE User_name = @uname AND Password = @pass)
-
SET @valid = 1
-
ELSE
-
SET @valid = 0
-
RETURN @valid
-
for the stored procedure and the code in my asp.net application to run this procedure is -
private bool UserAuthenticate(string uname, string pass)
-
{
-
int validateresult;
-
string hashedpwd = EncodePassword(pass);
-
//query the username and password
-
sqlSelectCommand1.CommandType = CommandType.StoredProcedure;
-
sqlSelectCommand1.CommandText = "validlogin";
-
sqlSelectCommand1.Parameters.Add(new SqlParameter("@uname", SqlDbType.NChar, 30));
-
sqlSelectCommand1.Parameters["@uname"].Value = uname;
-
sqlSelectCommand1.Parameters.Add(new SqlParameter("@pass", SqlDbType.NChar, 30));
-
sqlSelectCommand1.Parameters["@pass"].Value = hashedpwd; //hashedpwd;
-
sqlSelectCommand1.Parameters.Add(new SqlParameter("@valid", SqlDbType.NChar, 30));
-
sqlSelectCommand1.Parameters["@valid"].Direction = ParameterDirection.Output;
-
//sqlDataAdapter1.SelectCommand = sqlSelectCommand1;
-
sqlConnection1.Open();
-
-
validateresult = Convert.ToInt32(sqlSelectCommand1.ExecuteScalar());
-
sqlConnection1.Close();
-
-
if (validateresult > 0)
-
{
-
return true;
-
}
-
else
-
{
-
return false;
-
}
-
}
-
the calling code then checks for the result of this function and acts accordingly. when i do a trace on the code i can never get validateresult value to be anything other than 0. any help would be appreciated.
10 25074
Is the password stored as a hashed password? Is the entry be the same - write the value first to verify.
Firstly, what's the structure of your table holding the credentials?
Secondly, when a stored procedure is using output variables, you don't need to return the output variable with Return @Output, in this instance, you would return a value to verify if the procedure ran correctly or not - for instance:
Return @@Error
@Output already contains the output value and will automatically be returned when the procedure returns.
If you want to return the validation using "Return @Output", then the output variable is not necessary in the header, as all stored procedures should return some integer value and usually this would be used to verify that the procedure completed successfully - but there's nothing to say you couldn't use it to return whether or not the user validated successfully and ditch the output parameter in the header.
hi thanks for the replies. yes the password is hashed and i use exactly the same code when entering the password into the database when a user is registered and when validating the users login -
public string EncodePassword(string originalPassword)
-
{
-
Byte[] originalBytes;
-
Byte[] encodedBytes;
-
MD5 md5;
-
-
// Conver the original password to bytes; then create the hash
-
md5 = new MD5CryptoServiceProvider();
-
//originalBytes = (new UnicodeEncoding()).GetBytes(originalPassword);
-
originalBytes = ASCIIEncoding.Default.GetBytes(originalPassword);
-
encodedBytes = md5.ComputeHash(originalBytes);
-
-
// Bytes to string
-
return System.Text.RegularExpressions.Regex.Replace(BitConverter.ToString(encodedBytes), "-", "").ToLower();
-
}
-
the structure of the database so far is
Table name "Users"
U_name nchar 30 (username is primary key field)
F_name nchar 30
Surname nchar 30
Nickname nchar 30
Pword nchar 100
here also the code that registers the new users onto the system -
private void btnSubmit_Click(object sender, System.EventArgs e)
-
{
-
//insert command to insert new data
-
sqlInsertCommand1.CommandType = CommandType.Text;
-
sqlInsertCommand1.CommandText = "INSERT INTO Users (U_name, F_name, Surname, Nickname, Pword) VALUES (@User_name, @First_name, @Surname, @Nickname, @Password)";
-
sqlInsertCommand1.Parameters.Clear();
-
sqlInsertCommand1.Parameters.Add("@First_name",SqlDbType.NChar,30, "First_name");
-
sqlInsertCommand1.Parameters.Add("@User_name",SqlDbType.NChar,30, "User_name");
-
sqlInsertCommand1.Parameters.Add("@Nickname",SqlDbType.NChar,30, "Nickname");
-
sqlInsertCommand1.Parameters.Add("@Surname",SqlDbType.NChar,30, "Surname");
-
sqlInsertCommand1.Parameters.Add("@Password",SqlDbType.NChar,30, "Password");
-
//select command to fill dataset
-
sqlSelectCommand1.CommandType = CommandType.Text;
-
sqlSelectCommand1.CommandText = "SELECT * FROM Users";
-
DataSet Ds = new DataSet();
-
sqlDataAdapter1.SelectCommand = sqlSelectCommand1;
-
sqlDataAdapter1.InsertCommand = sqlInsertCommand1;
-
sqlDataAdapter1.Fill(Ds, "Users");
-
//create new data to insert
-
DataRow drow = Ds.Tables["Users"].NewRow();
-
drow[0] = textusername.Text;
-
drow[1] = textfirstname.Text;
-
drow[2] = textsurname.Text;
-
drow[3] = textnickname.Text;
-
string hashedpwd = EncodePassword(textpassword2.Text);
-
drow[4] = hashedpwd;
-
Ds.Tables["Users"].Rows.Add(drow);
-
sqlDataAdapter1.Update(Ds, "Users");
-
}
-
i'll try to alter the stored procedure to see if i can get the required result later and post back later. thanks
If you are trying to geth value from store procedure that is sent with the RETURN keyword, your parameter type would not be Input or Output but the ReturnValue parameter type. That might help?
When you run the query database side, does it return the right value? For instance, when I'm using encrypted passwords in the database, I usually use PwdEncrypt and PwdCompare to validate. This makes password verification a lot simpler because I don't have to handle the encryption routines on the client side, it's all handled in the database. I'm curious if the client side code is failing to provide the right hash or if the stored procedure is failing to produce the correct result, or if the stored procedure is not talking to the client side's command object. It's hard to say for sure.
after playing around i think i may of fixed situation. instead of using this code to assign the value from the stroed procedure -
sqlConnection1.Open();
-
validateresult = Convert.ToInt32(sqlSelectCommand1.ExecuteScalar());
-
sqlConnection1.Close();
-
i changed it for this code -
sqlConnection1.Open();
-
sqlSelectCommand1.ExecuteScalar();
-
validateresult = convert.ToInt32(sqlSelectCommand1.Parameters["@valid"].Value);
-
sqlConnection1.Close();
-
i have also taken the RETURN @valid from the stored procedure but even with this left in the code seems to work.
balabaster
"I usually use PwdEncrypt and PwdCompare to validate"
do you mean there are ways to carry out all the password encryption in side sql database itself? i'd be interested to see an example if possible. well thanks for all you help on this guys. i'm sure my noodie coding skills mean getting stuck again very soon lol.
sqlSelectCommand1.ExecuteScalar() does not return the return value from your stored procedure
Yes good point and thanks for pointing that out , but the sqlcommand objects parameters list seems to be updated when the stored procedure runs as i get the desired outcome. if i change the executescalar to executenonquery i can still retrieve a value from the command objects output parameter (@valid).
can you guys separately checking wether username is invalid or password invalid?
Coz if username doesn't exist it will know you well about
can you guys separately checking wether username is invalid or password invalid?
Coz if username doesn't exist it will know you well about
Well you'd have to do a two part lookup in that instance...return different values in the output params spit out a different value if the username doesn't exist than if the password was wrong.
i.e. - If Exists(Select * From UserTable Where UserName = @Username)
-
Set @Out = -1
-
Else
-
Begin
-
Select @Count = Count(*)
-
From UserTable
-
Where UserName = @UserName
-
And PwdCompare(Password, @Password) = 1
-
If (@Count = 0)
-
Set @Out = -2
-
Else If (@Count = 1
-
Set @Out = 1
-
End
-
-
Return @Out
If -1 is returned, the username doesn't exist, if -2 is returned the username exists but the password was wrong.
However, for security purposes, I don't recommend passing that information back to the end user. They could figure out what usernames exist and then start a brute force attack using passwords against that username...
Sign in to post your reply or Sign up for a free account.
Similar topics
by: Dinesh |
last post by:
Hi,
I have one stored procedure in SQL server in which i have written one
insert statement. Now in my cs file i pass the parameters require to execute
that stored procedure and finaly by mistaken...
|
by: Chad Dittmer via .NET 247 |
last post by:
I'm having problems inserting into Sql 2000 using SqlHelper.ExecuteScalar.
When it inserts, it only takes the first character from the string?? Any help would be appreciated. Here is the code and...
|
by: Max |
last post by:
Anyone know why I'm always getting 0 returned? My stored procedure
returns -1.
Dim iErrorCode As Int32
iErrorCode = Convert.ToInt32(SqlHelper.ExecuteScalar(AppVars.strConn, _
"gpUpdateMember",...
|
by: Neven Klofutar |
last post by:
Hi,
I have a problem with SqlHelper.ExecuteScalar ...
When I try to execute SqlHelper.ExecuteScalar I get this message:
"System.InvalidCastException: Object must implement IConvertible.".
...
|
by: j090757 |
last post by:
Returning parm data to vb.net from AS400 stored procedure
This example loads a textbox which is used by javascript for error
handling.
First create the stored procedure on the AS400:
CREATE...
|
by: jzogg7272 |
last post by:
In my code I am executing a stored procedure to do a single row insert.
I check the return value of the execution and I am getting -1, whereas
a few weeks ago it was returning 0. Actually, I found...
|
by: rn5a |
last post by:
A class file has the following code:
Imports System
Imports System.Data
Imports System.Data.SqlClient
Namespace LoginUsers
Public Class UserValidation
Public Function Validate(ByVal...
|
by: scparker |
last post by:
Hello,
We have a stored procedure that does a basic insert of values. I am
then able to retrieve the ID number created for this new record. We are
currently using ASP.NET 2.0 and use N-Tier...
|
by: Randy Smith |
last post by:
Hi,
I've got some weird behavior happening within one of the datamappers. It
all has to do with inserting a new row, and returning the Id of the row
being entered.
Here is what the code...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
| |