vb.net - Making SQL password query case sensitive using COLLATE
I am using the following SQL code in VB in VS2013. I want to create a login form using a database of users stored in userlist. The query is not case sensitive. How do I change the query string to use COLLATE or some other case-sensitive comparison?
```vb
Dim check As String = _
    "SELECT COUNT(*) AS Expr1 FROM userlist HAVING (username = '" & _
    UsernameTextBox.Text & "') AND ([password] = '" & PasswordTextBox.Text & _
    "') AND (usertype = '" & user.ToString & "')"
With search
    .CommandText = check
    .Connection = cn
    If .ExecuteScalar() = 1 Then
        Me.Hide()
        If user = "trader" Then
            Trader.Show()
        ElseIf user = "broker" Then
            Broker.Show()
        ElseIf user = "corporate" Then
            Corporate.Show()
        ElseIf user = "system" Then
            SystemManager.Show()
        End If
    Else : MsgBox("IncorrectInput")
    End If
End With
```
```sql
SELECT COUNT(*) AS Expr1
FROM userlist
HAVING (username = @username)
   AND ([password] COLLATE Latin1_General_CS_AS = @password)
   AND (usertype = @usertype)
```
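A VB.NET version of that parameterised, case-sensitive query, added here as an example (it is not part of the original answer). It assumes an open SqlConnection named cn, the textbox and user names from the question, and column sizes (50/50/20) that are my own assumption; it uses WHERE, which filters rows before COUNT(*) is evaluated, in place of HAVING.

```vb
' Added example: the login check from the question with SqlParameter objects
' and a case-sensitive collation on the password column.
Imports System.Data
Imports System.Data.SqlClient

Public Class LoginCheck
    ' Returns True when exactly one row matches the user name (compared with the
    ' column's default collation), the password (case-sensitive via COLLATE) and the user type.
    Public Shared Function Matches(cn As SqlConnection, username As String,
                                   password As String, userType As String) As Boolean
        Const sql As String =
            "SELECT COUNT(*) FROM userlist " &
            "WHERE username = @username " &
            "AND [password] COLLATE Latin1_General_CS_AS = @password " &
            "AND usertype = @usertype"
        Using cmd As New SqlCommand(sql, cn)
            ' Typed, length-bounded parameters: the values never become part of the SQL
            ' text, so a quote in the input (d'Alambert) cannot alter the statement.
            ' Column sizes are assumed; match them to the real table definition.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password
            cmd.Parameters.Add("@usertype", SqlDbType.NVarChar, 20).Value = userType
            Return CInt(cmd.ExecuteScalar()) = 1
        End Using
    End Function
End Class
```

Usage from the form: `If LoginCheck.Matches(cn, UsernameTextBox.Text, PasswordTextBox.Text, user.ToString) Then ...`, replacing the concatenated `check` string entirely. COLLATE is applied to the column expression only, so the comparison is case-sensitive regardless of the database's default collation.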
Apart from the fact that you don't have the password stored and compared as a slow, salted cryptographic hash (= non-reversible encryption), your query is vulnerable to SQL injection (e.g. when you use the username "Jean le Rond d'Alambert" or "d'Alambert").

Another bug: when you save the password as plain text, e.g. in a (N)VARCHAR(32), one can enter a password longer than that (e.g. a sentence) ==> bug.

Given that you're writing a financial application ("broker", "corporate"), SQL injection is an intolerable security risk.

You can for example MD5-hash the password (cheap & dirty): master.dbo.fn_varbintohexstr(HASHBYTES('MD5', 'test'))

You have a "System.Data.SqlClient.SqlCommand"; to that you can add a System.Data.SqlClient.SqlParameter:
```csharp
using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();
    //
    // Description of SQL command:
    // 1. It selects all cells from rows matching the name.
    // 2. It uses the LIKE operator because Name is a Text field.
    // 3. @Name must be added as a new SqlParameter.
    //
    using (SqlCommand command = new SqlCommand(
        "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
    {
        //
        // Add a new SqlParameter to the command.
        //
        command.Parameters.Add(new SqlParameter("Name", dogName));
        //
        // Read in the SELECT results.
        //
        SqlDataReader reader = command.ExecuteReader();
        while (reader.Read())
        {
            int weight = reader.GetInt32(0);
            string name = reader.GetString(1);
            string breed = reader.GetString(2);
            Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed);
        }
    }
}
```
If you do it right from the start, you don't have to change it later.
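To show what the "slow salted cryptographic hash" recommendation looks like in the question's own language, here is an added VB.NET example (not code from the original answer) that stores a PBKDF2 hash (Rfc2898DeriveBytes) with a per-user random salt and verifies it in code. The stored format "iterations$salt$hash", the iteration count, and the column width are my own choices; the table and column names follow the question.

```vb
' Added example: salted, iterated password hashing instead of plain text or bare MD5.
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Class PasswordStore
    Private Const SaltSize As Integer = 16       ' 128-bit random salt per user
    Private Const HashSize As Integer = 32       ' 256-bit derived key
    Private Const Iterations As Integer = 100000 ' deliberately slow; tune for your hardware

    ' Produces "iterations$salt$hash" (Base64) for the password column. Its length is the
    ' same whatever the password length, so a sentence as a password no longer overflows
    ' the column; the column must be wide enough for this format (e.g. NVARCHAR(100), assumed).
    Public Shared Function HashPassword(password As String) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(salt)
        End Using
        Dim hash As Byte() = Derive(password, salt, Iterations)
        Return Iterations.ToString() & "$" & Convert.ToBase64String(salt) & "$" & Convert.ToBase64String(hash)
    End Function

    ' Recomputes the hash from the stored salt and compares in fixed time. A byte-for-byte
    ' comparison is inherently case-sensitive ("Secret" and "secret" derive different keys),
    ' so no COLLATE clause is needed for the password.
    Public Shared Function Verify(password As String, stored As String) As Boolean
        Dim parts As String() = stored.Split("$"c)
        If parts.Length <> 3 Then Return False
        Dim iter As Integer = Integer.Parse(parts(0))
        Dim salt As Byte() = Convert.FromBase64String(parts(1))
        Dim expected As Byte() = Convert.FromBase64String(parts(2))
        Dim actual As Byte() = Derive(password, salt, iter)
        Return FixedTimeEquals(actual, expected)
    End Function

    Private Shared Function Derive(password As String, salt As Byte(), iter As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, iter)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function

    ' Touches every byte so the time taken does not reveal where the first mismatch is.
    Private Shared Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Login: fetch the stored hash for the user with a parameterised query, then verify in code.
    ' The password itself never travels into the SQL statement.
    Public Shared Function Login(cn As SqlConnection, username As String, password As String) As Boolean
        Using cmd As New SqlCommand("SELECT [password] FROM userlist WHERE username = @username", cn)
            cmd.Parameters.AddWithValue("@username", username)
            Dim stored As Object = cmd.ExecuteScalar()
            If stored Is Nothing OrElse stored Is DBNull.Value Then Return False
            Return Verify(password, CStr(stored))
        End Using
    End Function
End Class
```

When a user is created, store `PasswordStore.HashPassword(PasswordTextBox.Text)` in the password column; at login call `PasswordStore.Login(cn, UsernameTextBox.Text, PasswordTextBox.Text)`. Keeping the iteration count in the stored value lets it be raised later for new or re-hashed passwords without breaking existing rows.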