0

In my Project the User after the login has to Change the default Password when he logs in and that password will be stored in the Database I want to Encrypt the Password entered by the User in the Change Password Page and store it in the Database and during re-login of that User I want to Encrypt the password entered in the Login page and Check with the Saved password in Database or Fetch the Encrypted password for Decryption and Checking the Decrypted password with the Entered Password how can I do it my Change Password Code is,

SqlConnection con = new SqlConnection(@"Data Source=ESLHPC17\SQL2008;Initial Catalog=Eval;User ID=;Password=");
try
{
    string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
    string qry = "Select Password from passtable";
    SqlCommand cmd = new SqlCommand(Qry, con);
    SqlCommand cmd1 = new SqlCommand(qry, con);
    con.Open();
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    SqlDataAdapter daa = new SqlDataAdapter(cmd1);
    DataTable dt = new DataTable();
    DataTable dtt = new DataTable();
    da.Fill(dt);
    daa.Fill(dtt);
    if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
    {
        string strqry = "Update Passtable Set Password='" + EncryptString(NewPassword.Text) + "'";
        SqlCommand comd = new SqlCommand(strqry, con);
        comd.ExecuteNonQuery();
        Label1.Visible = true;
        Button1.Visible = true;
        ChangeButton.Enabled = false;
    }
    else
    {
        lblMessage.Visible = true;
        lblMessage.ForeColor = System.Drawing.Color.Red;
        lblMessage.Text = "Current Password and Entered Password did not Match !!!";
    }
}
finally
{
  con.Close();
  con.Dispose();
}

The Edited Code with SQL INJECTION detection

using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["EvalCon"].ConnectionString)) 
{
    try
    {
        string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
        string qry = "Select Password from passtable";
        if (CurrentPassword.Text != "Select" && CurrentPassword.Text != "Create Table" && CurrentPassword.Text != "Update" && CurrentPassword.Text != "Delete" && CurrentPassword.Text != "Truncate" && CurrentPassword.Text != "Drop Table" && CurrentPassword.Text != "Insert" && CurrentPassword.Text != "@")
        {
            if (NewPassword.Text != "Select" && NewPassword.Text != "Create Table" && NewPassword.Text != "Update" && NewPassword.Text != "Delete" && NewPassword.Text != "Truncate" && NewPassword.Text != "Drop Table" && NewPassword.Text != "Insert" && NewPassword.Text != "@")
            {
                using (SqlCommand cmd = new SqlCommand(Qry, con))
                {
                    using (SqlCommand cmd1 = new SqlCommand(qry, con))
                    {
                        con.Open();
                        SqlDataAdapter da = new SqlDataAdapter(cmd);
                        SqlDataAdapter daa = new SqlDataAdapter(cmd1);
                        DataTable dt = new DataTable();
                        DataTable dtt = new DataTable();
                        da.Fill(dt);
                        daa.Fill(dtt);
                        if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
                        {
                            string strqry = "Update Passtable Set Password='" + NewPassword.Text + "'";
                            SqlCommand comd = new SqlCommand(strqry, con);
                            comd.ExecuteScalar()

                            Label1.Visible = true;
                            Button1.Visible = true;
                            ChangeButton.Enabled = false;
                        }
                        else
                        {
                            lblMessage.Visible = true;
                            lblMessage.ForeColor = System.Drawing.Color.Red;
                            lblMessage.Text = "Current Password and Entered Password did not Match !!!";
                        }
                    }
                }
            }
            else
            {
                lblMessage.Visible = true;
                lblMessage.ForeColor = System.Drawing.Color.Red;
                lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
                CurrentPassword.Enabled = false;
                NewPassword.Enabled = false;
                ConfirmNewPassword.Enabled = false;
            }
        }
        else
        {
            lblMessage.Visible = true;
            lblMessage.ForeColor = System.Drawing.Color.Red;
            lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
            CurrentPassword.Enabled = false;
            NewPassword.Enabled = false;
            ConfirmNewPassword.Enabled = false;
        }
    }
    finally
    {
        con.Close();
        con.Dispose();
    }
}
Improve this question

2 Answers 2

Reset to default
3

Never use user input to append to SQL text. Your code is vulnerable to SQL injection. Use parameters. Read SQL Injection right now.

  1. Do not store passwords in the database, even encrypted. Store a salted hash. Storing the encrypted password is an illusion of security because you will get the key management needed to decrypt the password wrong. You also talk about comparing the encrypted password which is, again, wrong, it means you do not know how to properly use a random IV in the encryption.
  2. Learn to use using() {...} blocks
  3. Learn to use appsetings/websettings for connection strings.
  4. Learn to use ExecuteScalar
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

As per Your Advice I have made Changes for Checking the SQL INJECTION and used the Using() {....} blocks and used ExcecuteScalar and posted the edited code but I cant understand the Salted Hash in the Link you have given can you Help me out....
0

You can simplify the checking of SQLSyntax check with a class that you call when you want to check Text.

class SQLSyntaxCheck
{
    internal static bool CheckSyntax ( string Text )
    {
        if (Text != "Select" && Text != "Create Table" && Text != "Update" && Text != "Delete" && Text != "Truncate" && Text != "Drop Table" && Text != "Insert" && Text != "@")
            return true;
        else return false;

    }}

You can call it via SQLSyntaxCheck.CheckSyntax ( textbox1.Text.ToString() ) or whichever method comes your way.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.