
Comparing two rows in the same table in sql server

I have looked at similar answers, but this is what I am looking for, since I did not find any answers in previously answered questions:

This is my scenario: I have a table [res_user] with username, password, key_pin, which saves a username, an encrypted password, and a 4-digit pin or key.

I am making an app in C# that allows a manager to log in and make changes to the database from the app itself.

The manager is first prompted to log in with a username, a password, and their key_pin they are provided with. The pin is what will encrypt and decrypt the password to and from the database.

Now I have a username [manager] and an encrypted password already saved in the database with the key_pin.

How can I make sure that the manager logging in is the right one, meaning how can I compare the username and the encrypted password in the database from the C# app?

These are the steps that I thought of that I will implement in the app itself (using SQL syntax in C#):

  1. Encrypt the password,

  2. Get the saved encryption in the database using the login username, and

  3. Compare the encryption, returning a yes or a no back to the app for access control,

allowing 5 attempts to log in.

This is the first and second part I did:

try
{
   using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["STRING"].ConnectionString))
   {
     using (SqlCommand cmd = con.CreateCommand())
     {
       // Part one: store the username, the encrypted password and the pin.
       // Parameters replace the original string concatenation, which let the
       // username, pin or password text break out of the SQL literal.
       cmd.CommandText = "INSERT INTO Res_User(username, password, key_pin) SELECT @username, dbo.fnEncDecRc4(@pin, @password), @pin";
       cmd.Parameters.AddWithValue("@username", username);
       cmd.Parameters.AddWithValue("@pin", pin);
       cmd.Parameters.AddWithValue("@password", password);
       con.Open();
       cmd.ExecuteNonQuery();

       MessageBox.Show("Added", "Information", MessageBoxButtons.OK);

       // Part two: read back the stored encryption for this username.
       // Clear the INSERT parameters first; adding @username a second time
       // would throw. The extra ExecuteNonQuery() that ran the SELECT twice is dropped.
       cmd.CommandText = "SELECT password FROM Res_User WHERE username = @username";
       cmd.Parameters.Clear();
       cmd.Parameters.AddWithValue("@username", username);

       using (SqlDataReader reader = cmd.ExecuteReader())
       {
           if (reader.HasRows)
           {
               while (reader.Read())
               {
                    MessageBox.Show(reader["password"].ToString(), "Information", MessageBoxButtons.OK);
               }
           }
       }
     }
   }
}
catch (SqlException ex)
{
   MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK);
}

How do I go about doing the third part?

Only if someone can help me compare the saved enc. password and the login enc. password, which I did in part one.

Let me know if more information is needed.

Thank You.

Any help will be appreciated.

You could try re-encrypting the password and pin on the server when you're doing validation on the server. That way you call your encrypt function, then do a comparison, and if you have results, you know that the correct password was entered. Modifying your code, it would look like:

try
{
   using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["STRING"].ConnectionString))
   {
     using (SqlCommand cmd = con.CreateCommand())
     {
       // Insert with parameters instead of concatenating the values into the SQL text.
       cmd.CommandText = "INSERT INTO Res_User(username, password, key_pin) SELECT @username, dbo.fnEncDecRc4(@pin, @password), @pin";
       cmd.Parameters.AddWithValue("@username", username);
       cmd.Parameters.AddWithValue("@pin", pin);
       cmd.Parameters.AddWithValue("@password", password);
       con.Open();
       cmd.ExecuteNonQuery();

       MessageBox.Show("Added", "Information", MessageBoxButtons.OK);

       // Validation: re-encrypt the submitted password with the submitted pin on the
       // server and let SQL Server do the comparison. A row comes back only on a match.
       cmd.CommandText = "SELECT password FROM Res_User WHERE username = @username AND key_pin = @pin AND password = dbo.fnEncDecRc4(@pin, @password)";
       cmd.Parameters.Clear();
       cmd.Parameters.AddWithValue("@username", username);
       cmd.Parameters.AddWithValue("@pin", pin);
       cmd.Parameters.AddWithValue("@password", password);

       using (SqlDataReader reader = cmd.ExecuteReader())
       {
           if (reader.HasRows)
           {
               //successfully validated.
           }
       }
     }
   }
}
catch (SqlException ex)
{
   MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK);
}
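
The third part of the question (a yes/no answer for access control, with the 5 login attempts) as an added example; this is not the asker's or the answerer's code. It assumes the Res_User table, the dbo.fnEncDecRc4(key, text) function and the "STRING" connection string exactly as they appear in the code above. The comparison query is the one from the answer, but it asks the server for a row count, so the stored ciphertext never travels to the client. The attempt counter is in-memory and keyed by username, which is an assumption about where the limit should live.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post): server-side credential check plus
// the 5-attempt limit the question asks for.
public sealed class ManagerLogin
{
    public const int MaxAttempts = 5;

    // Failed-attempt counter per username, kept in memory for the lifetime of the app
    // (assumption: a single desktop process; a persistent store would survive restarts).
    private readonly Dictionary<string, int> _failures =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase);

    public int FailedAttempts(string username)
    {
        int n;
        return _failures.TryGetValue(username, out n) ? n : 0;
    }

    public bool IsLockedOut(string username)
    {
        return FailedAttempts(username) >= MaxAttempts;
    }

    // Returns true only when exactly one row has this username and pin and its stored
    // password equals the submitted password re-encrypted with the submitted pin.
    // The app never receives the stored ciphertext, only a count.
    public bool TryLogin(string username, string password, string pin)
    {
        if (IsLockedOut(username))
            return false;

        const string sql =
            "SELECT COUNT(*) FROM Res_User " +
            "WHERE username = @username AND key_pin = @pin " +
            "AND password = dbo.fnEncDecRc4(@pin, @password)";

        using (var con = new SqlConnection(ConfigurationManager.ConnectionStrings["STRING"].ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed parameters keep the user-supplied text out of the SQL statement itself.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar).Value = username;
            cmd.Parameters.Add("@pin", SqlDbType.NVarChar).Value = pin;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar).Value = password;

            con.Open();
            int matches = Convert.ToInt32(cmd.ExecuteScalar());
            bool ok = matches == 1;

            if (ok)
                _failures.Remove(username);          // successful login resets the counter
            else
                _failures[username] = FailedAttempts(username) + 1;

            return ok;
        }
    }
}

// Usage from the login form: the caller decides what to show, the class only answers yes/no.
//
//   var login = new ManagerLogin();
//   if (login.TryLogin(usernameBox.Text, passwordBox.Text, pinBox.Text))
//       OpenManagerView();
//   else if (login.IsLockedOut(usernameBox.Text))
//       MessageBox.Show("Too many failed attempts.", "Login", MessageBoxButtons.OK);
//   else
//       MessageBox.Show("Invalid username, password or pin.", "Login", MessageBoxButtons.OK);
```

Two design notes. The check is deliberately a single query that combines username, pin and re-encrypted password, so the app cannot distinguish "wrong pin" from "wrong password" and neither can a caller of the API. The counter only limits attempts inside one running process; because key_pin is stored in the same row as the ciphertext it protects, a copy of the table is enough to decrypt every password, so the usual replacement for this scheme is to store a salted one-way hash (for example PBKDF2 via Rfc2898DeriveBytes) and compare hashes the same way.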
