{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 贪生不怕死 的问题《Hashing password in WPF C# application》','https://www.manongdao.com/q-1082120.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've tried to create a remote MySQL database and link it to WPF application. I manage to do that but I was advised by users from the forum to hash my password, cause it can be easyly SQL injected. My question is does anybody know how can I create hashed password based on that code:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using MySql.Data.MySqlClient;
namespace ECBSRecruitmentAgencySoftware
{
public partial class LogIn : Form
{
public LogIn()
{
InitializeComponent();
}
public bool tryLogin(string username , string password)
{
MySqlConnection con = new MySqlConnection("host=aaaaaaaa.baaadsg;user=saaaaaak;password=2333333336;database=soaaaaaaaa2;");
MySqlCommand cmd = new MySqlCommand("Select * FROM niki WHERE user_name = `" + username + "` AND user_password = `" + password + "`;");
cmd.Connection = con;
con.Open();
MySqlDataReader reader = cmd.ExecuteReader();
if (reader.Read() != false)
{
if (reader.IsDBNull(0) == true)
{
cmd.Connection.Close();
reader.Dispose();
cmd.Dispose();
return false;
}
else
{
cmd.Connection.Close();
reader.Dispose();
cmd.Dispose();
return true;
}
}
else
{
return false;
}
}
private void button1_Click(object sender, EventArgs e)
{
if (tryLogin(user.Text, pass.Text) == true)
{
MainScreen F2 = new MainScreen();
F2.Show();
this.Hide();
}
else
MessageBox.Show("Wrong details!");
}
}
}
Create a function to do it for you:
This is asp.NET
You would use a hashing algorithm provider, such as SHA256.
Now, for the sake of storing and comparing in a SQL query, you'd convert the bytes into a string representation, such as Base64Encoded.
Now you can use the value of hashedPassword in your query.
HOWEVER...
You should also consider generating a salt value, either for your entire application, or better yet, per user. You would need a column in the table to store it, and generate it randomly for each user every time the password is changed. Then you'd use something like this to create the hashed password:
Putting it all together...
I don't belive your will be able to make secure way of authentication with this code.
First of all you store password to your database in you code. So anyone can use Reflector or any other .NET decompiller to extract password to database. Then, having full connection string, anyone can connect to your database and compromise it (for example, steal all user passwords). Even if your use obfuscation tools, it is still possible to extract this string from your application.
So it is actually does not matter, will you hash user passwords or will you not - anyone can access you system.
The more secure way to perform password validation is creating multi-tired system, so WPF application cannot directly access database, it users Application server to perform any operations with data. For communication you can use web services, WCF. Connection string to your database will be stored only in application server.
Now what about hashes.
You have to find out why do you want to use hash. You can use hash to store it in database (so clear password is not stored anywhere). You can use hash to send password over network, so even if message is intercepted, nobody will find out clear password). Or you can use hash for both this.
If you will store password hash in database, you should research database scheme of build in ASP.NET membership provider.
Based on option you choose, you can implement actual password validation.
Actually it does not really matter how you will compute hash. It just have to be enough strong hash algorithm, for example SHA512 which is buit in in .NET Framework.
.Net has inbuilt support support for MD5 hash algorithm and many other hash algorithm. There is a really good example for this in Microsoft website: https://msdn.microsoft.com/en-us/library/system.security.cryptography.md5(v=vs.110).aspx#Examples .
To learn more about how and why hashing is required you can check out this site: https://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
.NET supports several cryptographic hashes including MD5 and SHA so it's quite easy to hash your passwords using
ComputeHashmethods of these classes...Here is a simple example of hashing a file using MD5 which can be easily converted to generate a password hash:
Don't forget to salt your hash...
Actually, it would probably be best to just read this great article about storing passwords in a database over on CP...
The Art & Science of Storing Passwords