MD5 Login Help Needed
-
March 29, 2012, 10:40 AM
Hi, I need help implementing MD5 into my account creation and login code. I have read a few articles about it but none seem clear on how it can be used with stored procedures, or called during a login, so I will post my current code and if anyone can help or show how I can add the code, please do, and feel free to optimize the code as you see fit. My backend is MSSQL 2005.
The code below is used during the create account button click. I would like the password to be stored in MD5 encryption rather than standard words. I also understand that this method of creating user accounts is not used that much, but I would like to learn the process nonetheless.
Private Sub AccmngCreateBtn_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles AccmngCreateBtn.Click
    conn.Open()
    If AccUserTextBox.Text = "" Then
        MessageBox.Show("Please search for an employee to enter")
    ElseIf AccPasswordTextBox.Text = "" Then
        MessageBox.Show("Please enter a password at least 5 characters long")
    ElseIf AccPasswordTextBox.TextLength < 5 Then
        MessageBox.Show("Password should contain at least 5 characters")
        AccPasswordTextBox.Clear()
    ElseIf AccCnfPassTextBox.Text = "" Then
        MessageBox.Show("Please enter password confirmation")
    ElseIf AccPasswordTextBox.Text <> AccCnfPassTextBox.Text Then
        MessageBox.Show("Please confirm password correctly")
        AccCnfPassTextBox.Clear()
    ElseIf AccAuthCodeTextBox.Text = "" Then
        MessageBox.Show("Please enter authentication code")
    Else
        Try
            Dim AccAuthcmd As New SqlCommand("authoriseSelect", conn)
            AccAuthcmd.CommandType = CommandType.StoredProcedure
            AccAuthcmd.Parameters.Add("@authorisationid", SqlDbType.VarChar).Value = AccAuthCodeTextBox.Text
            '--now we declare the data adapter, data set and binding source
            Dim ddt As New SqlDataAdapter(AccAuthcmd)
            Dim dtset As New Data.DataSet
            '--reader to check for data integrity
            ddt.SelectCommand = AccAuthcmd
            ddt.Fill(dtset, "0")
            Dim cnt = dtset.Tables(0).Rows.Count
            If cnt = 1 Then
                Dim AccSelectcmd As New SqlCommand("myTableSelect", conn)
                AccSelectcmd.CommandType = CommandType.StoredProcedure
                AccSelectcmd.Parameters.Add("@empid", SqlDbType.Int).Value = AccStaffIDTextBox.Text
                '--now we declare the data adapter, data set and binding source
                Dim ddt1 As New SqlDataAdapter(AccSelectcmd)
                Dim dtset1 As New Data.DataSet
                '--reader to check for data integrity
                ddt1.SelectCommand = AccSelectcmd
                ddt1.Fill(dtset1, "0")
                Dim cnt1 = dtset1.Tables(0).Rows.Count
                If cnt1 > 0 Then
                    MessageBox.Show("Account already exists")
                Else
                    Try
                        Dim AccInsertcmd As New SqlCommand("insertMytable", conn)
                        AccInsertcmd.CommandType = CommandType.StoredProcedure
                        AccInsertcmd.Parameters.Add("@empid", SqlDbType.Int).Value = AccStaffIDTextBox.Text
                        AccInsertcmd.Parameters.Add("@username", SqlDbType.VarChar).Value = AccUserTextBox.Text
                        AccInsertcmd.Parameters.Add("@password", SqlDbType.VarChar).Value = AccPasswordTextBox.Text
                        AccInsertcmd.ExecuteNonQuery()
                        MessageBox.Show("successfully created account")
                    Catch ex As Exception
                        MessageBox.Show(" Account not created-" & ex.Message)
                    End Try
                End If
            Else
                MessageBox.Show("Authentication code is wrong")
            End If
        Catch ex As Exception
            MessageBox.Show(" Exception-" & ex.Message)
        End Try
    End If
    conn.Close()
End Sub
The following code is on the login authentication side. How can I make it so the authentication statement changes the password text into an MD5 hash and then cross-checks it with the hash stored in the database?
Dim conn As New SqlConnection(My.Settings.cidrzlaptopsConnectionString1)
' TODO: Insert code to perform custom authentication using the provided username and password
' (See http://go.microsoft.com/fwlink/?LinkId=35339).
' The custom principal can then be attached to the current thread's principal as follows:
'     My.User.CurrentPrincipal = CustomPrincipal
' where CustomPrincipal is the IPrincipal implementation used to perform authentication.
' Subsequently, My.User will return identity information encapsulated in the CustomPrincipal object
' such as the username, display name, etc.
Private Sub OK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OK.Click
    Try
        conn.Open()
    Catch ex As Exception
        MessageBox.Show("Error connecting to database-" & ex.Message)
    End Try
    If UsernameTextBox.Text = "" Then
        MessageBox.Show("Please enter User name")
    ElseIf PasswordTextBox.Text = "" Then
        MessageBox.Show("Please enter password")
    Else
        Try
            '---- Prepare the SQL query to obtain details using staff id no
            Dim loginelectcmd As New SqlClient.SqlCommand("loginselect1", conn)
            loginelectcmd.CommandType = CommandType.StoredProcedure
            loginelectcmd.Parameters.Add("@username", SqlDbType.VarChar).Value = UsernameTextBox.Text
            loginelectcmd.Parameters.Add("@password", SqlDbType.VarChar).Value = PasswordTextBox.Text
            '--the reader is used as a control to prevent accidental entry of previously correct on a new error
            Dim ddt As New SqlClient.SqlDataAdapter
            Dim dtd As New Data.DataSet
            ddt.SelectCommand = loginelectcmd
            ddt.Fill(dtd, "0")
            Dim cnt = dtd.Tables(0).Rows.Count
            If cnt > 0 Then
                MessageBox.Show(" Login authenticated")
                ATS.Show()
                Me.Hide()
                UsernameTextBox.Clear()
                PasswordTextBox.Clear()
            Else
                MessageBox.Show(" Incorrect User name or password")
                PasswordTextBox.Clear()
            End If
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End If
    conn.Close()
End Sub
Any help will be greatly appreciated, especially an example using the above code modified. Thank you.
- Edited by Synkhan, March 29, 2012, 10:43 AM
All replies
-
March 29, 2012, 1:39 PM
Check out this and see if it works for you. This is an example so please be sure to modify it to work with your database rather than saving the username and passwords in the text file.
http://code.msdn.microsoft.com/Secure-Login-Example-42facaf1
Best regards,
- Jordan
Jordan St. Godard | Microsoft® Community Contributor 2011
-
March 30, 2012, 7:37 AM
OK, so it seems reasonable enough, however, can you show me how this line of code can be replaced with my insert stored procedure, because I am having a hard time figuring it out.
' Writes the MD5 hashed values of user and pass to a file named <user>.txt
My.Computer.FileSystem.WriteAllText(StringtoMD5(user) & ".txt", StringtoMD5(user) & Chr(32) & StringtoMD5(pass), False)
File.SetAttributes(StringtoMD5(user) & ".txt", FileAttributes.Hidden)
The next piece of code is the one I use to insert, so how can it be modified to work with your MD5 function, if you don't mind me asking.
Try
    Dim AccInsertcmd As New SqlCommand("insertMytable", conn)
    AccInsertcmd.CommandType = CommandType.StoredProcedure
    AccInsertcmd.Parameters.Add("@empid", SqlDbType.Int).Value = AccStaffIDTextBox.Text
    AccInsertcmd.Parameters.Add("@username", SqlDbType.VarChar).Value = AccUserTextBox.Text
    AccInsertcmd.Parameters.Add("@password", SqlDbType.VarChar).Value = AccPasswordTextBox.Text
    AccInsertcmd.ExecuteNonQuery()
    MessageBox.Show("successfully created account")
Catch ex As Exception
    MessageBox.Show(" Account not created-" & ex.Message)
End Try
-
March 30, 2012, 8:55 AM
Synkhan,
As advice, try to learn one thing at a time instead of all things at once.
If you are not yet able to use that database, then don't try to make it difficult to use it with an encoded password.
First learn it without an encoded password, the next step is an encoded password.
Be aware some think whiz kids can do things professional developers cannot do, but in the end it shows that after some short steps the whiz kids also have to learn each step to become professional developers.
As an analogy, most whiz kids can ride a scooter better than most Boeing 747 pilots, but that does not make them a better pilot for a Boeing 737.
Success
Cor
-
March 30, 2012, 9:02 AM
I can already save and retrieve data from the database, as well as create and delete accounts. All I want to know is how to incorporate MD5 encryption into my code so as not to save the passwords in basic text. I am well aware of how to use the main functions of a database; I just lack the understanding of incorporating MD5 into my VB.net code.
-
March 30, 2012, 2:11 PM
Hi again,
The MD5ToString() is a function. You are currently saving the strings of the username and password in plaintext. Keep in mind, I have no Database knowledge so I would not know how to verify the encrypted MD5 strings. You would have to create a new post regarding that.
Back on topic, to save the MD5 encrypted strings, you would do something like this:
Try
    Dim AccInsertcmd As New SqlCommand("insertMytable", conn)
    AccInsertcmd.CommandType = CommandType.StoredProcedure
    AccInsertcmd.Parameters.Add("@empid", SqlDbType.Int).Value = AccStaffIDTextBox.Text
    AccInsertcmd.Parameters.Add("@username", SqlDbType.VarChar).Value = StringToMD5(AccUserTextBox.Text)
    AccInsertcmd.Parameters.Add("@password", SqlDbType.VarChar).Value = StringToMD5(AccPasswordTextBox.Text)
    AccInsertcmd.ExecuteNonQuery()
    MessageBox.Show("successfully created account")
Catch ex As Exception
    MessageBox.Show(" Account not created-" & ex.Message)
End Try
Notice the use of the StringToMD5 function using the username string as a parameter and the password string as a parameter. This will return the MD5 values of the strings. Remember, this will only work on the VB.NET end, you will have to ensure (or write) code from your database end to check users using MD5. The database will have to be able to verify the accounts in the table with the accounts that are being logged in by hashing the table accounts and checking those for verification of correct credentials.
Also take Cor seriously but lightly at the same time as it will be beneficial to you. Learning is fun, but the less you concentrate on at one time, the easier it will be to learn what you wanted to learn.
Hope this helps,
- Jordan
Jordan St. Godard | Microsoft® Community Contributor 2011
- Marked as answer by Shanks Zen (Microsoft Contingent Staff, Moderator), April 9, 2012, 8:14 AM
- Unmarked as answer by Synkhan, April 16, 2012, 1:42 PM
- Marked as answer by Synkhan, April 16, 2012, 1:42 PM
-
March 30, 2012, 3:07 PM
Thanks for the advice and help, will take it to heart. Off to try out what you suggested.
-
April 16, 2012, 1:46 PM
Hi Jordan, your method works perfectly. To call the stored MD5 hashed text from the database, you simply call the string to MD5 function in the same way as done above if you are using a stored procedure. The function will convert the password and if both hashed passwords match, the login is successful. Many thanks again.
-
April 16, 2012, 2:18 PM
No problem! Glad I was able to help. :)
Jordan St. Godard | Microsoft® Community Contributor 2011
double twoCents = .02; Console.WriteLine("$" + twoCents.ToString());

