Login with Same Password Characters

  • Question

  • User-1994446809 posted

    Hello Forum,

    How do I make my password textbox on the login form check and accept the EXACT characters that are in the data table before logging in?

    If a user types the same words but in a different case, then it should not log in. For example, if a user’s password is mErryD123 and the user types merryd123, then it should not log in.

    This is what I tried, but it seems not to work on my project.

    Here is my Login Code

    protected void Button1_Click(object sender, EventArgs e)
    {
        if (txtUsername.Text != "" & txtPassword.Text != "")
        {
            int user = 0;
            using (SqlCommand cmd = new SqlCommand("SELECT Uid FROM Users WHERE email = @email AND CAST(pass AS VARBINARY(MAX)) = CAST(@pass AS VARBINARY(MAX))"))
            {
                cmd.CommandType = CommandType.Text;
                cmd.Parameters.AddWithValue("@email", txtUsername.Text.Trim());
                cmd.Parameters.AddWithValue("@pass", txtPassword.Text.Trim());
                cmd.Connection = con;
                con.Open();
                user = Convert.ToInt32(cmd.ExecuteScalar());
                con.Close();
            }
            if (user > 0)
            {
                Session["user"] = user;
                Response.Redirect("Home.aspx");
            }
            else
            {
                dvMessage.Visible = true;
                lblMessage.Visible = true;
                lblMessage.ForeColor = System.Drawing.Color.Red;
                lblMessage.Text = "Invalid Login Details";
                txtPassword.Text = "";
            }
        }
        else
        {
            dvMessage.Visible = true;
            lblMessage.Visible = true;
            lblMessage.ForeColor = System.Drawing.Color.Red;
            lblMessage.Text = "All Fields are Required";
        }
    }
    Tuesday, September 22, 2020 9:18 AM

Answers

  • User-189459990 posted

    You don't need to modify password column type to "VARBINARY".

    In my test “casting to binary” works fine when directly used on the database, but seems not to work in a .NET application.

    Maybe you can use “collation” to achieve case sensitivity.

    Here is the SQL.

    SELECT Uid FROM Users
         WHERE pass = @pass COLLATE SQL_Latin1_General_CP1_CS_AS
         AND email = @email
         AND pass = @pass

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, September 23, 2020 7:02 AM

All replies

  • User753101303 posted

    Hi,

    "Seems not to work". Instead, rather tell us what happens, i.e. does it match when it shouldn't, or does it never match? I tried:

    SELECT 'A' WHERE CAST('mErryD123' AS VARBINARY(max))=CAST('merryd123' AS VARBINARY(MAX)) -- not shown
    SELECT 'B' WHERE CAST('mErryD123' AS VARBINARY(max))=CAST('mErryD123' AS VARBINARY(MAX)) -- shown

    which gives me the expected result. If it never matches, I suspect you are perhaps using both VARCHAR and NVARCHAR, which won't have the same binary representation.

    Another option could be to use COLLATE or to change the column definition using https://docs.microsoft.com/en-us/sql/relational-databases/collations/set-or-change-the-column-collation?view=sql-server-ver15 so that this column is case sensitive.

    My personal preference would be to consider using what ASP.NET offers out of the box, i.e. https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity (you have something similar for ASP.NET Core).

    Tuesday, September 22, 2020 12:01 PM
  • User-1994446809 posted

    Hi,

    PatriceSc

    which give me the expected result. If it never matches I suspect you are perhaps using both VARCHAR and NVARCHAR which won't have the same binary representation.

    Okay; I am using NVARCHAR as data type for the password column. Should I change it to VARBINARY?

    Tuesday, September 22, 2020 12:57 PM
  • User2041008840 posted

    You can apply String Comparison in C# to check whether the password is correct or not. This also checks the upper and lower cases too.

    https://docs.microsoft.com/en-us/dotnet/api/system.stringcomparison?view=netcore-3.1

    Friday, September 25, 2020 12:14 PM
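
An added T-SQL example, not part of the original thread, that runs the comparison styles discussed in the replies above side by side: the default case-insensitive comparison, the COLLATE suggestion from the marked answer, and the VARBINARY cast with matching and mismatched string types. The table variable, column sizes, sample row and variable names are assumptions; the column collation is pinned to a case-insensitive one so the behaviour does not depend on the database default.

```sql
-- Constructed sample data. The table variable stands in for the thread's Users table;
-- column sizes are assumptions, and the collation is pinned to a case-insensitive one.
DECLARE @Users TABLE (
    Uid   INT,
    email NVARCHAR(256) COLLATE SQL_Latin1_General_CP1_CI_AS,
    pass  NVARCHAR(128) COLLATE SQL_Latin1_General_CP1_CI_AS
);
INSERT INTO @Users (Uid, email, pass)
VALUES (1, N'user@example.com', N'mErryD123');

DECLARE @email       NVARCHAR(256) = N'user@example.com';
DECLARE @exact       NVARCHAR(128) = N'mErryD123';  -- same case as the stored value
DECLARE @wrongCase   NVARCHAR(128) = N'merryd123';  -- same letters, different case
DECLARE @exactAsChar VARCHAR(128)  = 'mErryD123';   -- same text, non-Unicode type

-- One row per comparison style; matches counts the users the login query would find.
-- Case-insensitive column collation: letter case is ignored by the comparison.
SELECT 'CI collation, wrong case' AS comparison, COUNT(*) AS matches
FROM @Users WHERE email = @email AND pass = @wrongCase
UNION ALL
-- An explicit COLLATE on one operand makes the whole comparison case-sensitive.
SELECT 'CS collation, wrong case', COUNT(*)
FROM @Users WHERE email = @email
  AND pass = @wrongCase COLLATE SQL_Latin1_General_CP1_CS_AS
UNION ALL
SELECT 'CS collation, exact case', COUNT(*)
FROM @Users WHERE email = @email
  AND pass = @exact COLLATE SQL_Latin1_General_CP1_CS_AS
UNION ALL
-- Binary cast: both sides NVARCHAR, so the bytes are compared like for like.
SELECT 'binary cast, NVARCHAR parameter', COUNT(*)
FROM @Users WHERE email = @email
  AND CAST(pass AS VARBINARY(MAX)) = CAST(@exact AS VARBINARY(MAX))
UNION ALL
-- Binary cast: NVARCHAR column against a VARCHAR parameter with the same text.
SELECT 'binary cast, VARCHAR parameter', COUNT(*)
FROM @Users WHERE email = @email
  AND CAST(pass AS VARBINARY(MAX)) = CAST(@exactAsChar AS VARBINARY(MAX));

-- NVARCHAR is stored as UTF-16 and VARCHAR as a single-byte code page here,
-- so the same text casts to byte strings of different lengths.
SELECT DATALENGTH(CAST(@exact AS VARBINARY(MAX)))       AS nvarchar_bytes,
       DATALENGTH(CAST(@exactAsChar AS VARBINARY(MAX))) AS varchar_bytes;
```

The last two rows of the first result set differ only in the parameter's type, which is the VARCHAR versus NVARCHAR mismatch suggested in the thread.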