Password Hashing
Message
From
21/07/2016 14:59:26
To
21/07/2016 14:38:46
General information
Forum:
ASP.NET
Category:
Code, syntax and commands
Environment versions
Environment:
C# 4.0
Database:
MS SQL Server
Application:
Web
Miscellaneous
Thread ID:
01638543
Message ID:
01638544
Views:
62
>Hi,
>
>I'm making my first foray into trying to store hashed passwords instead of the actual password for user access.
>
>I've created a user table in SQL Server and have a column called PasswordHash of type varbinary(50).
>
>I tried to read it out like this:
>
>
>byte[] storedHash = null;
>storedHash = (byte)cmd.ExecuteScalar();
>
>but I'm not sure what type it comes back as if the SQL data type is varbinary(50), or how to convert it properly.
>
>Here's the full C# code:
>
>
>        private bool ValidateUser(string userName, string passWord)
>        {
>            SqlConnection conn;
>            SqlCommand cmd;
>            byte[] storedHash = null;
>
>            // convert string to stream
>            byte[] byteArray = Encoding.UTF8.GetBytes(passWord);
>            MemoryStream stream = new MemoryStream(byteArray);
>
>            var sha1 = new SHA1CryptoServiceProvider();
>            byte[] hashedPassword = sha1.ComputeHash(stream);
>
>            // Check for invalid userName.
>            // userName must not be null and must be between 1 and 15 characters.
>            if ((null == userName) || (0 == userName.Length) || (userName.Length > 15))
>            {
>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
>                return false;
>            }
>
>            // Check for invalid passWord.
>            // passWord must not be null and must be between 1 and 25 characters.
>            if ((null == passWord) || (0 == passWord.Length) || (passWord.Length > 25))
>            {
>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
>                return false;
>            }
>
>            try
>            {
>                // Consult with your SQL Server administrator for an appropriate connection
>                // string to use to connect to your local SQL Server.
>                conn = new SqlConnection(ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString);
>                conn.Open();
>
>                // Create SqlCommand to select pwd field from users table given supplied userName.
>                cmd = new SqlCommand("Select usr_passwordhash from users where loginid=@userName", conn);
>                cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25);
>                cmd.Parameters["@userName"].Value = userName;
>
>                storedHash = (Byte)cmd.ExecuteScalar();
>
>                // Cleanup command and connection objects.
>                cmd.Dispose();
>                conn.Dispose();
>            }
>            catch (Exception ex)
>            {
>                // Add error handling here for debugging.
>                // This error message should not be sent back to the caller.
>                System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
>            }
>
>            // If no password found, return false.
>            if (null == storedHash)
>            {
>                // You could write failed login attempts here to event log for additional security.
>                return false;
>            }
>
>            // Compare lookupPassword and input passWord, using a case-sensitive comparison.
>            return (storedHash.SequenceEqual(hashedPassword));
>
>        }
>
It looks like this should do the trick:
storedHash = (byte[])cmd.ExecuteScalar();
Frank.

Frank Cazabon
Samaan Systems Ltd.
www.samaansystems.com
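As an added example (not Frank's code and not the original poster's), the following shows the byte[] cast from the reply in context: it handles the two non-value results ExecuteScalar can return for a varbinary column (null when no row matches, DBNull.Value when the cell is NULL), compares the hashes in constant time, and stores a per-user random salt with a PBKDF2 key instead of the unsalted SHA-1 digest in the quoted code. The table and column names (users, loginid, usr_passwordhash) and the connection-string name DocsTSConnectionString are taken from the question; the 16-byte-salt plus 32-byte-key layout and the iteration count are assumptions of this example.

```csharp
// Added example, not from the original thread. Targets .NET 4.0 / C# 4.0 as in the question.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordStore
{
    // Assumed stored layout: 16-byte random salt followed by a 32-byte PBKDF2-HMAC-SHA1 key.
    // 48 bytes in total, which fits the varbinary(50) column from the question.
    private const int SaltSize = 16;
    private const int KeySize = 32;
    private const int Iterations = 10000; // assumed; raise as hardware allows

    // Reads the stored hash for a login. Returns null when the user does not exist
    // or the column is NULL, so the caller can treat both as "no password on file".
    public static byte[] LoadStoredHash(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT usr_passwordhash FROM users WHERE loginid = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();

            // A varbinary value comes back boxed as byte[], so the cast is to byte[], not byte.
            if (result == null || result == DBNull.Value)
                return null;
            return (byte[])result;
        }
    }

    // Builds the value to store for a new or changed password: random salt + PBKDF2 key.
    public static byte[] CreateStoredHash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);

        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] key = kdf.GetBytes(KeySize);
            var stored = new byte[SaltSize + KeySize];
            Buffer.BlockCopy(salt, 0, stored, 0, SaltSize);
            Buffer.BlockCopy(key, 0, stored, SaltSize, KeySize);
            return stored;
        }
    }

    // Re-derives the key from the stored salt and compares it to the stored key.
    public static bool VerifyPassword(string password, byte[] stored)
    {
        if (stored == null || stored.Length != SaltSize + KeySize)
            return false;

        var salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        var expected = new byte[KeySize];
        Buffer.BlockCopy(stored, SaltSize, expected, 0, KeySize);

        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            byte[] key = kdf.GetBytes(KeySize);
            return FixedTimeEquals(key, expected);
        }
    }

    // Constant-time comparison: SequenceEqual stops at the first differing byte,
    // which leaks how much of the hash matched through timing.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null)
            return false;
        int diff = a.Length ^ b.Length;
        int n = Math.Min(a.Length, b.Length);
        for (int i = 0; i < n; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Same contract as the question's ValidateUser: input checks first, then lookup and verify.
    public static bool ValidateUser(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || userName.Length > 15)
            return false;
        if (string.IsNullOrEmpty(password) || password.Length > 25)
            return false;
        return VerifyPassword(password, LoadStoredHash(userName));
    }
}
```

When a user's password is set, store the result of CreateStoredHash in usr_passwordhash; at login, ValidateUser reads it back with the byte[] cast and verifies it. Because the salt is part of the stored value, two users with the same password get different column values, and a leaked table cannot be attacked with a single precomputed SHA-1 list.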