// ExecuteScalar() returns the first column of the first row as object: null when no row
// matched, DBNull.Value when the stored hash column itself is NULL. The byte[] cast passes
// a null through untouched but throws InvalidCastException on DBNull, so the caller needs a
// null/DBNull check before whatever comparison of storedHash presumably follows.
storedHash = (byte[])cmd.ExecuteScalar();
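Yes that would do. However, you could simply do the comparison on SQL server side too. ie:

/// <summary>
/// Checks whether <paramref name="userName"/> exists in the users table with a stored
/// password hash equal to the SHA-1 digest of <paramref name="passWord"/>. The comparison
/// runs on the SQL Server side, so only a single yes/no bit crosses the wire and the stored
/// hash never leaves the database.
/// </summary>
/// <param name="userName">Login id; must be 1–15 characters.</param>
/// <param name="passWord">Clear-text password; must be 1–25 characters.</param>
/// <returns>
/// <c>true</c> only when a matching row exists. Every failure path — invalid input,
/// connection or query error — yields <c>false</c> (fail closed); the exception detail is
/// traced locally and never returned to the caller.
/// </returns>
private bool ValidateUser(string userName, string passWord)
{
    // Check for invalid userName.
    // userName must not be null and must be between 1 and 15 characters.
    if (string.IsNullOrEmpty(userName) || userName.Length > 15)
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
        return false;
    }

    // Check for invalid passWord.
    // passWord must not be null and must be between 1 and 25 characters.
    if (string.IsNullOrEmpty(passWord) || passWord.Length > 25)
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
        return false;
    }

    byte[] hashedPassword = HashPassword(passWord);
    bool userExists = false;

    try
    {
        // Consult with your SQL Server administrator for an appropriate connection
        // string to use to connect to your local SQL Server.
        string connectionString = ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString;

        // Ask the server whether a row with this login id AND this hash exists. The CASE
        // expression always produces exactly one row holding one bit, so ExecuteScalar()
        // never returns null here. Both SqlConnection and SqlCommand are disposed by the
        // using blocks (the original never disposed the command).
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(@"Select cast( case when exists (select * from users where loginid=@userName and usr_passwordhash=@hashedPwd) then 1 else 0 end as bit)", conn))
        {
            // Parameterized: userName is never spliced into the SQL text.
            cmd.Parameters.AddWithValue("@userName", userName);
            cmd.Parameters.AddWithValue("@hashedPwd", hashedPassword);
            conn.Open();
            userExists = (bool)cmd.ExecuteScalar();
        }
    }
    catch (Exception ex)
    {
        // Add error handling here for debugging.
        // This error message should not be sent back to the caller.
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
    }

    return userExists;
}

/// <summary>
/// Computes the digest compared against <c>usr_passwordhash</c>: SHA-1 over the UTF-8 bytes
/// of the password, with no salt and no work factor. This is kept only because it must match
/// the hashes already stored in the column; unsalted SHA-1 is not an acceptable password hash,
/// and the column should be migrated to a salted, slow KDF (e.g. PBKDF2) when possible.
/// </summary>
/// <param name="passWord">Clear-text password, already length-checked by the caller.</param>
/// <returns>The 20-byte SHA-1 digest.</returns>
private static byte[] HashPassword(string passWord)
{
    byte[] passwordBytes = Encoding.UTF8.GetBytes(passWord);

    // SHA1 is IDisposable; the original leaked both the provider and a MemoryStream that
    // was not needed — ComputeHash accepts the byte[] directly.
    using (var sha1 = SHA1.Create())
    {
        return sha1.ComputeHash(passwordBytes);
    }
}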