byte[] storedHash = null; >storedHash = (byte)cmd.ExecuteScalar();>
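/// <summary>
/// Looks up the stored password hash for <paramref name="userName"/> and compares it with the
/// SHA-1 hash of <paramref name="passWord"/>.
/// </summary>
/// <param name="userName">Login id; must be non-null and 1..15 characters.</param>
/// <param name="passWord">Clear-text password; must be non-null and 1..25 characters.</param>
/// <returns>
/// <c>true</c> only when a hash was found for the user and it equals the computed hash;
/// <c>false</c> on invalid input, no matching row, a NULL hash column, or any database error.
/// </returns>
/// <remarks>
/// Failures are written to <see cref="System.Diagnostics.Trace"/> only; no detail about the
/// cause reaches the caller, so the return value does not distinguish an unknown user from a
/// wrong password.
/// NOTE(review): the stored value is compared against an unsalted SHA-1 of the password. That
/// scheme is kept so existing rows keep validating, but it is not an acceptable password store;
/// migrate to a salted, iterated KDF (PBKDF2/Argon2) at the next schema change.
/// </remarks>
private bool ValidateUser(string userName, string passWord)
{
    // Validate both inputs before using them. The original hashed passWord first, so a null
    // passWord threw ArgumentNullException from Encoding.UTF8.GetBytes (outside the try block)
    // instead of reaching the length check and returning false.
    // userName must not be null and must be between 1 and 15 characters.
    if ((null == userName) || (0 == userName.Length) || (userName.Length > 15))
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
        return false;
    }

    // passWord must not be null and must be between 1 and 25 characters.
    if ((null == passWord) || (0 == passWord.Length) || (passWord.Length > 25))
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
        return false;
    }

    // Hash the supplied password the same way the stored value was produced.
    // ComputeHash accepts the byte[] directly, so the intermediate MemoryStream is not needed,
    // and the hash object is disposed (the original leaked it).
    byte[] hashedPassword;
    using (var sha1 = new SHA1CryptoServiceProvider())
    {
        hashedPassword = sha1.ComputeHash(Encoding.UTF8.GetBytes(passWord));
    }

    byte[] storedHash = null;

    try
    {
        // Consult with your SQL Server administrator for an appropriate connection
        // string to use to connect to your local SQL Server.
        // `using` guarantees the connection and command are disposed even when an exception
        // is thrown; the original only disposed them on the success path.
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString))
        using (var cmd = new SqlCommand("Select usr_passwordhash from users where loginid=@userName", conn))
        {
            // Parameterized query: userName is never concatenated into the SQL text.
            cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25);
            cmd.Parameters["@userName"].Value = userName;

            conn.Open();

            // ExecuteScalar returns null when no row matches and DBNull.Value when the column
            // is NULL; neither is a byte[], so `as` yields null for both and the method falls
            // through to the "no password found" branch below. The original `(Byte)` cast did
            // not compile against a byte[] target, and even as `(byte[])` it would have thrown
            // InvalidCastException on DBNull.
            storedHash = cmd.ExecuteScalar() as byte[];
        }
    }
    catch (Exception ex)
    {
        // Add error handling here for debugging.
        // This error message should not be sent back to the caller.
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
    }

    // If no password found, return false.
    if (null == storedHash)
    {
        // You could write failed login attempts here to event log for additional security.
        return false;
    }

    // Compare the hashes in constant time so the comparison's duration does not depend on how
    // many leading bytes match (SequenceEqual stops at the first difference).
    return FixedTimeEquals(storedHash, hashedPassword);
}

/// <summary>
/// Compares two byte arrays without short-circuiting on the first mismatch.
/// Stand-in for <c>CryptographicOperations.FixedTimeEquals</c>, which is not available on the
/// older frameworks that the <c>SHA1CryptoServiceProvider</c> usage in this file targets.
/// </summary>
/// <param name="left">First array; may be null.</param>
/// <param name="right">Second array; may be null.</param>
/// <returns><c>true</c> when both arrays are non-null, the same length and byte-for-byte equal.</returns>
private static bool FixedTimeEquals(byte[] left, byte[] right)
{
    if (left == null || right == null || left.Length != right.Length)
    {
        return false;
    }

    int diff = 0;
    for (int i = 0; i < left.Length; i++)
    {
        // OR-accumulate the XOR of every pair; the loop always runs to the end.
        diff |= left[i] ^ right[i];
    }

    return diff == 0;
}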