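// Stored password digest for the user, or null when no row matched or the column was null.
// ExecuteScalar() returns object: the result must be unboxed as byte[], not byte — a
// '(byte)' cast cannot be assigned to a byte[] and does not compile. 'as byte[]' also maps
// a null or DBNull result to null instead of throwing InvalidCastException.
byte[] storedHash = cmd.ExecuteScalar() as byte[];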
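/// <summary>
/// Validates a login by hashing the supplied password and comparing it with the digest
/// stored for <paramref name="userName"/> in the <c>users</c> table.
/// </summary>
/// <param name="userName">Login id; must be 1 to 15 characters.</param>
/// <param name="passWord">Clear-text password; must be 1 to 25 characters.</param>
/// <returns>
/// <c>true</c> only when a stored digest exists and matches the supplied password;
/// <c>false</c> on input validation failure, unknown user, or any database error (fails closed).
/// </returns>
private bool ValidateUser(string userName, string passWord)
{
    // Validate both inputs before using them. The original hashed passWord first, so a
    // null password threw before its null check was ever reached.
    if (string.IsNullOrEmpty(userName) || userName.Length > 15)
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of userName failed.");
        return false;
    }

    if (string.IsNullOrEmpty(passWord) || passWord.Length > 25)
    {
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Input validation of passWord failed.");
        return false;
    }

    // NOTE: the stored value is an unsalted SHA-1 digest of the UTF-8 password, so the same
    // construction is required here for compatibility. Unsalted SHA-1 is weak for password
    // storage; migrate to a salted, iterated scheme (e.g. PBKDF2) when the schema allows.
    byte[] hashedPassword;
    using (var sha1 = new SHA1CryptoServiceProvider())
    {
        hashedPassword = sha1.ComputeHash(Encoding.UTF8.GetBytes(passWord));
    }

    byte[] storedHash = null;
    try
    {
        // Consult with your SQL Server administrator for an appropriate connection
        // string to use to connect to your local SQL Server.
        string connectionString =
            ConfigurationManager.ConnectionStrings["DocsTSConnectionString"].ConnectionString;

        // using-blocks release the connection and command even when Open/ExecuteScalar
        // throws; the original only disposed them on the success path.
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("Select usr_passwordhash from users where loginid=@userName", conn))
        {
            // Parameterized query: userName never becomes part of the SQL text.
            cmd.Parameters.Add("@userName", SqlDbType.VarChar, 25).Value = userName;
            conn.Open();

            // ExecuteScalar returns null when no row matches and DBNull when the column is
            // null; 'as byte[]' maps both to null. The original '(Byte)' cast did not compile
            // against a byte[] target.
            storedHash = cmd.ExecuteScalar() as byte[];
        }
    }
    catch (Exception ex)
    {
        // Fail closed: a database error leaves storedHash null and the login is rejected.
        // This error message should not be sent back to the caller.
        System.Diagnostics.Trace.WriteLine("[ValidateUser] Exception " + ex.Message);
    }

    // If no password found, return false.
    if (null == storedHash)
    {
        // You could write failed login attempts here to event log for additional security.
        return false;
    }

    // Length-dependent (not content-dependent) comparison: SequenceEqual short-circuits on
    // the first mismatching byte, which leaks how much of the digest matched via timing.
    return FixedTimeEquals(storedHash, hashedPassword);
}

/// <summary>
/// Compares two byte arrays in time that depends only on their length, not on where they
/// first differ. Returns <c>false</c> when either array is null or the lengths differ.
/// </summary>
/// <param name="a">First array.</param>
/// <param name="b">Second array.</param>
/// <returns><c>true</c> when both arrays are non-null and byte-for-byte equal.</returns>
private static bool FixedTimeEquals(byte[] a, byte[] b)
{
    if (a == null || b == null || a.Length != b.Length)
    {
        return false;
    }

    // Accumulate every XOR so the loop always runs to completion.
    int diff = 0;
    for (int i = 0; i < a.Length; i++)
    {
        diff |= a[i] ^ b[i];
    }

    return diff == 0;
}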