
I am attempting to make a simple sign-on portion of an app I am creating. To confirm sign in, I am just attempting to make sure that the hash value of the password entered matches that which is stored in my local database: App_Users.

ButtonClick:

        string AppUsername = textBox2.Text.ToString();
        string AppPassword = textBox1.Text.ToString();
        //- Hashed-V-
        byte[] salt;
        new RNGCryptoServiceProvider().GetBytes(salt = new byte[16]);
        var pbkdf2 = new Rfc2898DeriveBytes(AppPassword, salt, 10000);
        byte[] hash = pbkdf2.GetBytes(20);
        byte[] hashBytes = new byte[36];
        Array.Copy(salt, 0, hashBytes, 0, 16);
        Array.Copy(hash, 0, hashBytes, 16, 20);
        // see https://stackoverflow.com/questions/4181198/how-to-hash-a-password for the part on comparing the recalculated
        string savedPasswordHash = Convert.ToBase64String(hashBytes);
        //-
        SqlConnection con = new SqlConnection();
        con.ConnectionString = "Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True";
        con.Open();

        var cmd = new SqlCommand(@"SELECT Username, Hash FROM App_Users WHERE (Hash = @Hash)");
        cmd.Connection = con;
        savedPasswordHash = cmd.ExecuteScalar() as string;

        if (cmd.ExecuteNonQuery() > 0) {
            MessageBox.Show(" Query successful..something matched..  ");
            //change page.. load a profile?
        }

However, I am getting the error:

 'Must declare the scalar variable "@Hash".'

I've searched around but I'm not sure what the next step for exactly what I am trying to do is. Sorry, this is probably a bad question, SQL-wise. I think it has something to do with an adapter?

Jponder23

if you use parameters, you actually have to add them! See https://learn.microsoft.com/en-us/dotnet/framework/data/adonet/commands-and-parameters – Mitch Wheat Dec 15 '18 at 04:55

1 Answer

You didn't pass a value for the @Hash parameter in the query. And you should also check for the user name in the query or else the login attempt is successful if any login uses the given password.

Try something like:

...
// requires: using System.Data; using System.Data.SqlClient;
var cmd = new SqlCommand(@"SELECT Username, Hash FROM App_Users WHERE Hash = @Hash AND Username = @Username");
cmd.Connection = con;
cmd.Parameters.Add("@Hash", SqlDbType.VarChar, 48).Value = savedPasswordHash;
cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 32).Value = AppUsername;

// ExecuteNonQuery returns -1 for a SELECT, so use a reader to test whether a row matched
using (var reader = cmd.ExecuteReader()) {
    if (reader.HasRows) {
...

This assumes that App_Users.Hash is a VARCHAR(48) and App_Users.Username an NVARCHAR(32). You may need to change it to match the data types you're actually using.

sticky bit

Definitely my mistake >.< Thank you! It's no longer throwing any errors. It's still not showing the MessageBox though. Is there any other trick to confirm it's working? (besides ExecuteNonQuery) – Jponder23 Dec 15 '18 at 07:31
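An added example, not code from the question or the answer, showing why the login in the question never matches even once the parameter is supplied. The question's code generates a fresh random salt on every button click, so the Base64 string it computes at login differs from the one stored at registration; a password check has to look the user up by name, split the stored salt from the stored hash, and re-derive the PBKDF2 value with that stored salt. The column names and types (Username NVARCHAR(32), Hash VARCHAR(48) holding Base64 of a 16-byte salt followed by a 20-byte hash) are assumed from the answer's snippet; the connection string is whatever the application uses.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (not from the question or answer). Assumes App_Users has columns
// Username NVARCHAR(32) and Hash VARCHAR(48) storing Base64(16-byte salt || 20-byte PBKDF2 hash),
// which is the layout the question's hashing code produces.
public static class PasswordLogin
{
    const int SaltSize = 16;
    const int HashSize = 20;
    const int Iterations = 10000;

    // Registration: derive a fresh salt and hash and return the string to store (same layout as the question).
    public static string CreateStoredHash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        byte[] hash;
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = pbkdf2.GetBytes(HashSize);
        byte[] combined = new byte[SaltSize + HashSize];
        Array.Copy(salt, 0, combined, 0, SaltSize);
        Array.Copy(hash, 0, combined, SaltSize, HashSize);
        return Convert.ToBase64String(combined);
    }

    // Verification: re-derive with the salt stored in the record, never with a newly generated one.
    public static bool Verify(string password, string storedHash)
    {
        byte[] combined = Convert.FromBase64String(storedHash);
        if (combined.Length != SaltSize + HashSize) return false;   // malformed record
        byte[] salt = new byte[SaltSize];
        Array.Copy(combined, 0, salt, 0, SaltSize);
        byte[] expected = new byte[HashSize];
        Array.Copy(combined, SaltSize, expected, 0, HashSize);
        byte[] actual;
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations))
            actual = pbkdf2.GetBytes(HashSize);
        // Constant-time comparison: the loop runs over all bytes regardless of where a mismatch occurs.
        int diff = 0;
        for (int i = 0; i < HashSize; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // Login: query by user name only (parameterized), then verify the password in application code.
    public static bool TryLogin(string connectionString, string username, string password)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Hash FROM App_Users WHERE Username = @Username", con))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 32).Value = username;
            con.Open();
            // ExecuteScalar returns the first column of the first row, or null when no row matched.
            string storedHash = cmd.ExecuteScalar() as string;
            if (storedHash == null) return false;   // unknown user; do not reveal which part failed
            return Verify(password, storedHash);
        }
    }
}
```

In the button handler this reduces to `if (PasswordLogin.TryLogin(connectionString, textBox2.Text, textBox1.Text)) { MessageBox.Show("..."); }`. Querying `WHERE Hash = @Hash` cannot work with per-user random salts, and it would also be unsafe if it did, because any account sharing the password would satisfy the match; looking up by user name and comparing in code avoids both problems.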