How to authenticate login with a pre-hashed mysql password in C#?

Question

So, in my mysql database, I have a whole table for users which contains hashed (with the PASSWORD() mysql function) passwords. In C#, I made a program that can insert new records into the database and display existing ones.

Now I'm at the stage when I want to make a login, which checks if the entered data (username and password) equal to the ones that are in the users table. (The users table contains id, username, password columns.)

What I tried so far:

In my class that is for database operations: (The c.conn, c.open(), c.close() are just functions defined by me in a class called Connect.)

public bool logIn(string usrName, string pswd)
        {
            bool success = false;
            string dbusrname; string dbpswd;
            c.open();
            string hashedEnteredPswd = "PASSWORD(@password);";
            cmd = new MySqlCommand(hashedEnteredPswd, c.conn);
            cmd.Parameters.AddWithValue("@password", pswd);
            cmd.ExecuteNonQuery();
            c.close();
            query = "SELECT * FROM admins;";
            c.open();
            cmd = new MySqlCommand(query, c.conn);
            var reader=cmd.ExecuteReader();
            while (reader.Read())
            {
                dbusrname = reader["users"].ToString();
                dbpswd = reader["password"].ToString();
                if (dbusrname == usrName && dbpswd == hashedEnteredPswd)
                {
                    success = true;
                }
                else
                {
                    success = false;
                }
            }
            c.close();
            return success;
        }

In the code of my form:

        private void Container_Load(object sender, EventArgs e)
        {
            c.open();
            clearPanels();
            panelLogIn.Visible = true;
        }

        private void buttonLogIn_Click(object sender, EventArgs e)
        {
            if (dbops.logIn(textBoxUID.Text, textBoxPSWD.Text))
            {
                clearPanels();
                panelMain.Visible = true;
            }
        }

In my misery, I tried hashing the entered password with a mysql function in C#(I know, I know...)

Ofc when If I run this, I get the following exception: MySql.Data.MySqlClient.MySqlException: 'PROCEDURE test.PASSWORD does not exist' which is expected and I understand why it doesn't work.

But then, how should do this correctly? How on earth do I make it work?

Answer 1

By your code, you check each user in the database and compare it. That's not efficient.

The "SQL way" to do that is querying exactly what you need.

string query = "SELECT user FROM admins WHERE username = " + username + " AND password = " + password;

(Note that this solution is not safe againts SQL injections and not elegent, Learn more about adding parameters)

Regarding your error, You have tried to hash using PASSWORD function that has been deprecated for version > 5.7.5. Here are some other ways to hash your passwords.

Answer 2

There are mentions (though nothing official), that mysql Password function does the following

"*" + SHA1(SHA1(pass)) 

This is not to be relied upon.

You could try the following though (it's not advised, but it might solve your problem).

// remove the previous commands 
query = "SELECT * FROM admins Where password = PASSWORD(@password);

Then create the parameter for the query.

Best way to do it though, would be to hash it yourself with a modern hashing algorithm before inserting it into the database, and rehash it before checking it. Ignore the password function altogether.