|
thank you Alan
Thanks
Rahul Vairagi
-----------------------------------
www.sqlserver2005forum.blogspot.com
|
|
|
|
|
Development Environment:
Microsoft Visual Studio 2010 Ultimate,
C#,
MySql
Hi, I've created a function in MySQL which accepts 3 parameters to validate the username and password.
DELIMITER $$
USE `generalledger`$$
DROP FUNCTION IF EXISTS `fLogin_Check`$$
CREATE DEFINER=`root`@`localhost`
FUNCTION `fLogin_Check`
    (mUserName VARCHAR(50), mUserPass VARCHAR(40), mUserKey VARCHAR(40)) RETURNS INT
BEGIN
    DECLARE mCount INT;
    SELECT COUNT(*) INTO mCount FROM userMaster
    WHERE userName = mUserName
      AND AES_DECRYPT(userPass, mUserKey) = UPPER(mUserPass);
    IF mCount > 0 THEN
        RETURN 1;
    ELSE
        RETURN 0;
    END IF;
END$$
DELIMITER ;
As you can see, I am using the AES_DECRYPT function of MySQL to check the password, because I used AES_ENCRYPT for the password when inserting the username and password into the MySQL table.
Now I need to call the function fLogin_Check in C#, which I am doing by using the following class method:
    public int CheckUser(string mUserName, string mPass, string mKey)
    {
        oCn = da.GetConnection();
        int res;
        if (oCn == null)
        {
            oCn.Open();
        }
        sInsProcName = "fLogin_Check";
        insertcommand = new MySqlCommand(sInsProcName, oCn);
        insertcommand.CommandType = CommandType.StoredProcedure;
        insertcommand.Parameters.Add(new MySqlParameter("mRes", MySqlDbType.Int32, 0));
        insertcommand.Parameters["mRes"].Direction = ParameterDirection.ReturnValue;
        insertcommand.Parameters.Add("mUserName", MySqlDbType.VarChar, 50, mUserName);
        insertcommand.Parameters.Add("mUserPass", MySqlDbType.VarChar, 40, mPass);
        insertcommand.Parameters.Add("mUserKey", MySqlDbType.VarChar, 40);
        insertcommand.Parameters["mUserKey"].Value = mKey;
        res = insertcommand.ExecuteNonQuery();
        return (res);
        oCn.Close();
    }
oCn is the connection object, obtained by calling the GetConnection method defined in my DAL class, and da is the object created from the DAL class, used for opening and closing the database connection.
Using the following Globals class, I am storing the username and password after the user enters them, and then trying to validate them with the fLogin_Check MySQL function:
    public static class Globals
    {
        public static string userName;
        public static string userPass;
        public const string sKey = "AHMEDFINANCEICMAP1122";
    }
sKey is the key I use to encrypt the password when inserting a username. Now I am trying to use it in C# from the Login Form, when the user enters the Username and Password and clicks the login button, with the following code:
    private void btnCheck_Click(object sender, EventArgs e)
    {
        Globals.userName = txtUser.Text.ToString();
        Globals.userPass = txtPass.Text.ToString();
        if (fUser.CheckUser(Globals.userName, Globals.userPass, Globals.sKey) == 0)
        {
            MessageBox.Show("Invalid Username or Password.");
        }
        else
        {
            MessageBox.Show("Login Successfull");
        }
    }
It always returns 0, meaning a failed login. I've checked the MySQL function in the MySQL GUI and it works fine:
SELECT fLogin_Check("AHMED","AHMED1981","AHMEDFINANCEICMAP1122") FROM userMaster
Which successfully returns 1; however, it fails when called from C#. I've also tried to access the parameter, which I've commented out after the failure... What am I doing wrong?
Please guide..
Ahmed
|
|
|
|
|
I do not know why your function fails, but I want to tell you that you use the wrong concept:
Passwords have to be salted and hashed, not encrypted!
|
|
|
|
|
Thanks for your reply...
I've found lots of suggestions that encrypting the password is far better than the salted and hashed method... But for now that is not the matter; I am looking for a solution for the MySQL function not working in C#. Any ideas/suggestions for that?
|
|
|
|
|
ahmed_one wrote: I've found lots of suggestions that encrypting the password is far better than the salted and hashed method
Where? The consensus from every decent security expert is that salted hashed passwords are far superior to encrypted passwords.
Even if the encryption key isn't compromised, encryption tends to produce the same output given the same input, which can make it trivial to compromise a large number of users' passwords. For example: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
ahmed_one wrote: I've found lots of suggestions that encrypting the password is far better than the salted and hashed method
Anyone who understands the difference can point out that this is incorrect.
If you store my password (encrypted), then YOU (and your boss, and everyone else in your company, and all subcontractors, and the cleaning-lady when you're AFK) will be able to decrypt the password. Next to having access to all the data you're supposed to secure, there's a huge chance that the user recycled one of his old passwords. Enough databases leaked with encrypted passwords to give us a nice and huge dictionary.
Salt and hash, or omit the password entirely; the only thing worse than no security is a FALSE sense of security.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
When creating a new user account, the password is encrypted via the AES_ENCRYPT function of MySQL using a secret key which is only known by me.
Let's say user James's account is created with:
Username: James
Password: somesecretword
Now when the password is saved in the MySQL db using AES_ENCRYPT, it becomes something like "$-3+%,%kjunbsnd". Now when the validation procedure is called, it uses the AES_DECRYPT function with the same key only I know, which validates the password along with the username.
My question is how can anyone including the cleaning lady find the actual password without knowing the secret key?
Please do not consider this reply as arguing; I am only a beginner trying to learn from experienced masters like you.
Thanks
Ahmed
|
|
|
|
|
ahmed_one wrote: using a secret key which is only known by me.
Bullshit! It's known by the system because the system needs the key to unencrypt the password. Can you GUARANTEE with YOUR LIFE that your system is unhackable and there is zero chance of anyone else getting that key?? If you answer yes, quit your job right now because you're lying to everyone, but even worse, you're lying to yourself.
ahmed_one wrote: Now when the password is saved in the MySQL db using AES_ENCRYPT, it becomes something like "$-3+%,%kjunbsnd". Now when the validation procedure is called, it uses the AES_DECRYPT function with the same key only I know, which validates the password along with the username.
This is completely INSECURE! The best security systems do NOT compare a typed password against a decrypted password. They compare a hashed password against the hash in the database. No decryption necessary and the passwords are never "out in the open" in decrypted form.
YOU ARE HELL BENT ON DOING THIS THE WRONG WAY! DON'T DO IT!
|
|
|
|
|
ahmed_one wrote: which is only known by me.
That's the problem. You should not have access to other people's passwords, end of story.
ahmed_one wrote: I am only a beginner trying to learn from experienced masters like you.
If you did, you'd be asking for explanation on the salt.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
ahmed_one wrote: I've found lots of suggestions that encrypting the password is far better than the salted and hashed method
Really? I'd be willing to bet every single one of those "suggestions" was written by a security moron. The problem with encrypting a password is that it can be unencrypted and therefore broken. A salted and hashed password cannot be reversed to get the original string, making it FAR more secure.
|
|
|
|
|
Just to answer your question: ExecuteNonQuery() returns the number of rows affected, which is zero! Try using ExecuteScalar()!
Shujaat
|
|
|
|
|
I am reading a file and extracting a string
AB01AN728930JJ7YI8
VD036583AH84000002
In this string we have different sections, like AB, 01, AN728930, JJ7YI8 in one line; the second line has VD, 036583, AH84, 000002.
Now there will be predefined lines and predefined sections in the string, and each section will have some common validation like length, data type etc.
What is the best way of processing the validation on each character set?
|
|
|
|
|
Try regex: The 30 Minute Regex Tutorial
This tutorial will take you more than 30 minutes to read and understand if you are a first-timer.
Formulate the regex patterns according to your respective validation rules.
|
|
|
|
|
How to read characters from a particular position to a particular position in regex?
|
|
|
|
|
You don't. RegEx uses patterns to match against, not positions.
If you know the specific positions, then you can just use the Substring method of the String class to get it. Start at this position and return x number of characters.
|
|
|
|
|
How many variants are there on the split up of the string ? - you show two, ie,
If String Starts With 'AB', then Format is AB, XX, YYYYYYYY, ZZZZZZ
If String Starts With 'VD', then Format is VD, XXXXXX, YYYY, ZZZZZZ
Before you go reaching for Regex, I'd almost be suggesting that you look at Recursive Descent Parsing, or a parser based on a Grammar, using ANTLR perhaps - this would allow you to have rules and validation built in.
'g'
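
The position-based approach from the replies above (Substring on known offsets rather than regex), as an added example that is not code from any poster: a table-driven validator for the two layouts shown in the thread. The field widths come from the thread; the class name RecordValidator, the field names and the character class allowed in each field are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class RecordValidator   // hypothetical name, added example
{
    private sealed class Field
    {
        public readonly string Name; public readonly int Length; public readonly Func<char, bool> Allowed;
        public Field(string name, int length, Func<char, bool> allowed)
        { Name = name; Length = length; Allowed = allowed; }
    }

    // Explicit ASCII ranges: char.IsDigit and char.IsLetter also accept non-ASCII characters.
    private static bool Digit(char c) { return c >= '0' && c <= '9'; }
    private static bool UpperAlnum(char c) { return Digit(c) || (c >= 'A' && c <= 'Z'); }

    // Widths follow the two layouts in the thread; names and character classes are assumed.
    private static readonly Dictionary<string, Field[]> Layouts = new Dictionary<string, Field[]>
    {
        { "AB", new[] { new Field("x", 2, Digit), new Field("y", 8, UpperAlnum), new Field("z", 6, UpperAlnum) } },
        { "VD", new[] { new Field("x", 6, Digit), new Field("y", 4, UpperAlnum), new Field("z", 6, Digit) } },
    };

    // Returns the fields by name, or throws FormatException naming the first problem found.
    public static Dictionary<string, string> Parse(string line)
    {
        if (line == null || line.Length < 2) throw new FormatException("line too short");
        Field[] layout;
        if (!Layouts.TryGetValue(line.Substring(0, 2), out layout))
            throw new FormatException("unknown record type");
        if (line.Length != 2 + layout.Sum(f => f.Length))
            throw new FormatException("wrong total length");
        var fields = new Dictionary<string, string>();
        int pos = 2;
        foreach (Field f in layout)
        {
            string value = line.Substring(pos, f.Length);
            if (!value.All(f.Allowed))
                throw new FormatException("invalid character in field " + f.Name + " at offset " + pos);
            fields[f.Name] = value;
            pos += f.Length;
        }
        return fields;
    }

    public static void Main()
    {
        // First two lines are from the thread; the third is constructed to fail.
        foreach (string line in new[] { "AB01AN728930JJ7YI8", "VD036583AH84000002", "VD03658XAH84000002" })
        {
            try { Console.WriteLine(line + " -> " + string.Join(",", Parse(line).Values)); }
            catch (FormatException ex) { Console.WriteLine(line + " -> rejected: " + ex.Message); }
        }
    }
}
```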
|
|
|
|
|
How to split all Hindi Unicode characters?
    StringBuilder sb = new StringBuilder();
    string[] data = textBox1.Text.Split(new char[] { ' ' });
    foreach (string s in data)
    {
        Regex ex = new Regex(@"(\w|\d)", RegexOptions.CultureInvariant);
        MatchCollection col = ex.Matches(s);
        foreach (Match mat in col)
        {
            // string d = Worddictonary[mat.ToString()];
            sb.Append(mat.ToString());
            sb.Append("\n");
        }
    }
For the input मोहनदास I am getting the output as
म ह न द स
The desired output is
म ो ह न द ा स
Can anyone please help to split a Unicode Hindi string? It's very urgent.
Thanks in advance..
|
|
|
|
|
Unfortunately the 'normal' rules for string splitting often do not work for non-Latin languages. You will have to write your own parser that recognises the different characters.
Veni, vidi, abiit domum
|
|
|
|
|
string[position] returns the character at the given position. I just tested it with your example text, and it worked correctly:
    private void button1_Click(object sender, EventArgs e)
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < textBox1.Text.Length; i++)
        {
            char indianChar = textBox1.Text[i];
            sb.Append(indianChar);
            sb.Append(" ");
        }
        MessageBox.Show(sb.ToString());
    }
|
|
|
|
|
I am working on a touch surface, I need to create two desktops on a single surface running on a single Operating System (Windows 7), so that two users can simultaneously use them. Please guide me where to start and provide related links.
|
|
|
|
|
Saad.0071 wrote: Please guide me where to start and provide related links.
Google and MSDN would be the logical choice.
Veni, vidi, abiit domum
|
|
|
|
|
Only a single desktop can be shown at a time. That's a technical limitation in Windows.
You could show two remote desktops on a single screen.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
Do I understand that correctly:
- there is only one computer.
- that computer runs Windows 7
- there are two monitors attached to this computer.
- there are two users, each of them uses one of the monitors
The limitation of Windows 7 is that only one user can have an interactive session at a time. Hence, from the point of view of Windows, there is only one user in your scenario (i.e. both of your users work in the same session, with the same Windows account).
All user interface elements run in the UI thread of the program instance - a real multitasking is not possible with the user interface. You could circumvent that by starting two instances of your program. Each instance would communicate with a "server" (a Windows Service) which provides the back-end for your UI applications and which may run on the same computer.
|
|
|
|
|
Hi
Leslie Sanford created a midi toolkit:
http://www.codeproject.com/Articles/6228/C-MIDI-Toolkit
I have a question:
How can we store (for example, in a text file) the MIDI converted to a frequency list and duration?
thanks
|
|
|
|
|
If you have a question about an article, use the forum at the bottom of the article:
C# MIDI Toolkit : Comments & Discussions
The author of the article will be the person most likely to be able to answer your question.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|