As previously stated, your code is rife with an SQL Injection Vulnerability.
NEVER EVER string together an SQL command with user input; you should always use Parameters to add user content to a command. This also has the benefit that the SQL Data Provider will set the types (INT, VARCHAR, DATE) automatically based on the content being provided (as long as it is not NULL).
The way I would write the code out would be to follow this order of operations:
1. SQL Command to retrieve the Password based on the UserName.
2. Execute Scalar the command; if nothing is returned, the UserName was not found.
3. Use whatever Hash function was applied to the saved password on the return.
4. Compare the hashed version of the password attempt to what was saved in the DB.
This is the basic structure of what this would look like. You will need to adjust the code accordingly for your table structure and functions (sorry, I do not have the time to research what you have in use, and this keyboard is bad, so I have omitted some characters/brackets).
SqlCommand cmd = new SqlCommand("SELECT PasswordHash FROM AccountTable WHERE UserName = @UserName", conn);
cmd.Parameters.AddWithValue("@UserName", TextBox1.Text);
conn.Open();
var SqlReturn = cmd.ExecuteScalar();
if (SqlReturn == null) { /* UserName was not found */ }
else
{
    string PasswordAttempt = HashFunctionName(TextBox2.Text);
    if (PasswordAttempt != SqlReturn.ToString()) { /* hashed attempt does not match the stored hash */ }
    else { /* login succeeded */ }
}
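The four-step check above, written out as a runnable added example (not the answer's own code). It assumes Python's sqlite3 with `?` placeholders in place of SqlCommand/@UserName, a constructed in-memory AccountTable, and salted PBKDF2 standing in for HashFunctionName; the concatenation helper at the end shows the pattern the answer warns against failing on a username that merely contains a quote.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample store: stored value is "salt:hash" with
# hash = PBKDF2-HMAC-SHA256(password, salt). ITERATIONS is an assumed setting.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> str:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + ":" + digest.hex()

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AccountTable (UserName TEXT PRIMARY KEY, PasswordHash TEXT)")
    # constructed accounts; note the second username contains a quote
    for user, pw in (("alice", "correct horse"), ("o'brien", "hunter2")):
        conn.execute("INSERT INTO AccountTable VALUES (?, ?)",
                     (user, hash_password(pw, os.urandom(16))))
    return conn

def verify_login(conn: sqlite3.Connection, username: str, password_attempt: str) -> bool:
    # Steps 1 and 2: parameterised lookup. The ? placeholder means the username is
    # bound as data, never spliced into the SQL text, so quotes in it cannot
    # change the statement.
    row = conn.execute(
        "SELECT PasswordHash FROM AccountTable WHERE UserName = ?", (username,)
    ).fetchone()
    if row is None:
        return False  # UserName was not found
    stored = row[0]
    salt = bytes.fromhex(stored.split(":")[0])
    # Step 3: apply the same hash function (with the stored salt) to the attempt
    attempt = hash_password(password_attempt, salt)
    # Step 4: compare against the saved value in constant time
    return hmac.compare_digest(attempt, stored)

def lookup_by_concatenation(conn: sqlite3.Connection, username: str):
    # The pattern the answer says never to use: user input glued into the SQL.
    # A username such as o'brien breaks the statement; the DB raises an error.
    sql = "SELECT PasswordHash FROM AccountTable WHERE UserName = '" + username + "'"
    return conn.execute(sql).fetchone()
```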