User Inputs word in password and converts into asterisk into database table (C# Web Forms Asp.Net)

Time:05-03

We are doing a food ordering system and my task is to make the sign up and sign in page. My question is, I want the inputted password by the user, which is a word, to be an asterisk when it is inserted into the database table, like, my password is foodrder and it will be converted to ******** into the database column for password. Also, after the first one is solved, is how to login using the password as word not asterisk by comparing the username and password as a word in the database table, since the password in the database is written as asterisk (AFTER THE FIRST PROBLEM IS SOLVED). Oh last one, how to validate a gmail? If the gmail exists or not?

CodePudding user response:

I want the inputted password by the user which is a word to be an asterisk when it is inserted into the database table,

It does not work that way. Besides, none of your users will ever see or directly edit or have use of that data table, so at the end of the day, it doesn't matter.

As others pointed out, as a general rule, we don't store passwords in plain text.

But your decision to do this does NOT matter in regards to the showing of "****" in the password text box - they are SEPARATE issues and goals.

Given the above? Then your question is really this:

How can I query a database for an invoice number?

Or how can I query a database for email and password entered?

So, this now is a simple database query issue. The issue of storing the user passwords in plain text or not is ZERO affected by you deciding to display "****" in the password text box.

So, either you adopt some software to encrypt the password, or you do not. But, that "encrypted" password ALSO will not show as "*****" in the database, but will be stored as plain text - just not meaning much of anything.

So, if you look at the database, you will NOT see "****", but simply some funny mixed up text - text that will not work if entered for that password.

At that point, you would then (hopefully) run the inputted plain Jane password string through some encryption routine, and then THAT is the value you will query against in your "users" database.

But, at no time if you were to look at the columns in the database for the passwords, you will NOT see "****", but in fact plain Jane text.

So, if you say type in "foodrder" as the password, then you call your encryption routine, and it might spit out "**&##43kkkkzzz". So that is the string that you store in the database.

So, for now, you can continue to write and setup this learning system - and you can store the passwords in plain text. You don't mention if you are supposed to use a particular encryption routine provided for you, or are you to setup one of your choosing? Given this is such a huge topic - encryption and security - that would be a 2 or 3 year course ALONE ON THIS ONE subject?

Then it seems to me your teacher is a drunken unemployed rodeo clown to not have addressed this issue for you.

In other words, what encryption routines to be used cannot POSSIBLY just be left up to the students on this matter. I suggest your teacher thus go get a job in the fast food industry, or maybe take up a course at some truck driving school.

Remember, the point here is that the encryption issue could not possibly have just been left up in the air by the teacher. This issue is either stated by the teacher that you don't have to worry about this issue, or YOU WILL BE GIVEN a pre-made routine or library that you are supposed to use here.

In fact, either the teacher says for this assignment that plain text storage of passwords is ok, or it is not. (It is this issue being left out that I have a huge problem with - it is not possible nor practical that the teacher left this issue out - it is just not.)

As a result, the teacher would have been dropped on a cement floor too many times, and has suffered some form of brain damage - there is no other logical conclusion a reasonable human being can make here.

Now, it is possible YOU WERE given some choice in regards to what encryption to use - but the fact of this issue not being noted here is the teacher's fault - not yours.

So, the code we need to check/test for the email and password will look like this:

From the web page, we:

Get entered email
Get entered password.

Run password through encryption routine.

Now, query database with email and encrypted password for a match.

And as I stated, this means your question REALLY is how can I query a database for email, an invoice number, or how about an email and password?

So, our markup might look like this:

<div style="width:25%;text-align:right;border:solid;padding:25px">
    Enter your user name: 
    <asp:TextBox ID="txtUser" runat="server" Width="232px"></asp:TextBox>
    <br />
    <br />
    Enter your password:
    <asp:TextBox ID="txtPassword" runat="server" Width="232"
        TextMode="Password" > </asp:TextBox>
    <br />
    <asp:Label ID="lblMsg" runat="server" Text=""></asp:Label>
    <br />
    <br />
    <asp:Button ID="cmdLogin" runat="server" Text="Login" 
        CssClass="btn" OnClick="cmdLogin_Click" />
</div>

And we now have this:

[Screenshot of the resulting login form]

And now our code behind for the logon button could be this:

    // Requires: using System.Data; using System.Data.SqlClient;
    protected void cmdLogin_Click(object sender, EventArgs e)
    {
        if (txtUser.Text == "")
        {
            // user did not enter name - give message and exit
            lblMsg.Text = "Please enter a user name";
            return;
        }

        if (txtPassword.Text == "")
        {
            // user did not enter password - give message and exit
            lblMsg.Text = "Please enter a password";
            return;
        }

        string passwordtest = "";

        // routine here to encrypt password
        // for now, just use plain text
        passwordtest = txtPassword.Text;

        using (SqlConnection conn = new SqlConnection(Properties.Settings.Default.TEST4))
        {
            string strSQL = "SELECT * FROM tblUsers WHERE UserName = @User AND Password = @Pass";

            using (SqlCommand cmdSQL = new SqlCommand(strSQL, conn))
            {
                // supply the values for the @User and @Pass parameters
                cmdSQL.Parameters.Add("@User", SqlDbType.NVarChar).Value = txtUser.Text;
                cmdSQL.Parameters.Add("@Pass", SqlDbType.NVarChar).Value = passwordtest;

                conn.Open();

                DataTable rstUser = new DataTable();
                rstUser.Load(cmdSQL.ExecuteReader());

                if (rstUser.Rows.Count == 0)
                {
                    // user logon fail, give message
                    lblMsg.Text = "logon or password incorrect - try again";
                }
                else
                {
                    // logon ok!!! - 
                    Response.Redirect("~/Portal/UserWelcome.aspx");
                }
            }
        }
    }

So, we simply query the database of users (tblUsers) in this example.

If a database row is returned, then we jump onto some welcome page, if user or password does not exist, then we set a "message" in the label area.

So "how" to do this is a simple query of the database as per above. The only issue is whether you are to use some kind of encryption for the password part. But during a logon, the user DOES type in their password as plain text - we simply set the text box mode to "password" and that will display "****" for the people looking at the web page, but behind, it is raw plain text as the actual user password typed in.

CodePudding user response:

I found out the solution for my problem recently by using this code and by comparing encrypted password into database to textbox words by using the decrypted pass in the database.

    public string DecryptString(string encrString)
    {
        byte[] b;
        string decrypted;

        try
        {
            // Base64 decoding: reverses EncryptString, no key is involved
            b = Convert.FromBase64String(encrString);
            decrypted = System.Text.ASCIIEncoding.ASCII.GetString(b);
        }
        catch (FormatException)
        {
            // stored value was not valid Base64
            decrypted = " ";
        }
        return decrypted;
    }

    public string EncryptString(string strEncrypted)
    {
        // Base64 encoding of the ASCII bytes of the password
        byte[] b = System.Text.ASCIIEncoding.ASCII.GetBytes(strEncrypted);
        string encrypted = Convert.ToBase64String(b);
        return encrypted;
    }

    // Requires: using System.Data; using System.Data.SqlClient; using System.Net.Mail;
    // status, checkEmail, body and id2 are set elsewhere in the page and are not shown in this post.
    SqlConnection cn = new SqlConnection(@"Your Connection String");
    cn.Open();

    // Read the stored (Base64-encoded) password; the user name is passed as a parameter
    SqlCommand cmd2 = cn.CreateCommand();
    cmd2.CommandType = CommandType.Text;
    cmd2.CommandText = "Select Password from CustomerInfo where Username = @username";
    cmd2.Parameters.AddWithValue("@username", txtLoginU.Text);
    String temp2 = (string)cmd2.ExecuteScalar();
    // ExecuteScalar returns null when no row matches the user name
    string decryption = temp2 == null ? null : DecryptString(temp2);

    try
    {
        using (SqlCommand command = new SqlCommand("SELECT * FROM CustomerInfo where Username =@username", cn)) /* and Password = @password <-- Add if compare username together with password(encrypted) */
        {
            command.Parameters.AddWithValue("@username", txtLoginU.Text);
            //  command.Parameters.AddWithValue("@password", txtLoginP.Text);
            SqlDataReader reader = command.ExecuteReader();
            if (reader.HasRows && status == "unverified" && txtLoginP.Text == decryption)
            {
                string toAdd = checkEmail;

                try
                {
                    // send the verification code by e-mail
                    using (MailMessage mail = new MailMessage())
                    {
                        mail.From = new MailAddress("youremail");
                        mail.To.Add(toAdd);
                        mail.Subject = "Email Verification";
                        mail.Body = "Hello" + body + "," + " This is your verification code:" + id2;
                        mail.IsBodyHtml = true;

                        using (SmtpClient smtp = new SmtpClient("smtp.gmail.com", 587))
                        {
                            smtp.Credentials = new System.Net.NetworkCredential("yourgmail", "password");
                            smtp.EnableSsl = true;
                            smtp.Send(mail);
                            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "swal('Email Sent', 'Email sent successfully', 'success');", true);
                        }
                    }
                }
                catch (Exception ex)
                {
                    ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "swal('Email Not Sent', 'Email sent unsuccessfully', 'warning');", true);
                }
                Session["Verify"] = id2;
                Session["Username"] = toAdd;
                ScriptManager.RegisterStartupScript(this, this.GetType(), "alert", "swal('Verify Account','Verification Code has been sent to your Gmail Account','warning').then((value) => { window.location ='Verify.aspx'; });", true);
            }
            // (remaining branches are not shown in the post)
        }
    }
    finally
    {
        cn.Close();
    }