
I am developing a web application using ASP.NET. In the login page of my application I am checking the given username and password against the values in the database. My username is actually "Admin" and my password is "Password", but if I give "admin" as the username and "password" as the password, it still accepts the username and password.

I want the password to be case sensitive. When I searched the internet I found some points like changing the collation property from CI (case insensitive) to CS (case sensitive). I think this is for the whole database. I don't want to set this for the whole database; I only want to check the username and password.

Is it possible? Can anyone help me here?

I am trying something like:

DataObject.Entities dataEntities = new DataObject.Entities();
// Where() returns a query, never null; FirstOrDefault() returns the matching user or null.
DataObject.Users user = dataEntities.Users.FirstOrDefault(u => u.UserName == UserName && u.Password == Password);

if (user != null)
{
    // link to home page.
}
else
{
    // login failed.
}
shanish
  • I can understand password case-sensitivity, but why for usernames? Also, show us some code. – kba Apr 21 '12 at 17:19
  • Which RDBMS are you using...SQL Server? – Aaron Apr 21 '12 at 17:20
  • Thanks Kristian Antonsen for your response. Case sensitivity for the username is not required, as you said, but I need to check it for the password. Kindly check my updated question. – shanish Apr 21 '12 at 17:25
  • @Shanish Don't blindly use Xander's solution. It isn't secure at all. I suggest you read [How to safely store passwords](http://codahale.com/how-to-safely-store-a-password/) before you move on. – kba Apr 21 '12 at 17:34
  • Thanks Kristian for your kind response, I'll check it. – shanish Apr 21 '12 at 17:50

4 Answers

3

Try using the following:

-- COLLATE applies to a column or expression, not to the table; put it on the password comparison.
select username, password
from users
where username = @UserName
  and password collate SQL_Latin1_General_CP1_CS_AS = @Password

As noted in the comments, you shouldn't store passwords in plain text. Why not use the out-of-the-box SQL Membership Provider?

Alex
  • -1. You're doing him a disservice by not addressing the real issue here - that he's storing his passwords plaintext. – kba Apr 21 '12 at 17:24
  • It isn't my responsibility to teach him how to roll his own membership provider. This answer will perform a case-sensitive query. – Alex Apr 21 '12 at 17:25
  • Nothing is your responsibility, but you're not being helpful at all, you're deceiving him. – kba Apr 21 '12 at 17:27
  • +1 This actually answers the question. The OP might not be at liberty to change the way his database stores passwords. – Andomar Apr 21 '12 at 17:28
  • @Andomar Sometimes the best solution to a problem isn't to solve it, but rather to avoid the problem in the first place. This is one of those cases. – kba Apr 21 '12 at 17:38
  • Thanks Xander and everyone who commented here for your responses. I am not very familiar with SQL and programming. Actually I am getting the passwords from the users; for example, a staff member gives his desired password when he creates an account for himself, and with that password and his staffId he can log in to the application. I don't know how to fix this. – shanish Apr 21 '12 at 17:40
3

Why are you doing this in the database at all? The password should not be in plain text in the database, it should be encrypted for security reasons. Query the password out, then do the decryption and compare it in the app itself...

CodeRedick
  • Decryption? The password should be hashed, **not** encrypted using two-way encryption. If your database gets compromised, your application most likely is as well. – kba Apr 21 '12 at 17:31
  • Check my updated question. How can I encrypt, decrypt or hash the password? – shanish Apr 21 '12 at 17:43
3

It sounds like you're doing something terribly wrong. If you used a decent cryptographic hash function for your passwords, this wouldn't be a problem at all.

When you store your passwords, you should hash them and save the hash to the database - not the actual password.

kba
  • Thanks Kristian. I am not very familiar with SQL and programming, and I don't know what a hash is. Actually I am getting the passwords from the users; for example, a staff member gives his desired password when he creates an account for himself, and with that password and his staffId he can log in to the application. I think I need to look up hash functions. – shanish Apr 21 '12 at 17:36
3

Xander's answer explains how to do a case-insensitive compare.

However, you really shouldn't store plaintext passwords in your database. Instead, store the hash for the password. SQL Server provides the HashBytes function to assist with that:

select HashBytes('SHA1', 'YourPassword');

See this answer for a longer explanation.

Andomar
  • Hashing is the right way to go, but [SHA1 is outdated](http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/). – kba Apr 21 '12 at 17:30