0

I am working on an asp.net web application using VS2010 C#, which involves user registration and login. If the user while logging in, enters his password and attaches any number of white spaces in his password at the end, the application allows him to log in, irrespective of whether the password in the MS SQL SERVER database contains white spaces at the end or not. I want it to validate from the database the exact password user entered in the password field. Example: If in database password is saved as "mypass" and user enters password as "mypass " it allows login, and vice-versa.

I don't want to use trim because it will disallow the user to include white spaces in his password.

My password field is of the type: nvarchar(50)

Please help me with it..!

user3391912
  • 53
  • 1
  • 1
  • 6
  • 5
    You shouldn't store the password. You should hash (and salt) the value – podiluska Mar 12 '14 at 15:41
  • 1
    Trim removes only leading and trailing spaces, so it is fine here. But you are storing the passwords without encryption it's an absolute NO-GO. So: Trim the passwords and encrypt them afterwards (using salt is recommended). EDIT: by encrypting I mean a hash function – Lev Mar 12 '14 at 15:43
  • 3
    Never, ever, EVER store a plaintext password in the database. – khellang Mar 12 '14 at 15:45

2 Answers2

1

If you are storing plain text password in the database, you are doing it wrong.

The database should contain the hash of the password and the salt for this user.

When the user enters his password, you hash it using the users salt and compare it to the database.

nvoigt
  • 75,013
  • 26
  • 93
  • 142
1

As the other guys say, you shouldn't store them in plain text...

In answer to the question though, you can use the DATALENGTH() function to compare the length of the values as well:

DECLARE @pass AS VARCHAR(10) = 'pass '

SELECT (CASE WHEN @pass = 'pass' and DATALENGTH(@pass) = DATALENGTH('pass') 
             THEN 1 
             ELSE 0 
        END) AS IsMatch

This example will return false as the actual lengths of the values do not match although the passwords would otherwise.

Without the function comparing the length of data it would return true.

Note: the LEN() function ignores trailing spaces too so that would not work in place of DATALENGTH(), see here.

MS Quote on the issue:

The ANSI standard requires padding for the character strings used in comparisons so that their lengths match before comparing them. The padding directly affects the semantics of WHERE and HAVING clause predicates and other Transact-SQL string comparisons. For example, Transact-SQL considers the strings 'abc' and 'abc ' to be equivalent for most comparison operations.

Source: http://support.microsoft.com/kb/316626

Community
  • 1
  • 1
Tanner
  • 22,205
  • 9
  • 65
  • 83