0

I'm developing an application using ASP.NET MVC. I have a sign-up form. When a user enters the password, I would like to encrypt the password and store it in the database. My code fails when I encrypt the password and try to insert it into the database. Please look at my code and let me know if it's wrong.

During insertion, I'm hitting the error: "Value cannot be null.Parameter name: input". My controller is:

using CTCFremont.Models;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace CTCFremont.Controllers
{
    public class UserLoginController : Controller
    {
        private CTCFremontEntities db = new CTCFremontEntities();

        //
        // GET: /UserLogin/Create

        public ActionResult Index()
        {

            return View();
        }

        public ActionResult Create()
        {
            return View();
        }

        //
        // POST: /UserLogin/Create

        [HttpPost]
        public ActionResult Create(UserLogin userlogin)
        {
            if (ModelState.IsValid)
            {
                userlogin.Pass = Crypto.SHA256(userlogin.Pass);
                db.UserLogins.Add(userlogin);
                db.SaveChanges();
                return RedirectToAction("Index");
            }

            return View(userlogin);
        }



        protected override void Dispose(bool disposing)
        {
            db.Dispose();
            base.Dispose(disposing);
        }
    }
}

My view is:

@model CTCFremont.Models.UserLogin

@{
    ViewBag.Title = "SignUp";
    Layout = "~/Views/Shared/_Layout.cshtml";
}

<script src="https://code.jquery.com/jquery-2.1.4.js"></script>
<script src="~/Scripts/jquery.validate.js"></script>
<script src="~/Scripts/jquery.validate.unobtrusive.js"></script>
<h2>Sign Up!</h2>

@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)

    <fieldset >
        <legend>Submit your details </legend>

        <div class="editor-label">
            @Html.LabelFor(model => model.UserName)
        </div>
        <div class="editor-field" >
            @Html.EditorFor(model => model.UserName)
            @Html.ValidationMessageFor(model => model.UserName)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.Email)
        </div>
        <div class="editor-field" >
            @Html.EditorFor(model => model.Email)
            @Html.ValidationMessageFor(model => model.Email)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.Pass)
        </div>
        <div class="editor-field" >
            @Html.EditorFor(model => model.Pass, new { id = "Password" })
            @Html.ValidationMessageFor(model => model.Pass)
        </div>

        <div class="editor-label">
            @Html.LabelFor(model => model.Confirm)
        </div>
        <div class="editor-field" >
            @Html.EditorFor(model => model.Confirm, new { id = "Confirmation" })
            @Html.ValidationMessageFor(model => model.Confirm)
        </div>

        <p>
            <input type="submit" value="Submit" />
        </p>
    </fieldset>
}

@section Scripts {
    @Scripts.Render("~/bundles/jqueryval")
}
sujay raj
  • And do you get any kind of error message to share with us? – Steve Oct 23 '15 at 17:22
  • Thanks Steve. I've updated my post – sujay raj Oct 23 '15 at 17:26
  • Does your table _userlogin_ contain just three columns? If you use an INSERT without specifying the column names then you should pass values for all columns. – Steve Oct 23 '15 at 17:28
  • Have you read https://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1(v=vs.110).aspx about that SHA1 class? – JB King Oct 23 '15 at 17:31
  • 1
    I want to note that SHA-1 is not a secure password hash. And neither are SHA-2 and SHA-3. See [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). – CodesInChaos Oct 23 '15 at 18:21
  • Also, why are you inserting into your database on your Index() GET? – L_7337 Oct 23 '15 at 18:26
  • I see that my data is stored. But there is a problem with the Index method – sujay raj Oct 23 '15 at 18:28
  • I am assuming that you have a value for EncodedPassword and it is your actual db save method that throws the error. Is the value of your encoded password a base64 string or is it some other type? If it is in a binary format it might be getting kicked back by the server. – Stix Oct 23 '15 at 18:31
  • Hey Stix, I can see that the db is storing values. The password is not encoded – sujay raj Oct 23 '15 at 18:42
  • Please look at my code. I've updated i – sujay raj Oct 23 '15 at 18:48

1 Answer

0

You are missing single-quotes around your SQL string parameters, need a string formatter, and need to use ExecuteSqlCommand instead of SqlQuery. This should work.

db.UserLogins.ExecuteSqlCommand(
  string.Format("insert into Userlogin values('{0}','{1}','{2}')",
    userlogin.UserName, userlogin.Email, EncodedPassowrd));
Todd Sprang
  • Hey Todd, I have queried the database and I see that my table has the values which I've inserted. But there is a problem with the Index method. The password is not being encoded. Am I doing something wrong with the Create method? public ActionResult Create(UserLogin userlogin) { if (ModelState.IsValid) { db.UserLogins.Add(userlogin); db.SaveChanges(); return RedirectToAction("Index"); } return View(userlogin); } Is the code included in the Create action the problem? – sujay raj Oct 23 '15 at 18:31
  • You probably want to use SHA-256, as SHA-1 was beaten a while back. The answer here has implementation details: https://stackoverflow.com/questions/212510/what-is-the-easiest-way-to-encrypt-a-password-when-i-save-it-to-the-registry - just ignore the registry part. You want the 1-way hash result. – Todd Sprang Oct 23 '15 at 18:34
  • 1
    @ToddSprang SHA-2 is almost as bad as SHA-1 when used as a password hash. It's cheap to compute and has no salt. Use PBKDF2, bcrypt, scrypt or Argon instead. – CodesInChaos Oct 23 '15 at 20:31
  • Jeez, you're right, and I just wrote a PBKDF2 password hasher. Not sure what I was thinking. https://en.wikipedia.org/wiki/PBKDF2 – Todd Sprang Oct 24 '15 at 12:17