I'm trying to hash the password the user enters into my DB as MD5, and I'm having trouble with it. I know MD5 is not as secure as it was before, and now not with salting, this is just for testing purposes and in no way am I actually deploying this for people to use. It's just for fun! The username gets entered into the database but the password doesn't. Here is my code:

```vb
Imports MySql.Data.MySqlClient
Imports System.Security.Cryptography
Imports System.Text


Public Class frmSignup
    Dim ServerString As String = "Server=localhost;User Id=root;Password=;Database=accountinfo"
    Dim SQLConnection As MySqlConnection = New MySqlConnection

    Private Sub Form3_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        SQLConnection.ConnectionString = ServerString

        Try
            If SQLConnection.State = ConnectionState.Closed Then
                SQLConnection.Open()
                MsgBox("Successfully connected to DB")

            Else
                SQLConnection.Close()
                MsgBox("Failed to connect to DB")
            End If
        Catch ex As Exception
            MsgBox(ex.ToString)

        End Try
    End Sub

    Public Sub SaveAccountInformation(ByRef SQLStatement As String)
        Dim cmd As MySqlCommand = New MySqlCommand

        With cmd
            .CommandText = SQLStatement
            .CommandType = CommandType.Text
            .Connection = SQLConnection
            .ExecuteNonQuery()
        End With
        SQLConnection.Close()
        SQLConnection.Dispose()
    End Sub

    Private Sub btnSignup_Click(sender As Object, e As EventArgs) Handles btnSignup.Click
        If txtPasswd.Text = txtPasswd2.Text Then
            MessageBox.Show("Passwords Match!")

            Dim HashedPass As String = ""

            'Converts the Password into bytes, computes the hash of those bytes, and then converts them into a Base64 string

            Using MD5hash As MD5 = MD5.Create()

                System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text)))

            End Using


            Dim SQLStatement As String = "INSERT INTO accountinfodb(`Usernames`, `Passwords`) VALUES ('" & txtUsername.Text & "','" & HashedPass & "')"
            SaveAccountInformation(SQLStatement)



            MessageBox.Show("Account Successfully Registered")
            frmLogin.Show()
            frmLoginScreen.Hide()
        Else
            MessageBox.Show("Passwords Do Not Match!")
            txtPasswd.Text = Focus()
            txtPasswd.Clear()
            txtPasswd2.Text = Focus()
            txtPasswd2.Clear()

        End If
    End Sub
End Class
```

I think I possibly added the wrong value in my SQL Query, but if I add txtPasswd, I'm not sure where I'd put the HashedPass variable into my code?

Jcrow
  • Hashing is not encryption - it can't be undone. You should **not** put the root/admin password in the app; create a new account with the permissions needed. [Complete set of methods for SHA password hashing](http://stackoverflow.com/a/31150288/1070452) or for the old MD5 see [Hash with MD5 in VB.NET](http://stackoverflow.com/a/23517226/1070452). When salting PWs you do need to save the hash and the salt so you can compare! – Ňɏssa Pøngjǣrdenlarp Jan 19 '16 at 00:15
  • Possible duplicate of [VB.NET login with a MySQL database](http://stackoverflow.com/questions/22938704/vb-net-login-with-a-mysql-database) – RiggsFolly Jan 19 '16 at 01:11

2 Answers


The answer to your question is found with basically the same code here:

VB.NET login with a MySQL database

Direct link to answer:

https://stackoverflow.com/a/22939770/1475285

Bread102
  • That's the resource I used yep, but the SQL query of his is different, I tried playing around with it, but it just messes everything else up. Is there a way to do it with the SQL query I have, instead? – Jcrow Jan 19 '16 at 00:14
  • Basically your HashedPass variable has no value, you want to store the result of this function System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text))) In HashedPass – Bread102 Jan 19 '16 at 00:18

As mentioned by Bread102, you're not assigning the hash function result to your variable. The below should work in your case.

```vb
Dim HashedPass As String = ""
Using MD5hash As MD5 = MD5.Create()
    ' Assign the Base64-encoded MD5 hash of the entered password to HashedPass
    HashedPass = System.Convert.ToBase64String(MD5hash.ComputeHash(System.Text.Encoding.ASCII.GetBytes(txtPasswd.Text)))
End Using

Dim SQLStatement As String = "INSERT INTO accountinfodb(`Usernames`, `Passwords`) VALUES ('" & txtUsername.Text & "','" & HashedPass & "')"
```
bmck8
  • Thanks, your code worked, however when I login, it's unsuccessful, probably because it's comparing the MD5 hash to the password in the Login Form, which obviously do not equal each other, how do I get past this? In fact after comparing my hashes to the other thread, they both look very different, is this because the hash is unsalted? – Jcrow Jan 19 '16 at 23:28
  • As far as my understanding goes you should be hashing the password entered into the login form and then comparing this hash to your stored hash to verify they are correct. – bmck8 Jan 27 '16 at 09:00