
I've created a custom authentication method which basically takes two inputs from the user, checks if there is a record in the database for such a combination, and if so the user is authenticated correctly. It is simple and works fine; the only problem is that if my password is "hash1" then "HASH1", "haSH1 ", "hAsh1 " etc. are also valid.

My system just ignores trailing spaces and is not case-sensitive. I don't change the password string myself, but when I add it as a query parameter

command.Parameters.Add("@pass", SqlDbType.VarChar, -1).Value = password;

the debugger shows me there are some default options which probably cause this behavior.


Is there a way to turn off or change these options for a specific parameter?

// The possible duplicate is only part of the solution. I would like to know how to change those CompareOptions.

Bendom
  • Possible duplicate of [SQL Case Sensitive String Compare](https://stackoverflow.com/questions/3969059/sql-case-sensitive-string-compare) – hardkoded May 27 '17 at 14:08
  • Aside: You should be storing the hashed password, not plaintext, in the database. – HABO May 27 '17 at 14:18
  • @kblok Thank you. Adding COLLATE Latin1_General_CS_AS at the end of the query solved case sensitivity but not trailing spaces. I guess this one will be solved once I start using hashes of user inputs. Still, is there a way to solve this by turning off those compare options? – Bendom May 27 '17 at 14:29
  • @Bendom or you can just do `password.Trim()` before sending that to the database – hardkoded May 27 '17 at 14:31
  • @kblok I was thinking about that but I don't want to "touch" password string. Either user knows it or not. But it is definitely a solution. Thank you. – Bendom May 27 '17 at 14:42
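As an added example (not code from the question or its comments), this is the approach HABO's comment points to: store a salted PBKDF2 hash instead of the plaintext and compare in C# rather than in SQL, so the column collation and SQL Server's trailing-space padding no longer decide whether a password matches. It assumes .NET 6 or later for `RandomNumberGenerator.GetBytes` and the static `Rfc2898DeriveBytes.Pbkdf2`; the table and column names in the comments are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: verify passwords in application code against a salted
// PBKDF2 hash, so SQL Server collation and trailing-space padding never
// take part in the comparison.
public static class PasswordVerifier
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100_000;

    // Called once at registration; the returned string is what you store
    // (hypothetical column Users.PasswordHash) instead of the plaintext.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Called at login with the record fetched by username only, e.g.
    //   SELECT PasswordHash FROM Users WHERE Username = @user
    // The candidate password itself never goes into the SQL query.
    public static bool Verify(string stored, string candidate)
    {
        string[] parts = stored.Split('.');
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(candidate), salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Fixed-time, byte-exact comparison: "HASH1" and "hash1 " hash to
        // completely different values, so both are rejected.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

public static class Demo
{
    public static void Main()
    {
        string stored = PasswordVerifier.HashPassword("hash1");
        // Only the exact string "hash1" verifies; the variants from the question do not.
        foreach (string attempt in new[] { "hash1", "HASH1", "hash1 ", "haSH1" })
            Console.WriteLine($"\"{attempt}\" -> {PasswordVerifier.Verify(stored, attempt)}");
    }
}
```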

0 Answers