-1

I have used this code to make my login form, but my username and password are now not case sensitive.

private void btnLogin_Click(object sender, EventArgs e)
{
    // Builds the query by concatenating the raw text-box input (the behaviour discussed below)
    string sqlquery = "SELECT * FROM users WHERE username = '"+txtUsername.Text.Trim()+"' AND password = '"+txtPassword.Text.Trim()+"' ";
    SqlDataAdapter da = new SqlDataAdapter(sqlquery,con);
    DataTable dt = new DataTable();
    da.Fill(dt);
    if (dt.Rows.Count > 0)
    {
        MessageBox.Show("Hi " + txtUsername.Text + ", Welcome to the program!");
    }
    else
    {
        MessageBox.Show("Incorrect Username or Password");
    }
}
Servy
Umar Uzman
    You should not be storing passwords in plain text in your database. You should be storing a hash. When you do that, case sensitivity won't be an issue. – Servy Jun 06 '18 at 18:05
  • Thank you... But could you please make it more clear, because I did not get it.. as I am a beginner... – Umar Uzman Jun 06 '18 at 18:09
  • There are tools that help you to manage authentication and authorization for users such as [Identity Framework](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.1&tabs=visual-studio%2Caspnetcore2x) – rvazquezglez Jun 06 '18 at 18:10
  • There are plenty of great tutorials and other resources on how to build an authentication system, you merely need to do your research on how to do this properly. It's well beyond what can be posted in a comment, or even an answer. – Servy Jun 06 '18 at 18:10
  • Thanks Servy... I will have to look more onto this then.... – Umar Uzman Jun 06 '18 at 18:15

2 Answers

3

There are many many things wrong with this. The two big ones though are the following:

1: DO NOT and I mean DO NOT store plaintext passwords in your database. Ever. Make it a secure hash using an existing well tested implementation.

2: Your sql queries are incredibly vulnerable to SQL injection. For example when I log in as "'; DROP ALL TABLES; --" it will delete everything in your database. NEVER put raw user input into your sql queries. Ever.

In short: DO NOT ROLL YOUR OWN AUTHENTICATION. Use one of the numerous tried and true authentication libraries out there or you will end up hurting yourself/your company/others.

Dan
-1

There are many issues I will not address in this answer (plain text password, inline sql without parameters, etc). But will say: I hope this was done only as an example.

That said, SQL Server does not perform case-sensitive searches by default. For that you need to use collation. A great answer to this is given here already: How to do a case sensitive search in WHERE clause (I'm using SQL Server)?

TomS
    For the sake of the unfortunate users of whatever software this poster is making, I wouldn't give him the answer to this as it might encourage him to continue with his grievously insecure method. – Dan Jun 06 '18 at 18:09
  • Tnx buddy, I can temporarily use this method since I need this immediately... and look further more about this and improve on this... so however tnx as this will be useful for me now. – Umar Uzman Jun 06 '18 at 18:19
  • +1 There is not always time or money to update everything that is "not done right" and sometimes the best solution is somewhere in the middle of "good enough" and "done right" – Bolo Jun 06 '18 at 18:50
  • For security vulnerabilities that can cause catastrophic data loss (I can delete entire databases) or massive data leaks (leak all customer passwords) there is no way except the correct way. If you are doing it wrong it WILL come to bite you, and it WILL cost more money to mitigate the lawsuits than it does to do it right the first time. Time/money constraints are no excuse for gross negligence. If you can't afford to employ BASIC security on your authentication, you shouldn't be in business. – Dan Jun 06 '18 at 21:29
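The following is an added example, not code from the asker or from either answer, showing the same WinForms login handler rewritten along the lines both answers describe: Dan's two points (a parameterised `SqlCommand` instead of string concatenation, and a salted PBKDF2 hash stored instead of the password) and TomS's collation point, which becomes moot because the password is compared as hash bytes in application code rather than by a SQL string comparison. Assumed and not from the page: a `users` table with `password_hash`, `salt` and `iterations` columns, the `Rfc2898DeriveBytes` overload taking `HashAlgorithmName` (.NET Framework 4.7.2+ / .NET Core 2.0+), and a `SqlConnection` field `con` that is opened elsewhere, as in the original form.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Windows.Forms;

// Added example (not the asker's code). Assumed schema, placeholder names:
//   users(username NVARCHAR(256), password_hash VARBINARY(32), salt VARBINARY(16), iterations INT)
public class LoginForm : Form
{
    private SqlConnection con;                 // assumed to be opened elsewhere, as in the original form
    private TextBox txtUsername, txtPassword;  // same controls as the original form

    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int DefaultIterations = 100000;

    // Used when an account is created: derives the salted hash that is stored instead of the password.
    public static void HashPassword(string password, out byte[] salt, out byte[] hash, int iterations = DefaultIterations)
    {
        salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        // PBKDF2-HMAC-SHA256; this overload exists in .NET Framework 4.7.2+ and .NET Core 2.0+ (assumption)
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            hash = kdf.GetBytes(HashSize);
    }

    // Compares two hashes without stopping at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // True only if a row exists for the username and the typed password re-derives the stored hash.
    // The username lookup still follows the database collation (case-insensitive by default on SQL Server),
    // but the password check is a byte-exact comparison here, so collation no longer affects it.
    private bool VerifyLogin(string username, string password)
    {
        const string sql = "SELECT password_hash, salt, iterations FROM users WHERE username = @username";
        using (var cmd = new SqlCommand(sql, con))
        {
            // The value travels as a parameter; it is never spliced into the SQL text.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;  // unknown user
                byte[] storedHash = (byte[])reader["password_hash"];
                byte[] salt = (byte[])reader["salt"];
                int iterations = reader.GetInt32(reader.GetOrdinal("iterations"));
                using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
                    return FixedTimeEquals(storedHash, kdf.GetBytes(HashSize));
            }
        }
    }

    private void btnLogin_Click(object sender, EventArgs e)
    {
        // The password is passed exactly as typed (no Trim), since every byte goes into the hash.
        if (VerifyLogin(txtUsername.Text.Trim(), txtPassword.Text))
            MessageBox.Show("Hi " + txtUsername.Text + ", Welcome to the program!");
        else
            MessageBox.Show("Incorrect Username or Password");
    }
}
```

The two failure cases return the same message, so the form does not reveal whether the username or the password was wrong. Storing `iterations` alongside each hash lets the cost be raised for new accounts later without invalidating existing ones.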