
To start off: from this point and some previous questions, I've observed that the easiest way to actually "compare the hash values" with the one submitted through the database would be to just see if the query (the SELECT ... FROM ... WHERE x = x2 statement) was actually executed successfully (returning something greater than zero).

    private void button1_Click(object sender, EventArgs e)
    {
        string AppUsername = textBox2.Text.ToString();
        string AppPassword = textBox1.Text.ToString();

        byte[] salt;
        new RNGCryptoServiceProvider().GetBytes(salt = new byte[16]);
        var pbkdf2 = new Rfc2898DeriveBytes(AppPassword, salt, 10000);
        byte[] hash = pbkdf2.GetBytes(20);
        byte[] hashBytes = new byte[36];
        Array.Copy(salt, 0, hashBytes, 0, 16);
        Array.Copy(hash, 0, hashBytes, 16, 20);
        // see https://stackoverflow.com/questions/4181198/how-to-hash-a-password for the part on comparing the recalculated
        string savedPasswordHash = Convert.ToBase64String(hashBytes);

        SqlConnection con = new SqlConnection();
        con.ConnectionString = ("Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True");
        con.Open();                                          // dbo.data?
        var cmd = new SqlCommand(@"SELECT Username, Hash FROM data WHERE (Hash = @savedPasswordHash");
        cmd.Parameters.AddWithValue("@savedPasswordHash", savedPasswordHash); // ^ this should work right?

        if (cmd.ExecuteNonQuery() > 0) {
            MessageBox.Show(" Query successful..something matched..  ");
        }
    }

I have confirmed that the local database is being populated with a hash value that should match that one that is being compared.

But I believe there is something wrong with the second chunk of code:

    SqlConnection con = new SqlConnection();
    con.ConnectionString = ("Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True");
    con.Open();                                          // dbo.data?
    var cmd = new SqlCommand(@"SELECT Username, Hash FROM data WHERE (Hash = @savedPasswordHash");
    cmd.Parameters.AddWithValue("@savedPasswordHash", savedPasswordHash); // ^ this should work right?

    if (cmd.ExecuteNonQuery() > 0) {
        MessageBox.Show(" Query successful..something matched..  ");
    }

I wouldn't disagree with voters if this was categorised as a duplicate question; but from what I have ascertained from previous questions, none really help me solve my issue.

Update

I just realized that the actual error I am getting is pertaining to the actual connection:

ExecuteNonQuery: Connection property has not been initialized.

I use the same code, essentially as I do for inputting values.

    SqlConnection con = new SqlConnection();
    con.ConnectionString = ("Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True");
    con.Open();

I still assume that the issue has to be somewhere with the actual query setup or the parameters but I'm not sure : /

Update 2

I figured out what was wrong with the initialization error. Like it said, I never really initialized the connection..

Adding the following code:

    cmd.Connection = con;

fixed that.

The code now follows as:

    SqlConnection con = new SqlConnection();
    con.ConnectionString = ("Data Source=DESKTOP-PGHMM6M;Initial Catalog=LocalUsers;Integrated Security=True");
    con.Open();                                          // dbo.data?
    var cmd = new SqlCommand(@"SELECT Username, Hash FROM data WHERE (Hash = @savedPasswordHash");
    cmd.Connection = con;
    cmd.Parameters.AddWithValue("@savedPasswordHash", savedPasswordHash); // ^ this should work right?

    if (cmd.ExecuteNonQuery() > 0) {
        MessageBox.Show(" Query successful..something matched..  ");
        // change page.. load a profile?
    }

But it is returning a different error, related to the actual syntax of my query, which I originally thought the error concerned.

It's saying the incorrect syntax is near '@savedPasswordHash'.

Any SQL syntax advice is greatly welcome.

halfer, Jponder23
  • How would the application know the hashed value that’s being computed in the DB? Also are your hashes not salted? This would be a security hole. Also, you may find [this blog valuable.](https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/) – S3S Dec 11 '18 at 02:30
  • The hash value of the same value is already inside the DB and I "rehash" the user input (that should be the same password and return the same hash value) above and use that value to search out the row where the same hash value should already be present ( in the first code-indented section). sry this is totally new to me and pretty much copy and pasted tbh.. I thought this was all I needed, in terms of salt: ' Array.Copy(salt, 0, hashBytes, 0, 16); ' – Jponder23 Dec 11 '18 at 02:38
  • What I was inferring was that if your application knows the hash function and salt value it’s kind of game on for unauthorized access. You should send the attempt to the DB and let it compute the salt and hash and compare versus doing it twice and exposing the key. Just my two cents. – S3S Dec 11 '18 at 02:43
  • Oh I gotchya. Somebody was telling me that earlier today too.. I can functionally put that bit server side when I actually start hosting the database non-locally. But right now, for testing purposes, I just want it to successfully return a non-zero value to ExecuteNonQuery() – Jponder23 Dec 11 '18 at 02:47
  • And don't use [addwithvalue](https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/) – SMor Dec 11 '18 at 14:02
  • oh. Because it's not an insert statement? I don't need anything there at all? – Jponder23 Dec 12 '18 at 04:17
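The lookup-then-verify flow the comments point toward, as an added example (it is not the asker's code and there is no accepted answer on this page): fetch the stored salt+hash by username, re-derive PBKDF2 with the stored salt rather than a fresh random one, and compare in constant time. It assumes the question's `data` table with `Username` and `Hash` columns, the Base64 `salt[16] || hash[20]` layout from the question, an NVARCHAR(256) username column, and a runtime that has `CryptographicOperations.FixedTimeEquals` (.NET Core 2.1 or later); it uses a typed `SqlParameter` instead of `AddWithValue`.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class PasswordLogin
{
    // Sizes and iteration count match the question's hashing code (assumed).
    const int SaltSize = 16, HashSize = 20, Iterations = 10000;

    // Look the user up by name, then re-derive the hash with the salt stored
    // in that row. A freshly generated salt (as in the question) can never
    // reproduce the stored value, so the salt must come from the database.
    public static bool VerifyPassword(string connectionString, string username, string password)
    {
        string stored;
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT Hash FROM data WHERE Username = @username", con))
        {
            // Explicit type and size avoid AddWithValue's type inference (assumed column size).
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            con.Open();
            stored = cmd.ExecuteScalar() as string;   // null when no such user exists
        }

        // Unknown user: still run the derivation against a dummy record so the
        // response time does not reveal whether the username exists.
        byte[] record = stored != null ? Convert.FromBase64String(stored) : new byte[SaltSize + HashSize];
        if (record.Length != SaltSize + HashSize) return false;

        byte[] salt = new byte[SaltSize];
        Array.Copy(record, 0, salt, 0, SaltSize);
        byte[] expected = new byte[HashSize];
        Array.Copy(record, SaltSize, expected, 0, HashSize);

        byte[] actual;
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations))
            actual = pbkdf2.GetBytes(HashSize);

        // Constant-time comparison instead of SequenceEqual / == on the strings.
        bool match = CryptographicOperations.FixedTimeEquals(actual, expected);
        return stored != null && match;
    }
}
```

Note that the SELECT is never asked to return a row count: a SELECT is executed with `ExecuteScalar` or `ExecuteReader`, while `ExecuteNonQuery` returns -1 for it.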

0 Answers