PASSWORD PROGRAM II

Status
Not open for further replies.

WalfdPD

MIS
Apr 22, 2005
14
US
REF: thread796-1051230

I am trying to set up a simple password program to allow only certain users to gain access to a particular form.

I have created a table (password) with two fields (user & pwd) and a dataset
(dsPassword) which the textboxes on the form are bound to.

My question is:

declaration

Dim ? As ?

What gets declared, the table or the dataset? And what does it get declared as?
 
I would suggest not using data binding for password verification. Well, I would suggest not using it at all, but I would definitely not suggest using it here.

The best way to handle data is usually "as little as necessary". So you don't want the entire database of user names and passwords to be sitting on the user's machine (in the enemy's hands).

It would be better to set up a select query that would return security information based on the username and encrypted password you send in as parameters. That way, if the username/password combo is wrong, no security is returned. And at no time are you pulling user names and passwords down to the client.

-Rick

----------------------
[banghead]If you're about to post an ASP.Net question,
please don't do it in the VB.Net forum[banghead]

[monkey] I believe in killer coding ninja monkeys.[monkey]
 
OK, it may not be the best ever solution - but it worked for me.

Try this (or something similar)

Code:
' At the top of the file:
Imports System.Data
Imports System.Data.SqlClient

Dim sqlcnnReadOnly As New SqlConnection
Dim sqlcmndReadOnly As New SqlCommand
Dim dr As SqlDataReader
Dim AccessFlag As Boolean = False

Try
    sqlcnnReadOnly.ConnectionString = _
        "data source = sctna1;" & _
        "integrated security = true;" & _
        "initial catalog = YOUR_DB"

    sqlcnnReadOnly.Open()

    sqlcmndReadOnly.Connection = sqlcnnReadOnly
    sqlcmndReadOnly.CommandText = _
        "select * from YOUR_TABLE"
    sqlcmndReadOnly.CommandType = CommandType.Text

    dr = sqlcmndReadOnly.ExecuteReader()

    ' Walk every row returned and look for a matching user name / password pair
    Do While dr.Read()
        If CStr(dr("UserField")) = TextBox1.Text AndAlso CStr(dr("PasswordField")) = TextBox2.Text Then
            AccessFlag = True
        End If
    Loop

    dr.Close()
    sqlcnnReadOnly.Close()

    ' No match found: warn the user and close the form
    If AccessFlag = False Then
        MessageBox.Show("You are not authorised to this software", "Unauthorised Access", MessageBoxButtons.OK, MessageBoxIcon.Warning)
        Close()
    End If

Catch ex As Exception
    ' Errors are swallowed here; at least log ex.Message so a failed connection is not mistaken for a denied login
End Try


 
I am using an OleDbDataAdapter. Do I change the SQL to OLE?
 
I would do the verification of the password / user name in the SQL string. This way no records will be returned to the user's machine if they enter an invalid password / username, and only the relevant one will be returned if it is correct.

i.e.

SELECT * FROM tblPasswords WHERE UserName = 'whatever' AND Password = 'BlahBlah'

If dt.Rows.Count = 0 Then
    ' invalid password / username combo
Else
    ' allow access
End If

 
Doesn't this set you up for a disaster? Do you want the client program to handle whether or not you gain access?

Wouldn't it be better for the server side to handle the access?

Seems a good port sniffer would let a potential 'bad guy' gain all the info he/she would need to access your application.

What's to stop someone from running their own application to access your data directly without having to worry about logging in?
 
I would suggest storing the passwords in your "YOUR_TABLE" in a hashed form (not encrypted). When the user enters their username and password, create a hash of the password they entered and pass that in your query string "Select * from YOUR_TABLE where UName = " username " and Password = " passwordhash"

That way the passwords are truly secret and even the DB Admin can't get at them.
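Putting the two suggestions above together (do the check in the query so only the relevant row comes back, and store a hash rather than the password), here is an added example that is not code from the thread. It goes a little beyond what was suggested: the lookup is parameterised so the text box contents cannot alter the SQL, and the stored value is a salted PBKDF2 hash rather than a bare hash, compared without an early exit. It assumes .NET Framework 4 or later and a hypothetical Users table with UserName, Salt and PasswordHash columns.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module PasswordCheck
    ' Assumed table (not from the thread): Users(UserName nvarchar(50), Salt varbinary(16), PasswordHash varbinary(32))
    Private Const Iterations As Integer = 100000
    Private Const HashSize As Integer = 32
    ' PBKDF2 (Rfc2898DeriveBytes) of the entered password with the user's stored salt.
    Private Function DeriveHash(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function

    ' Compare without stopping at the first differing byte (no timing hint about how much matched).
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Values to store when a user is created; the plain-text password itself is never written to the table.
    Public Sub MakeCredential(password As String, ByRef salt As Byte(), ByRef hash As Byte())
        salt = New Byte(15) {}
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        hash = DeriveHash(password, salt)
    End Sub

    ' Fetch only this user's row (parameterised, so the text box contents cannot change the SQL),
    ' recompute the hash and compare. No other user's name or hash ever reaches the client.
    Public Function IsAuthorised(connectionString As String, userName As String, password As String) As Boolean
        Using cnn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT Salt, PasswordHash FROM Users WHERE UserName = @user", cnn)
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName
                cnn.Open()
                Using dr As SqlDataReader = cmd.ExecuteReader()
                    If Not dr.Read() Then Return False ' unknown user: nothing returned
                    Dim salt As Byte() = CType(dr("Salt"), Byte())
                    Dim stored As Byte() = CType(dr("PasswordHash"), Byte())
                    Return FixedTimeEquals(stored, DeriveHash(password, salt))
                End Using
            End Using
        End Using
    End Function
End Module
```

Call MakeCredential once when a user is created and store the two byte arrays; at login call IsAuthorised with the connection string and the two text box values.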
 