I'm actually doing a project in C#: developing a software linking all the departments in my university to make workflow easier. The departments include the Faculty, the Finance Section, the Purchasing Unit, the Store and so on.
Each department has 2 types of users: the Administrative Staff Users and the Secretarial Staff Users. The Administrative users can assign work to the Secretarial users.
The main menus for an Administrative user and a Secretarial user are different. The main menus also differ from 1 department to another.
So first, I have to do a login form, and the code is:
using MySql.Data.MySqlClient;   // needed for MySqlConnection, MySqlCommand and MySqlDataReader

private void BTLogin_Click(object sender, EventArgs e)
{
    if (tryLogin(TXUsername.Text, TXPassword.Text))
    {
        MessageBox.Show("Successful Login!");
        FMMainMenu f1 = new FMMainMenu();
        f1.Show();
        this.Hide();
    }
    else
    {
        MessageBox.Show("Authentication Failure!");
    }
}

public bool tryLogin(string username, string password)
{
    MySqlConnection con = new MySqlConnection(myConString);
    // The method now uses its own username/password parameters instead of reading the
    // text boxes again. The values are still concatenated straight into the SQL string,
    // as originally posted; that is the part the replies address.
    MySqlCommand command = new MySqlCommand("SELECT * FROM login WHERE username='" + username + "' AND password='" + password + "';");
    command.Connection = con;
    con.Open();
    MySqlDataReader reader = command.ExecuteReader();
    // true only if a row matched and its first column is not NULL
    bool found = reader.Read() && !reader.IsDBNull(0);
    // release the reader, command and connection on every path
    // (the original only did this when a row was found)
    reader.Close();
    command.Dispose();
    con.Close();
    return found;
}
The problem with this code is that the system has not checked whether the user is an administrative user or a secretarial user, and from which department he is. And I am having trouble with this.
Does anyone know which lines of code I have to include to do this?
I have a table 'Employee' in my database.
employee[employeeID, fname, lname,dob, type]
field 'type' in employee is either administrative or secretarial
3 replies to this topic
#1
Posted 12 December 2010 - 04:38 AM
#2
Posted 12 December 2010 - 07:31 AM
Well, first of all, I'd recommend you read my "storing secrets" tutorial in the CSharp section http://forum.codecal...-passwords.html =)
In order to determine the type of user, maybe you should return it as part of the login.
Can I assume you have an employeeID column in your login table?
SELECT L.*, E.type FROM login L INNER JOIN employee E ON ( L.employeeID = E.employeeID ) WHERE L.username = '<username>' AND L.password='<password>'
You could also just do a second query, just query the employee table.
But seriously, check out my article on storing passwords, and stop storing these as plain text. I've provided a utility to make this really easy for you.
All you need to do is replace the password field with two binary fields. =)
Let me know if that helps, or if you need something more specific.
Edited by sam_coder, 12 December 2010 - 07:33 AM.
adding a link to the article I was referring too
#3
Posted 12 December 2010 - 08:37 AM
I just wanted to make one more suggestion. I'm not sure exactly how this application is being used, or how it is exposed, but there is a glaring and significant security risk with how you are creating your query.
And by that I mean that you are providing direct (unsanitized) user input, which can make the function more error prone, especially if the user enters something invalid, or intentionally enters something malicious.
A simple way to remove a lot of these problems is by validating the user input before inserting user values into the query, and even better than that would be to use the ADO.NET parameter system.
MySqlCommand command = new MySqlCommand( "SELECT L.*, E.type FROM login L INNER JOIN employee E ON ( L.employeeID = E.employeeID ) WHERE L.username = @username AND L.password=@password");
command.Parameters.AddWithValue("@username", TXUsername.Text);
command.Parameters.AddWithValue("@password", TXPassword.Text);
I mean, more ideally, you would have validate methods too.
In addition to the security implications, this actually makes the code easier to read too.
Edited by sam_coder, 13 December 2010 - 11:27 AM.
you're -- your, same thing right?? =)
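A login routine that combines both suggestions from this thread (a parameterized join that returns the employee type, and a stored salt plus hash instead of a plain-text password), written here as an added example rather than code from the original poster or from sam_coder. The column names pwdHash, pwdSalt and department, and the PBKDF2 settings, are assumptions; CryptographicOperations.FixedTimeEquals needs .NET Core 2.1+ or .NET 5+.

```csharp
using System;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;

// Assumed schema: login(employeeID, username, pwdHash BINARY(32), pwdSalt BINARY(16))
// and employee(employeeID, fname, lname, dob, type, department).
// 'department' is a hypothetical column added for the per-department menus.
public sealed class LoginResult
{
    public int EmployeeId;
    public string Type;        // "administrative" or "secretarial"
    public string Department;  // hypothetical column
}

public static class Auth
{
    const int Iterations = 100000;   // PBKDF2 work factor (assumed value)
    const int HashLen = 32;          // SHA-256 output size in bytes

    // Returns null on any failure so the caller cannot tell "no such user"
    // from "wrong password"; on success the caller picks the menu from Type/Department.
    public static LoginResult TryLogin(string connStr, string username, string password)
    {
        const string sql =
            "SELECT L.employeeID, L.pwdHash, L.pwdSalt, E.type, E.department " +
            "FROM login L INNER JOIN employee E ON L.employeeID = E.employeeID " +
            "WHERE L.username = @username";
        using (var con = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand(sql, con))
        {
            // the value travels as a parameter, never as part of the SQL text
            cmd.Parameters.AddWithValue("@username", username);
            con.Open();
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;                 // unknown user
                byte[] stored = (byte[])r["pwdHash"];
                byte[] salt = (byte[])r["pwdSalt"];
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
                    computed = kdf.GetBytes(HashLen);
                // constant-time comparison of the two binary fields
                if (!CryptographicOperations.FixedTimeEquals(stored, computed)) return null;
                return new LoginResult {
                    EmployeeId = r.GetInt32(0),
                    Type = (string)r["type"],
                    Department = (string)r["department"] };
            }
        }
    }
}
```

In BTLogin_Click, call Auth.TryLogin(myConString, TXUsername.Text, TXPassword.Text) and, when the result is not null, open the main menu form that matches result.Type and result.Department instead of a single FMMainMenu.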
#4
Posted 17 December 2010 - 10:06 PM
Thank you for your help Sir :)