Search code examples
c#mysqlwinformsdatareader

C# Mysql datareader - how to get other column using datareader

I'm trying to validate the password from my database that has been hash and salted. I Created an column in my user table username, hash and salt. Now I want to know if I can access the other column value using a datareader.

I tried this method but I got a red line. This is my failed attempt

public static bool VerifyPassword(string enteredPassword, string storedHash, string storedSalt)
{
    var saltBytes = Convert.FromBase64String(storedSalt);
    var rfc2898DeriveBytes = new Rfc2898DeriveBytes(enteredPassword, saltBytes, 10000);
    return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256)) == storedHash;
}

private void bunifuFlatButton1_Click(object sender, EventArgs e)
{
    string userhash;
    string usersalt;

    MySqlConnection mysqlCon = new MySqlConnection(connectionString);
    MySqlCommand cmd = new MySqlCommand("SELECT * FROM login.info WHERE username = @user", mysqlCon);
    MySqlDataReader rd;
    rd = cmd.ExecuteReader();
    cmd.Parameters.Add("@user", MySqlDbType.VarChar).Value = username.Text;
    mysqlCon.Open();

    while (rd.Read())
    {
        userhash = rd.GetString("hash");
        usersalt = rd.GetString("salt");

        bool isPasswordMatched = VerifyPassword(textpass.Text, userhash.Hash, usersalt.Salt);
// i got redline error in here. i only follow instruction.. link below
        if (isPasswordMatched)
        {
            //Login Successfull
        }
        else
        {
            //Login Failed
        }
    }
}

By the way, I only follow this instruction from this thread. How to validate salted and hashed password in c#

Solution

  • Here is another way of writing your code, not really an answer, but...not perfect mind, but at least it will dispose of the objects and also call them in the correct order. Please read upon on IDisposable and Sql Injection.

    private void bunifuFlatButton1_Click(object sender, EventArgs e)
{
    using (MySqlConnection mysqlCon = new MySqlConnection(connectionString))
    {
                               // Use a named list of fields please. And cleanse the text.
        using (MySqlCommand cmd = new MySqlCommand("SELECT * FROM login.info WHERE username = @user", mysqlCon))
        {
            cmd.Parameters.Add("@user", MySqlDbType.VarChar).Value = username.Text; // Let's hope user name is not Jimmy DropTables!!
            mysqlCon.Open();

            using (MySqlDataReader rd = cmd.ExecuteReader())
            {
                while (rd.Read())
                {
                    string userhash = rd.GetString("hash");
                    string usersalt = rd.GetString("salt");

                    bool isPasswordMatched = VerifyPassword(textpass.Text, userhash, usersalt);
                    // Note that we are passing in strings, not props of an unknown object
                    if (isPasswordMatched)
                    {
                        //Login Successfull
                    }
                    else
                    {
                        //Login Failed
                    }
                }
            }

            mysqlCon.Close();
        }
    }
}