Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Bcrypt Password login fail not work MySql C#

See original GitHub issue

            try
            {
                Connection con = new Connection ();
                con.Open();
                string query = "SELECT `username`, `password` FROM `MyDatabase_Users` WHERE username='" + tBUsername.Text + "' AND password= '" +BCryptNet.Verify( textBoxPASSWORD.Text)+ "'";
                MySqlDataReader row;
                row = con.ExecuteReader(query);
                if (row.HasRows)
                {
                    
                    //logged in
                    MessageBox.Show("You have been logged in");

                }
                else
                {
                     //Failed logged in
                    MessageBox.Show("Incorrect password or user");

} } catch (Exception ex) { MessageBox.Show(“No network”); }

            con.Close();

Issue Analytics

State:
Created 7 months ago
Comments:7

Top GitHub Comments

2reactions

AbeidDEVcommented, Feb 17, 2023

Thank you, for support

On Fri, 17 Feb 2023, 13:34 Chris McKee, @.***> wrote:

I’m guessing you’re new to this and its related to the repo in your account. I’ll try to break the bits down.

Version control You should really just put the files in rather than a zip; gits great at letting you see the history of your changes but sadly in a zip which is basically an opaque binary to git it wont do a whole lot.

Winforms & SQL Firtly if you’re interested in desktop apps I’d look at the newer stuff https://learn.microsoft.com/en-us/dotnet/maui/what-is-maui?view=net-maui-7.0 I’ll openly admit to still cracking out winforms on occasion but it’s pretty much on the way out in the grand scheme of things.

If your aim is to store data locally for a user and the querying isn’t particularly complex you may wish to consider using something like SQLLite instead of a full blown SQL engine like MySql

https://www.codeguru.com/dotnet/using-sqlite-in-a-c-application/

https://learn.microsoft.com/en-us/xamarin/android/data-cloud/data-access/using-sqlite-orm

Of course if you’re talking to a remote sql server that’s a whole different thing.

Your repo

Assuming I’m right about the winforms app; I’ve pulled your zip; modified the code to use bcrypt so you have an example

C#_Login_Encrypt.zip https://github.com/BcryptNet/bcrypt.net/files/10765728/C._Login_Encrypt.zip

There’s a docker-compose file in there (docker-compose up -d) which will start mysql locally with the passwords configured etc. The sql class is setup to bootstrap the table.

… public MySqlDb() { SqlConnection = new MySqlConnection($“Server={Server};Database={Database};User ID={Uid};Password={Password}”); SqlConnection.Open();
        if (BootStrapSql) return;

        using var tblCheck = SqlConnection.CreateCommand();
        tblCheck.CommandText = @$"CALL sys.table_exists({Database}, users, @table_type); SELECT @table_type;";
        var reader = tblCheck.ExecuteReader();
        if (!reader.Read())
        {
            using var tblCommand = SqlConnection.CreateCommand();
            tblCommand.CommandText = @"CREATE TABLE IF NOT EXISTS users                                    (                                      Id int(10) NOT NULL,                                      userName varchar(20) NOT NULL,                                      Password varbinary(256) NOT NULL,                                      Registered varchar(20) DEFAULT NULL                                    );                                    ALTER TABLE users                                      ADD PRIMARY KEY (Id),                                      ADD UNIQUE KEY userName (userName);                                    ALTER TABLE users                                      MODIFY Id int(10) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=24;                                    COMMIT;                       ";
            tblCommand.ExecuteNonQuery();
        }
        BootStrapSql = true;
    }
It’s not how I’d do this in production but for the sake of example it does the job.

The user creation changes to

… try { using MySqlDb db = new MySqlDb();
            using var cmd = db.SqlConnection.CreateCommand();

            cmd.CommandText = "INSERT INTO users (Username, Password, Registered) values ***@***.***, @password, now())";
            ***@***.***", userName);
            ***@***.***", BCrypt.Net.BCrypt.HashPassword(password));
            cmd.ExecuteNonQuery();

            System.Windows.Forms.MessageBox.Show("Account created", "Information", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Information);

            return $"{userName}{password}";
        }
        catch (Exception ex)
        {
            System.Windows.Forms.MessageBox.Show(ex.Message, "Information", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Warning);
            return null;
        }
…

So we take the input password from the user and we hash it as its stored.

To validate it we’d call ValidateLogin

Which selects the first match on username

extracts the password hash from the results

Passes the hash to bcrypt with the user entered password.

BCrypt then uses the SALT portion of the hash to hash the user-entered password in exactly the same way as when it was generated

If the two strings match (if you look at the bcrypt code you’ll see we do this in a de-optimized fashion to try and ensure timing attacks dont work)

Return pass or fail depending on the verify response

… try { using MySqlDb db = new MySqlDb();
            using var cmd = db.SqlConnection.CreateCommand();
            cmd.CommandText = ("Select Top 1 Username, Password  from users where userName = @name;");
            ***@***.***", userName);

            var reader = cmd.ExecuteReader();

            if (!reader.Read())
            {
                System.Windows.Forms.MessageBox.Show("Error", "Information",
                    System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Error);
            }
            else
            {
                while (reader.Read())
                {
                    var sqlPassword = reader.GetString(1);

                    if (BCrypt.Net.BCrypt.Verify(password, sqlPassword))
                    {

                        System.Windows.Forms.MessageBox.Show("Hi :D", "Information",
                            System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Information);
                    }
                    else
                    {
                        System.Windows.Forms.MessageBox.Show("Error", "Information",
                            System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Error);
                    }
                }
            }

            return $"{userName}{password}";
        }
        catch (Exception ex)
        {
            System.Windows.Forms.MessageBox.Show(ex.Message, "Information", System.Windows.Forms.MessageBoxButtons.OK, System.Windows.Forms.MessageBoxIcon.Warning);
            return null;
        }

    }
— Reply to this email directly, view it on GitHub https://github.com/BcryptNet/bcrypt.net/issues/130#issuecomment-1434446970, or unsubscribe https://github.com/notifications/unsubscribe-auth/A5NZW4QDHNBAGIRZS7FXWG3WX5H4BANCNFSM6AAAAAAU56J4XI . You are receiving this because you authored the thread.Message ID: @.***>

0reactions

AbeidDEVcommented, Feb 17, 2023

Great, thanks!

On Fri, 17 Feb 2023, 15:14 Chris McKee, @.***> wrote:

No problem

— Reply to this email directly, view it on GitHub https://github.com/BcryptNet/bcrypt.net/issues/130#issuecomment-1434557454, or unsubscribe https://github.com/notifications/unsubscribe-auth/A5NZW4WSAAWURLP5CDVJUHTWX5TRDANCNFSM6AAAAAAU56J4XI . You are receiving this because you authored the thread.Message ID: @.***>

Top Results From Across the Web

Why does Bcrypt keep failing with MySQL, and how do I ...

I am trying to take a password from React Native into Flask via URL and then insert it into MySQL. I then retrieve...

13.7.1.3 CREATE USER Statement

Require that a new password be chosen every 180 days, and enable failed-login tracking, such that three consecutive incorrect passwords cause temporary ...

PureFTPD 1.0.50 with MariaDB fails to auth, possible ...

When I try MYSQLCrypt cleartext , than it works fine, but I don't consider it as a best option to store passwords in...

12.13 Encryption and Compression Functions

The derived key is used to encrypt and decrypt the data, and it remains in the MySQL Server instance and is not accessible...

Authentication Plugin - ed25519 - MariaDB Knowledge Base

In MariaDB 10.3 and before, the PASSWORD() function and SET PASSWORD statement did not work with the ed25519 authentication plugin.