Hello, everyone. I am trying to create a procedure that checks a user's login, in the database. The login is based on e-mail address and password.
How do I construct the stored procedure to check if the username and password are correct?
Thanks,
Antonio
You could either use a stored procedure, or a function.
Code Snippet
CREATE PROCEDURE dbo.VerifyLogin
( @.eMail varchar(200),
@.Pwd varchar(20)
)
AS
SELECT isnull(( SELECT DISTINCT 'Verified'
FROM MyUsersTable
WHERE ( eMail = @.eMail
AND Pwd = @.Pwd
)
), 'BOGUS' )
GO
(or)
CREATE FUNCTION dbo.fnVerifyLogin
( @.eMail varchar(200),
@.Pwd varchar(20)
)
RETURNS varchar(10)
AS
FROM MyUsersTable
WHERE ( eMail = @.eMail
AND Pwd = @.Pwd
)
), 'BOGUS' )
GO
Just a couple of points to make about password storage in databases.
You should never store a password in a clear (unencrypted) form in a database. Preferably you should not even store it in a decryptable form, but rather a value managled by a one-way hash. SQL Server 2005 now has the HashBytes function which will perform a cryptographically valid hash operation.
It is also recommended that you not perform a straightforward hashing but rather salt the value before hashing with another value. This means adding another known piece of information to the value before hashing the combination. This has a 2-fold advantage:
It makes a brute force attack of the hash algorithm with all the possible values harder (basically impossible if the salt is different for each password). Be aware there are projects on the internet where people are building hash lists for all the characters strings up to a certain length composed of a standard set of characters (mainly alpha/digit - upper case only) for some standard hash algorithms. Good reason for using longer passwords (12+ characters) and at least one unusual character. If you use a different salt for each user (I normally use something based upon the primary ID in the User Table) then it prevents the insider attack of moving the password hash from a user whose password is known to another allowing access to the system as that user (restoring the old hash removes signs of the hack). If the salt is held as a field in the table they can move that too (though a unique constraint might make that more difficult).sql
No comments:
Post a Comment