Problems with Encrypted password

[rfazendeiro]

hi to all,

Im currently workin in a aplication that is requires user autentication. Im using vs 2003 and access.

Now when i run my app the login form shows up for the user to input its username and password. If its the first time that the user is loging in (the password is blank) a form shows up to allow the user to change his password.

When the user submits its new password, the password is encripted and a query is submited, like the example below

UPDATE Utilizadores SET User_password=.w\"2HXՏ,1\0#~@MV_KTF*uXlhN[*\tЭ#\aE, User_reset=0 where User_id=1

to execute the query i use the following code

[csharp]
public static int ExecuteNonQuery(string query)
{
OdbcConnection cs;
OdbcCommand cmd;

try
{
cs = OdbcConnection connection = new OdbcConnection("APP");
cmd = new OdbcCommand(query, cs);
cs.Open();
cmd.ExecuteNonQuery();
cs.Close();

return 0;
}
catch(OdbcException ex)
{
MessageBox.Show("M

 

[kejpa]

Somehow it seems like the ODBC-driver thinks the string ends at \0. Could it be that it treats those two characters as end of string delimiters?
If I were you Id use a parameterized query instead of what seems like a concatenated statement.
There are lots of threads here about parameterized queries

HTH
/Kejpa

 

[TheWizardofInt]

I have had the same thing happen to me

What I do now is scrub my encryptions and force normal letters and numbers onto them

It might seem less secure and, in fact, it is, but there can come a day when you want to write your program into a Web app, and a minor inconvenience becomes a major heartache

 

[PlausiblyDamp]

Or use parameterised queries like kejpa suggested as this will not be any less secure, is more maintainable and isnt open to exploits such as SQL injections.

 

[rfazendeiro]

Thx for the replies!

parameterised queries did the trick for me! thx for the help. If anybody want to know how to create a store procedure im access and them use it in .NEt here is a link

Store procedures in Access