
I have the following code so far for a login form taking data from a database:

```vb
' Requires: Imports System.Data.SqlClient at the top of the file (SqlConnection, SqlCommand, SqlDataReader)
Dim myconnection As New SqlConnection("server=classified;database=classified")
myconnection.Open()
' Both text boxes are concatenated straight into the SQL text (the injection point the comments below describe)
Dim theQuery As String = "SELECT Username, Password FROM Accounts WHERE (Username = '" & TextBox1.Text & "') AND (Password = '" & TextBox2.Text & "')"
Dim repeatChecker As SqlCommand = New SqlCommand(theQuery, myconnection)

Using reader As SqlDataReader = repeatChecker.ExecuteReader()
    If reader.HasRows Then
        ' The database returned a row (a case-insensitive collation also matches on different capitalization)
        While reader.Read()
            ' The VB string comparison is case-sensitive, so a row that differs only in case falls through silently
            If reader("Password").ToString() = TextBox2.Text AndAlso reader("Username").ToString() = TextBox1.Text Then
                MessageBox.Show("Logged in successfully as " & TextBox1.Text, "", MessageBoxButtons.OK, MessageBoxIcon.Information)
                Firs.Show()
                Me.Close()
                'Clear all fields
            End If
        End While
    Else
        MessageBox.Show("Invalid username or password.", "", MessageBoxButtons.OK, MessageBoxIcon.Error)
    End If
End Using
myconnection.Close()
```

If I put in the correct login info but with the wrong capitalization, I don't get an acceptance or a rejection; the program just sits there and does nothing. How can I get a denial of the login when the capitalization is wrong?

M463
0s98adgh
  • You are vulnerable to [SQL injection attacks](http://stackoverflow.com/questions/542510/how-do-i-create-a-parameterized-sql-query-why-should-i), and you should not store passwords like that. – Ňɏssa Pøngjǣrdenlarp Jun 15 '15 at 16:18
  • Wow, your code is a textbook example of SQL injection. Also, you should NEVER store passwords in clear text. They should be hashed and salted. – Sean Lange Jun 15 '15 at 16:20
  • In most security situations, you don't reveal to an unauthenticated user that "well, that login is wrong, but maybe it's right if you change the capitalization." That tells intruders waaaay too much. You might advise a user if you can detect, for example, that their "Caps Lock" button is engaged, but beyond that, a wrong UsErName is a wrong uSerNaMe. – David W Jun 15 '15 at 16:22
  • See [OleDbException -- Syntax error in UPDATE statement](http://stackoverflow.com/a/29187199/1070452) for an example of using Parameters and other tidbits. – Ňɏssa Pøngjǣrdenlarp Jun 15 '15 at 16:35
  • Plutonix, what would be an example of a login someone could use to screw up the login? If you can provide me an example, my jaw will drop. – 0s98adgh Jun 15 '15 at 16:39
  • Think about a value for TextBox1.Text with something along the lines of "'); delete * from accounts;" That's just one example. Any code injected will run with whatever privilege is held by the connection specified back to the database. – David W Jun 15 '15 at 16:54
  • Classic [Little Bobby Tables](http://imgs.xkcd.com/comics/exploits_of_a_mom.png) example. – Ňɏssa Pøngjǣrdenlarp Jun 15 '15 at 17:41

2 Answers


As written, you really can't discern just a case mismatch from a query as you've illustrated in this code. If a database is set up for case sensitivity, a query will fail if two strings don't match even for the difference of a single mismatched character, but it doesn't retain that as a reason for the mismatch any more than it would for, say, "Apple" not matching "Banana."

David W

Please note that, as the commentators on your question stated:

  1. You're vulnerable to SQL injection attacks.
  2. You should never store passwords in clear text in your database. Once the DB gets cracked, all credentials are compromised. Not to mention evil DB admins that might get tempted to misuse those credentials...
  3. Case sensitivity in a password is a good thing.

With those things mentioned, if you want to provide your users with the comfort of a not case-sensitive username, just cast `TextBox1.Text` as well as the query result for the Username to upper case by changing `(Username = '" & TextBox1.Text & "' )` to `(UPPER(Username) = '" & TextBox1.Text.ToUpper() & "')`.

M463
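As an added example (not code from the question or from either answer), here is a login check that applies all three points above: the username is looked up case-insensitively on the server side through a parameter rather than string concatenation, the password is verified against a salted PBKDF2 hash instead of a stored plaintext, and an unknown user and a wrong password both produce the same `False` result so the form shows one uniform message. The `Salt` and `PasswordHash` columns, the iteration count and the module name are assumptions.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Module LoginCheck
    ' Assumed schema (not from the question): Accounts(Username NVARCHAR, Salt VARBINARY(16),
    ' PasswordHash VARBINARY(32)), where PasswordHash = PBKDF2(password, Salt, Iterations).
    Const Iterations As Integer = 100000

    Public Function DeriveHash(password As String, salt As Byte()) As Byte()
        ' PBKDF2 (Rfc2898DeriveBytes) is deliberately slow, unlike a plain hash of the password.
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(32)
        End Using
    End Function

    Public Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        ' Compare every byte so the time taken does not reveal where the first mismatch is.
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Public Function TryLogin(connectionString As String, username As String, password As String) As Boolean
        ' The username lookup ignores case; the password check stays case-sensitive.
        ' @user is a parameter, so the text box contents are never spliced into the SQL text.
        Const sql As String = "SELECT Salt, PasswordHash FROM Accounts WHERE UPPER(Username) = UPPER(@user)"
        Using conn As New SqlConnection(connectionString)
            conn.Open()
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = username
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    ' Unknown user and wrong password both return False: one uniform message for the caller.
                    If Not reader.Read() Then Return False
                    Dim salt As Byte() = DirectCast(reader("Salt"), Byte())
                    Dim stored As Byte() = DirectCast(reader("PasswordHash"), Byte())
                    Return FixedTimeEquals(DeriveHash(password, salt), stored)
                End Using
            End Using
        End Using
    End Function
End Module
```

In the form, call `TryLogin(connString, TextBox1.Text, TextBox2.Text)` and show the single "Invalid username or password." message whenever it returns `False`, so a wrong-case password is rejected rather than silently ignored.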