        /*********************************************************************
        * The following methods concern db queries related to admin objects. *
        *********************************************************************/

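        /// <summary>
        /// Stores a new admin user in the db. The plaintext in <c>model.Password</c> is never persisted:
        /// a fresh random salt is generated and only the salted digest and the salt are written.
        /// </summary>
        /// <param name="model">Admin object to insert. Its <c>PasswordHash</c> and <c>Salt</c> members are
        /// overwritten with the generated values; a null <c>Lastname</c> is normalised to an empty string.</param>
        /// <exception cref="ArgumentNullException"><paramref name="model"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="model"/> carries no password. An empty string
        /// would still hash and would let anyone log in to the new account with an empty password.</exception>
        public void createUser(Admin model)
        {
            if (model == null)
                throw new ArgumentNullException(nameof(model));
            // editUser treats a blank password as "keep the current one"; on creation there is nothing to keep.
            if (String.IsNullOrWhiteSpace(model.Password))
                throw new ArgumentException("A new admin user requires a non-empty password.", nameof(model));

            // Hash the password with a fresh per-user salt.
            // If you change the salt length below, ensure it also reflects the supported length in the corresponding db table.
            // NOTE(review): a single salted SHA-256 pass is cheap to brute-force offline; a slow KDF (PBKDF2/Argon2)
            // would be preferable, but the login-side verification must change in step, so the algorithm is left as is.
            PasswordEncryption passwordHasher = new PasswordEncryption();
            byte[] salt = passwordHasher.generateSalt(64);
            using (SHA256 sha256 = SHA256.Create())
            {
                HSPassword passwordHash = passwordHasher.generateHashWithSalt(model.Password, salt, sha256);
                model.PasswordHash = passwordHash.Digest;
            }
            model.Salt = Convert.ToBase64String(salt);

            // The table name comes from the class-level constant, never from the caller; every value is a parameter.
            string sql = "INSERT INTO " + db_table_admin + " VALUES(@firstname, @lastname, @useremail, @passwordhash, @salt)";

            // Prevent conflicts with SqlParameters when null is set for optional fields:
            if (model.Lastname == null)
                model.Lastname = "";

            // using blocks release the connection and command even when ExecuteNonQuery throws
            // (the previous Open/Execute/Close sequence leaked the connection on error).
            using (SqlConnection dbConn = new SqlConnection(dbConnect()))
            using (SqlCommand dbCommand = new SqlCommand(sql, dbConn))
            {
                // Use SqlParameters to prevent SQL injections:
                dbCommand.Parameters.Add(new SqlParameter("@firstname", model.Firstname));
                dbCommand.Parameters.Add(new SqlParameter("@lastname", model.Lastname));
                dbCommand.Parameters.Add(new SqlParameter("@useremail", model.Email));
                dbCommand.Parameters.Add(new SqlParameter("@passwordhash", model.PasswordHash));
                dbCommand.Parameters.Add(new SqlParameter("@salt", model.Salt));

                dbConn.Open();
                dbCommand.ExecuteNonQuery();
            }
        }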
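        /// <summary>
        /// Updates the admin identified by <c>model.Email</c> in the db. Email is the lookup key and therefore
        /// cannot be changed through this method. Firstname and Lastname are always written; PasswordHash and
        /// Salt are re-generated only when a new plaintext is supplied in <c>model.Password</c>. When no
        /// password is supplied and the model carries no hash/salt, the stored credentials are left untouched.
        /// </summary>
        /// <param name="model">Admin object holding the new values. Its <c>PasswordHash</c> and <c>Salt</c>
        /// members are overwritten when a password is set; a null <c>Lastname</c> is normalised to an empty string.</param>
        /// <exception cref="ArgumentNullException"><paramref name="model"/> is null.</exception>
        public void editUser(Admin model)
        {
            if (model == null)
                throw new ArgumentNullException(nameof(model));

            // Generate a new password hash only if a password change is requested; a blank Password means "keep the current one".
            if (!String.IsNullOrWhiteSpace(model.Password))
            {
                // If you change the salt length below, ensure it also reflects the supported length in the corresponding db table.
                // NOTE(review): a single salted SHA-256 pass is cheap to brute-force offline; a slow KDF (PBKDF2/Argon2)
                // would be preferable, but the login-side verification must change in step, so the algorithm is left as is.
                PasswordEncryption passwordHasher = new PasswordEncryption();
                byte[] salt = passwordHasher.generateSalt(64);
                using (SHA256 sha256 = SHA256.Create())
                {
                    HSPassword passwordHash = passwordHasher.generateHashWithSalt(model.Password, salt, sha256);
                    model.PasswordHash = passwordHash.Digest;
                }
                model.Salt = Convert.ToBase64String(salt);
            }

            // Hash and salt are written only when the model actually carries them (always the case after a re-hash).
            // Sending them unconditionally broke the "password unchanged" case: SqlClient rejects a null-valued
            // parameter as "not supplied", and the former CASE WHEN ... <> @passwordhash form still needed a value
            // to compare against. Writing @passwordhash directly is equivalent to that CASE expression.
            bool writeCredentials = model.PasswordHash != null && model.Salt != null;
            string sql = "UPDATE " + db_table_admin +
            " SET Firstname = @firstname, Lastname = @lastname, Email = @useremail" +
            (writeCredentials ? ", PasswordHash = @passwordhash, Salt = @salt" : "") +
            " WHERE Email = @useremail;";

            // Prevent conflicts with SqlParameters when null is set for optional fields:
            if (model.Lastname == null)
                model.Lastname = "";

            // using blocks release the connection and command even when ExecuteNonQuery throws
            // (the previous Open/Execute/Close sequence leaked the connection on error).
            using (SqlConnection dbConn = new SqlConnection(dbConnect()))
            using (SqlCommand dbCommand = new SqlCommand(sql, dbConn))
            {
                // Use SqlParameters to prevent SQL injections:
                dbCommand.Parameters.Add(new SqlParameter("@firstname", model.Firstname));
                dbCommand.Parameters.Add(new SqlParameter("@lastname", model.Lastname));
                dbCommand.Parameters.Add(new SqlParameter("@useremail", model.Email));
                if (writeCredentials)
                {
                    dbCommand.Parameters.Add(new SqlParameter("@passwordhash", model.PasswordHash));
                    dbCommand.Parameters.Add(new SqlParameter("@salt", model.Salt));
                }

                dbConn.Open();
                dbCommand.ExecuteNonQuery();
            }
        }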