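/// <summary>
/// Checks whether <paramref name="password"/> matches the salted hash stored for
/// <paramref name="userName"/>. Fails closed: missing credentials, no (or more than one)
/// matching row, a NULL salt/hash column, or a hash mismatch all yield <c>false</c>.
/// </summary>
/// <param name="userName">Login name to look up; sent as a sized VarChar parameter, never concatenated into SQL.</param>
/// <param name="password">Plain-text password to verify; it is hashed with the stored salt and never persisted or logged.</param>
/// <returns><c>true</c> only when exactly one account row exists and the recomputed hash equals the stored one.</returns>
public static bool AccessIsAllowed(string userName, string password)
{
    // Fail closed instead of handing a null parameter value to SqlClient (which throws).
    if (string.IsNullOrEmpty(userName) || password == null)
    {
        return false;
    }

    string connectionString = ConfigurationManager.ConnectionStrings["gasTrackerConnectionString"].ConnectionString;
    // Only the column name (a project constant) is formatted in; the user value travels as a parameter.
    string strSQL = string.Format("Select * From Accounts where {0} = @{0}", AccountTable.UserName);

    using (SqlConnection connection = new SqlConnection())
    using (SqlCommand selectUserCommand = new SqlCommand(strSQL, connection))
    {
        selectUserCommand.Parameters.Add("@" + AccountTable.UserName, SqlDbType.VarChar, MAX_USERNAME_LENGHT).Value = userName;

        connection.ConnectionString = connectionString;
        connection.Open();
        using (SqlDataReader myDataReader = selectUserCommand.ExecuteReader(CommandBehavior.CloseConnection))
        {
            DataTable accountsTable = new DataTable();
            accountsTable.Load(myDataReader);
            if (accountsTable.Rows.Count != 1 || accountsTable.HasErrors)
            {
                return false;
            }

            DataRow accountRow = accountsTable.Rows[0];
            // A NULL salt or hash cannot be verified; reject rather than throw InvalidCastException on the (string) cast.
            if (accountRow.IsNull(AccountTable.Salt) || accountRow.IsNull(AccountTable.Password))
            {
                return false;
            }

            byte[] salt = Convert.FromBase64String((string)accountRow[AccountTable.Salt]);
            byte[] encriptedSaltedPassword = Authentification.MakeEncriptedSaltedPassword(password, salt);
            string encriptedSaltedPasswordStringByUser = Convert.ToBase64String(encriptedSaltedPassword);
            string passwordDB = (string)accountRow[AccountTable.Password];
            // Compare without early exit so the time taken does not reveal how many leading characters matched.
            return ConstantTimeEquals(encriptedSaltedPasswordStringByUser, passwordDB);
        }
    }
}

/// <summary>
/// Ordinal string equality whose running time depends only on the length of the inputs,
/// not on the position of the first mismatch. Used instead of <c>==</c> for hash comparison.
/// </summary>
/// <param name="left">First string; <c>null</c> never compares equal.</param>
/// <param name="right">Second string; <c>null</c> never compares equal.</param>
/// <returns><c>true</c> when both strings are non-null and character-for-character identical.</returns>
private static bool ConstantTimeEquals(string left, string right)
{
    if (left == null || right == null || left.Length != right.Length)
    {
        return false;
    }

    int difference = 0;
    for (int i = 0; i < left.Length; i++)
    {
        // OR-accumulate the XOR of every character pair; no branch on a mismatch.
        difference |= left[i] ^ right[i];
    }
    return difference == 0;
}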
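/// <summary>
/// Creates a new row in <c>dbo.Accounts</c> for <paramref name="userName"/>, persisting a
/// per-account random salt and the salted password hash (never the plain-text password),
/// the creation/update timestamps (UTC) and the initial <c>Active</c> state.
/// </summary>
/// <param name="userName">Login name of the new account; validated by <c>ValidateUserNamePassword</c> first.</param>
/// <param name="password">Plain-text password; only its salted hash is stored.</param>
/// <exception cref="ArgumentOutOfRangeException">
/// Thrown (via <c>Validator.ThrowIfTrue</c>) when the Base64-encoded hash or salt would not fit its column.
/// </exception>
public static void AddAccount(string userName, string password)
{
    ValidateUserNamePassword(userName, password);

    // Column names are project constants; every value is bound as a parameter below.
    string sqlInsert = string.Format(
        "Insert Into dbo.Accounts " +
        "({0}, {1}, {2}, {3}, {4}, {5}) Values " +
        "(@{0}, @{1}, @{2}, @{3}, @{4}, @{5})",
        AccountTable.UserName, AccountTable.Password, AccountTable.Salt,
        AccountTable.Created, AccountTable.Updated, AccountTable.State);

    // Fresh cryptographically random salt per account. RandomNumberGenerator.Create() replaces the
    // obsolete RNGCryptoServiceProvider and exists on every .NET Framework / .NET version.
    byte[] salt = new byte[SALT_LENGHT];
    using (RandomNumberGenerator saltGenerator = RandomNumberGenerator.Create())
    {
        saltGenerator.GetBytes(salt);
    }

    byte[] encriptedSaltedPassword = Authentification.MakeEncriptedSaltedPassword(password, salt);
    string encriptedSaltedPasswordString = Convert.ToBase64String(encriptedSaltedPassword);
    // Only lengths are traced; the hash and salt values themselves are never logged.
    Debug.Print(string.Format("encriptedSaltedPasswordString.Length {0}", encriptedSaltedPasswordString.Length));
    Validator.ThrowIfTrue<ArgumentOutOfRangeException>(
        encriptedSaltedPasswordString.Length > PASSWORD_FIELD_LENGHT,
        string.Format("The encriptedSaltedPasswordString is too long: {0}", encriptedSaltedPasswordString.Length));

    string encodedSaltBase64String = Convert.ToBase64String(salt);
    Debug.Print(string.Format("encodedSaltBase64String.Length {0}", encodedSaltBase64String.Length));
    Validator.ThrowIfTrue<ArgumentOutOfRangeException>(
        encodedSaltBase64String.Length > SALT_FIELD_LENGHT,
        string.Format("The encodedSaltBase64String is too long: {0}", encodedSaltBase64String.Length));

    // Read the clock once so Created and Updated are identical for a brand-new row.
    DateTime utcNow = DateTime.UtcNow;

    using (SqlConnection connection = new SqlConnection())
    using (SqlCommand command = new SqlCommand(sqlInsert, connection))
    {
        AddVarCharParameter(command, AccountTable.UserName, userName, MAX_USERNAME_LENGHT);
        AddVarCharParameter(command, AccountTable.Password, encriptedSaltedPasswordString, PASSWORD_FIELD_LENGHT);
        AddVarCharParameter(command, AccountTable.Salt, encodedSaltBase64String, SALT_FIELD_LENGHT);
        command.Parameters.Add("@" + AccountTable.Created, SqlDbType.DateTime2).Value = utcNow;
        command.Parameters.Add("@" + AccountTable.Updated, SqlDbType.DateTime2).Value = utcNow;
        command.Parameters.Add("@" + AccountTable.State, SqlDbType.Int).Value = AccountState.Active;

        connection.ConnectionString = ConfigurationManager.ConnectionStrings["gasTrackerConnectionString"].ConnectionString;
        connection.Open();
        command.ExecuteNonQuery();
    }
}

/// <summary>
/// Adds a sized VarChar input parameter named <c>"@" + column</c> to <paramref name="command"/>.
/// </summary>
/// <param name="command">Command receiving the parameter.</param>
/// <param name="column">Column name; the parameter name is derived from it.</param>
/// <param name="value">Value bound to the parameter.</param>
/// <param name="size">Declared VarChar size, matching the column width.</param>
private static void AddVarCharParameter(SqlCommand command, string column, string value, int size)
{
    command.Parameters.Add("@" + column, SqlDbType.VarChar, size).Value = value;
}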