Exemplo n.º 1
0
        /*********************************************************************
        * The following methods concern db queries related to admin objects. *
        *********************************************************************/

        /// <summary>
        /// This method stores a new admin user in db.
        /// </summary>
        /// <param name="model">Admin object.</param>
        public void createUser(Admin model)
        {
            string conn = dbConnect();
            SqlConnection dbConn = new SqlConnection(conn);

            // Encrypt password with hash and salt:
            PasswordEncryption passwordHasher = new PasswordEncryption();
            // If you change input value below, ensure it also reflects the supported length in the corresponding db table:
            byte[] salt = passwordHasher.generateSalt(64);
            HSPassword PasswordHash = passwordHasher.generateHashWithSalt(model.Password, salt, SHA256.Create());
            model.PasswordHash = PasswordHash.Digest;
            model.Salt = Convert.ToBase64String(salt);

            // Insert query to be executed to db:
            string sql = "INSERT INTO " + db_table_admin + " VALUES(@firstname, @lastname, @useremail, @passwordhash, @salt)";

            SqlCommand dbCommand = new SqlCommand(sql, dbConn);

            // Prevent conflicts with SqlParameters when null is set for optional fields:
            if (model.Lastname == null)
                model.Lastname = "";

            // Use SqlParameters to prevent SQL injections:
            dbCommand.Parameters.Add(new SqlParameter("@firstname", model.Firstname));
            dbCommand.Parameters.Add(new SqlParameter("@lastname", model.Lastname));
            dbCommand.Parameters.Add(new SqlParameter("@useremail", model.Email));
            dbCommand.Parameters.Add(new SqlParameter("@passwordhash", model.PasswordHash));
            dbCommand.Parameters.Add(new SqlParameter("@salt", model.Salt));

            dbConn.Open();
            dbCommand.ExecuteNonQuery();
            dbConn.Close();
        }
Exemplo n.º 2
0
        /// <summary>
        /// This method updates the admin credentials in db.
        /// </summary>
        public void editUser(Admin model)
        {
            string conn = dbConnect();
            SqlConnection dbConn = new SqlConnection(conn);

            // Generate a new password hash if the password is requested to be updated:
            if (!String.IsNullOrWhiteSpace(model.Password))
            {
                PasswordEncryption passwordHasher = new PasswordEncryption();
                // If you change input value below, ensure it also reflects the supported length in the corresponding db table:
                byte[] salt = passwordHasher.generateSalt(64);
                HSPassword PasswordHash = passwordHasher.generateHashWithSalt(model.Password, salt, SHA256.Create());
                model.PasswordHash = PasswordHash.Digest;
                model.Salt = Convert.ToBase64String(salt);
            }

            // Update query with check on password update, else current password is kept:
            string sql = "UPDATE " + db_table_admin +
            " SET Firstname = @firstname, Lastname = @lastname, Email = @useremail, " +
            "PasswordHash = CASE WHEN PasswordHash <> @passwordhash THEN @passwordhash ELSE PasswordHash END, " +
            "Salt = CASE WHEN Salt <> @salt THEN @salt ELSE Salt END " +
            "WHERE Email = @useremail;";

            SqlCommand dbCommand = new SqlCommand(sql, dbConn);

            // Prevent conflicts with SqlParameters when null is set for optional fields:
            if (model.Lastname == null)
                model.Lastname = "";

            // Use SqlParameters to prevent SQL injections:
            dbCommand.Parameters.Add(new SqlParameter("@firstname", model.Firstname));
            dbCommand.Parameters.Add(new SqlParameter("@lastname", model.Lastname));
            dbCommand.Parameters.Add(new SqlParameter("@useremail", model.Email));
            dbCommand.Parameters.Add(new SqlParameter("@passwordhash", model.PasswordHash));
            dbCommand.Parameters.Add(new SqlParameter("@salt", model.Salt));

            dbConn.Open();
            dbCommand.ExecuteNonQuery();
            dbConn.Close();
        }