I have an application in C# and a database in SQLite. In the database, I have a table with a few columns. In one of the columns, I have a value which is encrypted with SHA1 from a query. But I need to use it in my C# app like this:

```csharp
cmd.CommandText = "Select * from accounts where (username=@username and password=sha1(@password));";
```

I need to select the string value, for logging to app. I receive the error: `no such function sha1`.

From other posts like this one, I understand that I have to create another function for hashing with sha1? But I don't really understand how to do this. Can anybody help me? Sorry if it's a duplicate, but I didn't find the specified answer.

dpaul1994
  • Use `Select * from accounts where (username=@username and password=@password);` and bind the hashed value for `@password` – dvhh Mar 22 '15 at 14:33
  • And in most cases, using a hash function such as `SHA1` is considered insecure for storing passwords; learn about [key derivation functions](http://en.wikipedia.org/wiki/Key_derivation_function), which are considered more secure for password storage. – dvhh Mar 22 '15 at 14:37
  • You mean like this: `cmd.Parameters.AddWithValue("sha1(@password)", password);` or `cmd.Parameters.AddWithValue(sha1("@password"), password);` ?? – dpaul1994 Mar 22 '15 at 14:37
  • Thank you dvhh for your suggestion! – dpaul1994 Mar 22 '15 at 14:38
  • Can you also give me a quick example of how to use that key derivation? – dpaul1994 Mar 22 '15 at 14:39
  • Use `Select * from accounts where (username=@username and password=@password);` as a query without `sha1` in the query and `cmd.Parameters.AddWithValue(@password",sha1(password)");`, meaning that you would have to apply sha1 in the C# code, rather than in SQL. – dvhh Mar 22 '15 at 14:39
  • Syntax for cmd is not correct. `cmd.Parameters.AddWithValue("@password", sha1(password));` Error: `sha1 doesn't exist in current context` – dpaul1994 Mar 22 '15 at 14:44
  • password is actually textBox1.Text – dpaul1994 Mar 22 '15 at 14:44
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/73529/discussion-between-dvhh-and-user272976). – dvhh Mar 22 '15 at 16:59

1 Answer

As SQLite does not implement any sha1 function by default, you would have to move the password hashing from the SQL query to your code.

Meaning your query should be:

```csharp
cmd.CommandText = "Select * from accounts where (username=@username and password=@password);";
```

and you should pass the password like this:

```csharp
cmd.Parameters.AddWithValue("@password", sha1(password));
```

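And you should implement your own sha1 function:

```csharp
using System;                        // Convert
using System.Security.Cryptography;  // SHA1, HashAlgorithm
using System.Text;                   // Encoding

// ...

// Returns the Base64-encoded SHA-1 digest of the UTF-8 bytes of input.
string sha1(string input) {
    byte[] byteArray = Encoding.UTF8.GetBytes(input);
    string result = "";
    using (HashAlgorithm hash = SHA1.Create()) {
        result = Convert.ToBase64String(hash.ComputeHash(byteArray));
    }
    return result;
}
```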

Important

Using a hashing function is considered quite insecure for storing passwords; you should consider learning about key derivation functions. Reading the Wikipedia pages will lead you to C# implementations of such functions.

dvhh
  • One problem, I tried just for my curiosity to use sha1 with that `string sha1(string input) {}` but I receive the error: `sha1(string) is a method, which is not valid in the given context`. Why? – dpaul1994 Mar 22 '15 at 16:12
  • Sorry for the name conflict, I have amended my answer. – dvhh Mar 22 '15 at 16:27
  • Yes, code is ok, but it doesn't recognize my value from the table. I think here is the problem: `cmd.Parameters.AddWithValue("@password", sha1(password));` I receive: `Incorrect username or password` – dpaul1994 Mar 22 '15 at 16:58