
I have a problem when I run a SQL command and the result is a SHA-256 hashed password.

Password in database: "Z?VU??u2???f?[??\n?Mn??=1???<3?\v?"

Password returned by c# after the query: "Z?VU??u2???f?[??\ \n?Mn??=1???<3?\ \v?"(I put a space because it is deleted by the page)

This is my code:

// Hash the typed password with SHA-256
byte[] data = System.Text.Encoding.ASCII.GetBytes(txtPassword.Text);
data = new System.Security.Cryptography.SHA256Managed().ComputeHash(data);

// Turn the 32 raw hash bytes into a string by decoding them as ASCII
String hash = System.Text.Encoding.ASCII.GetString(data);

SqlDataAdapter da = new SqlDataAdapter();

// Query built by string concatenation (the original version, before the edit below)
string Command = "Select * From Users where Status=1 and Username='" + txtUser.Text + "'" + " and Password='" + hash + "'";
da.SelectCommand = new SqlCommand(Command, Database.Connection);

da.Fill(dsResult);

if (dsResult.Tables[0].Rows.Count != 0)
{
    DoSomething();
}

I saw the error when I tried this

Select Password 
From Users 
Where Status = 1 
  And Username = '" + txtUser.Text + "'"

and the result was the password but with duplicate \.

In SQL Server Management Studio, this query:

Select * 
From Users 
Where Status = 1 
  And Username = 'Rick' 
  And Password = 'Z?VU??u2???f?[??\n?Mn??=1???<3?\v?'

works perfectly.

Thank you.

Edit: Injection Changes.

New Code:

SqlDataReader da;
// Parameterized version: user input and the stored hash are bound as parameters
string Command = @"Select * From Users where Status=1 and Username=@User and Password=@Password";
SqlCommand cmd = new SqlCommand(Command, Database.Connection);
cmd.Parameters.Add("@Password", SqlDbType.NVarChar).Value = "Z?VU??u2???f?[??\n?Mn??=1???<3?\v?";
cmd.Parameters.Add("@User", SqlDbType.NVarChar).Value = txtUsuario.Text.Replace(" ", "");
da = cmd.ExecuteReader();
if (da.HasRows)
{
    da.Read();
    DoSomething();
}

But the problem persists. When C# executes the query, it interprets the password in the database as having the double backslash, so it never matches the input password.

NachoRuba
  • Did you try setting parameter for command instead of passing direct value? – Yashar Aliabbasi May 09 '17 at 03:38
  • 2
    [SQL Injection alert](http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx) - you should **not** concatenate together your SQL statements - use **parametrized queries** instead to avoid SQL injection - check out [Little Bobby Tables](https://xkcd.com/327/) – marc_s May 09 '17 at 04:51
  • 1
    Duplicating the backslashes is **standard C#** behavior - that's not unusual or cause for concern. The backslash is duplicated to indicate that you really want a backslash - otherwise, it'll be interpreted as an **escape sequence** (together with the next char, e.g. `\t` is a tab, `\r` is carriage return etc.) – marc_s May 09 '17 at 05:52
  • An effective solution could be hash.Replace("\","\\"); ? – NachoRuba May 09 '17 at 14:22

1 Answer


By using SqlParameter you can send the variable without losing data and avoid SQL injection, like this:

string insertString = @"Select * From Users where Status=1 and Username='Rick' and Password=@pass";
SqlCeCommand cmd = new SqlCeCommand(insertString, c);
// The stored value is bound as a parameter, so nothing in it is parsed as SQL
cmd.Parameters.Add("@pass", SqlDbType.NVarChar).Value = "Z?VU??u2???f?[??\n?Mn??=1???<3?\v?";
//And the rest
Yashar Aliabbasi
  • Thanks for letting me know about the injection. I made some changes, but the problem persists. When C# executes the query, it interprets the password in the database as having the double backslash, so it never matches the input password. – NachoRuba May 09 '17 at 14:15
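Two things in the question and the answer above deserve a worked illustration. First, `Encoding.ASCII.GetString` on raw SHA-256 bytes is lossy: every byte at or above 0x80 is replaced by `'?'`, so about half of the 32 bytes are destroyed and the stored string is no longer a faithful copy of the hash. Second, the "duplicate backslash" in the comments is only the debugger's escaping: a real newline is one character that is displayed as `\n`, while a literal backslash followed by `n` is two characters displayed as `\\n`; the two never compare equal. The following is an added example, not code from the question or the answer. The table and column names (`Users`, `Username`, `PasswordHash`, `Status`), the parameter sizes and the sample password `"hunter2"` are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or the answer.
// Table/column names and the sample password "hunter2" are assumptions.
static class PasswordHashDemo
{
    // What the question does: decode raw hash bytes as ASCII. Encoding.ASCII
    // replaces every byte >= 0x80 with '?', so most of the digest is lost and
    // many different hashes collapse to the same string of '?' characters.
    public static string LossyAsciiHash(string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
            return Encoding.ASCII.GetString(digest);
        }
    }

    // Lossless alternative: 32 bytes -> 64 hex characters, safe to store in a
    // CHAR(64) column and to compare as text (Convert.ToBase64String works too).
    public static string HexHash(string password)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(password));
            return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant();
        }
    }

    // Login check with a parameterized query: the username and the hash are
    // bound as parameters and never become part of the SQL text.
    public static bool Login(SqlConnection conn, string username, string password)
    {
        const string sql =
            "SELECT 1 FROM Users WHERE Status = 1 AND Username = @User AND PasswordHash = @Hash";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@User", SqlDbType.NVarChar, 256).Value = username;
            cmd.Parameters.Add("@Hash", SqlDbType.Char, 64).Value = HexHash(password);
            return cmd.ExecuteScalar() != null;
        }
    }

    static void Main()
    {
        string lossy = LossyAsciiHash("hunter2");
        int questionMarks = 0;
        foreach (char c in lossy) if (c == '?') questionMarks++;
        Console.WriteLine($"ASCII-decoded: {lossy.Length} chars, {questionMarks} of them '?'");
        Console.WriteLine($"Hex-encoded:   {HexHash("hunter2")}");

        // The "duplicate backslash" from the comments: a debugger shows a
        // one-character newline as \n and a literal backslash as \\. The two
        // strings below look alike in a watch window but differ in length
        // and never compare equal.
        string realNewline = "a\nb";        // 3 chars: 'a', LF, 'b'
        string literalBackslashN = "a\\nb"; // 4 chars: 'a', '\', 'n', 'b'
        Console.WriteLine($"{realNewline.Length} vs {literalBackslashN.Length}, equal: {realNewline == literalBackslashN}");
    }
}
```

Note that T-SQL string literals do not process backslash escapes, so the `'...\n...'` typed into Management Studio is a backslash followed by `n`, two characters, which is why the query in the question matches a stored value containing those two characters but a freshly computed hash containing a real newline byte does not. Storing the digest as hex (or as `VARBINARY(32)` compared against the raw bytes) removes both the lossy decode and the escaping confusion. Independently of the encoding, an unsalted single SHA-256 is a fast hash and not a suitable password store; a salted, iterated construction such as PBKDF2 (`Rfc2898DeriveBytes` in .NET) should be used instead.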