
I'm using SQLExpress to store information.

I have a very basic user setup in my app. I have a Login table that contains only three fields, these are Username, Password and Security Level. There are only three security levels: High, Medium and Low.

On my login form, I have the following code to save the user that is logging into a Settings.Default[], so I can read it later.

private void Loginbtn_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=.\SQLEXPRESS;Initial Catalog=MySupportHub;Integrated Security=True");
    // The text box contents are concatenated straight into the SQL text
    SqlDataAdapter sda = new SqlDataAdapter(@"SELECT * FROM [dbo].[Login] Where Username='" + usernameTextBox.Text + "' and Password='" + passwordTextBox.Text + "'", con);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    // Exactly one matching row is treated as a successful login
    if (dt.Rows.Count == 1)
    {
        Settings.Default["CurrentUserName"] = usernameTextBox.Text;
        Settings.Default.Save();

        this.Hide();
        Home home = new Home();
        home.Show();
    }
    else
    {
        MessageBox.Show("Invalid Username and/or Password..!", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        Clearbtn_Click(sender, e);
    }
}

Then on the Home page, I have the following code, run on page load, to get the value and display the current logged-in user in the bottom status bar.

//Identify and display current logged in user

CurrentUser.Caption = Settings.Default["CurrentUserName"].ToString();

What I would like to be able to do now is check the current logged-in user's security level (the user value would be stored here: "CurrentUser.Caption" on the main form) and be able to disable features like creating a new user etc.

So I would need to be able to read the CurrentUser.Caption value, check that against the (SQL Express) [dbo].[Login] table and find the user's security level and limit features based on the result.

Any help would be appreciated.

Thanks

Phil

UVM
  • You know how to retrieve value from datatable `dt`? If yes then you should retrieve the value of `SecurityLevel` from the table and store it in the Default settings and use it wherever you want. – Chetan Jul 09 '17 at 10:20
  • I'm afraid I'm still learning. I was going to try and pull the security value at login instead of the main form and display it on the status bar next to the username and then condition it on that. But I think I keep overthinking the code needed to retrieve that information from the database for that specific user. Can I alter the Login button code to pull this value and set it as a default setting? – Phillip Gowens Jul 09 '17 at 10:30
  • Yes... You can do that. – Chetan Jul 09 '17 at 10:32
  • It looks like you may be saving the user's password, that is not secure or acceptable, instead a password verifier should be stored. – zaph Jul 09 '17 at 14:11
  • For now I have changed the above code to: 'SqlDataAdapter sda = new SqlDataAdapter(@"SELECT * FROM [dbo].[Login] Where Username='" + usernameTextBox.Text + "' and Password='" + passwordTextBox.Text + "' and Security_Level='" + securityComboBox.Text + "'", con);' And added a security combobox, where this condition also has to be met. I can save this value and apply conditions successfully. Thanks for your help – Phillip Gowens Jul 10 '17 at 10:57

2 Answers

1

You are essentially implementing user authentication and authorization in WebForms.

What would happen in your scenario if a user types the following string for a username and password (without the quotes): "foo OR 1=1" ? You must never concatenate strings in database CRUD operations, to prevent SQL injections.

I could advise you to use FormsAuthentication and encrypted tickets containing user roles and not store passwords in plain text or even encrypted, but rather store hashes using PBKDF2 and cryptographic salts. But you might not be concerned about a production environment and this might be just a learning example. In this case you still don't want to practice what you will never use in a real world application, namely taking the value of a user control to match against permissions stored in a table. One can change the value at the client (browser) and trick the system.

Getting to grips with FormsAuthentication and using the User.Identity.IsInRole would be one way to proceed, you can check this on one of Microsoft Docs tutorials: https://support.microsoft.com/en-us/help/301240/how-to-implement-forms-based-authentication-in-your-asp.net-applicatio

I assume you would like to gain industry valid skills for implementing authentication and authorization in an asp.net web environment. If this is the objective behind your question, it would likely take you the same time to learn all of this as it would take you to learn asp.net Identity, which handles many things for you.

In either scenario it will take you a long time to develop your app without using the Entity Framework, and unless you use Identity you have to go a long way to implement your own security features, especially of high quality. Trust me, I have been there, done that.

There will be a learning curve, but the best way forward is to use EF to save you tons of time, also ASP.NET Identity for nowadays relevant skills and also to save you tons of time. It's worth comparing Web Forms and MVC too, MVC is a better choice for a dynamic full featured modern application.

I wish there was a simpler answer to your question, but solving this problem the way you intend to will not help you at all in the future and it will not be used in a real application.

The answer is subjective, but in my opinion you can make a fresh start with MVC, EF and Identity, it will take you the same time to learn the right way to do what you intend to do now, but it will give you skills you can use in the future in a production environment and also concepts not only limited to ASP.NET. Take the learning curve.

Dimitar Nikovski
  • I don't plan on working with asp.net. I have modified some of my code on the login to authenticate username, password and now security level using a combobox, so typing "foo OR 1=1" without quotes does nothing when typed into username and password. But I do see where you're coming from and do plan to learn more in the future to secure user data better. Thanks for your help and suggestions. I will read through the link. – Phillip Gowens Jul 10 '17 at 11:12
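The following is an added example, not code from the question or from either answer. It shows, in the WinForms/ADO.NET setting of the question, how the login handler can read the user's Security_Level from the table in the same query that checks the credentials (the question's goal), while applying the points made in the answer above: the username goes to SQL Server as a parameter instead of being concatenated, and the table stores a salted PBKDF2 hash rather than the password. The PasswordHash, Salt and Iterations columns, the CurrentSession class, the Home_Load handler and the newUserButton control are assumptions for the example; the connection string, the Login table, Security_Level, the Login and Home forms and CurrentUser.Caption are from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Windows.Forms;

// Assumed columns in [dbo].[Login]: Username, PasswordHash (varbinary), Salt (varbinary),
// Iterations (int), Security_Level (nvarchar: High / Medium / Low). The hash, salt and
// iteration columns are assumptions; the question's table stores the password itself.
public static class LoginService
{
    private const string ConnectionString =
        @"Data Source=.\SQLEXPRESS;Initial Catalog=MySupportHub;Integrated Security=True";

    // Returns the user's Security_Level on success, or null when the login fails.
    // The username is sent as a parameter, so whatever is typed is only ever compared as data.
    public static string Authenticate(string username, string password)
    {
        const string sql = "SELECT PasswordHash, Salt, Iterations, Security_Level " +
                           "FROM [dbo].[Login] WHERE Username = @Username";
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return null;                                   // no such user
                byte[] storedHash = (byte[])reader["PasswordHash"];
                byte[] salt       = (byte[])reader["Salt"];
                int iterations    = (int)reader["Iterations"];
                string level      = (string)reader["Security_Level"];
                return VerifyPassword(password, salt, iterations, storedHash) ? level : null;
            }
        }
    }

    // Recomputes PBKDF2 (Rfc2898DeriveBytes) over the typed password and compares it to the
    // stored hash byte by byte without an early exit, so the comparison time does not depend
    // on where the first differing byte is.
    public static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    // For the "create a new user" feature: random 16-byte salt, 100,000 iterations, 32-byte hash.
    public static void CreateCredential(string password, out byte[] salt, out int iterations, out byte[] hash)
    {
        salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        iterations = 100000;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            hash = kdf.GetBytes(32);
    }
}

// Session state kept in memory for the life of the process (assumed class). Settings.Default
// is persisted to the user's user.config file, which that Windows account can edit, so the
// value that gates features is better not read back from disk.
public static class CurrentSession
{
    public static string UserName { get; set; }
    public static string SecurityLevel { get; set; }
}

public partial class Login : Form
{
    private void Loginbtn_Click(object sender, EventArgs e)
    {
        string level = LoginService.Authenticate(usernameTextBox.Text, passwordTextBox.Text);
        if (level == null)
        {
            MessageBox.Show("Invalid Username and/or Password..!", "Error",
                            MessageBoxButtons.OK, MessageBoxIcon.Error);
            Clearbtn_Click(sender, e);
            return;
        }
        CurrentSession.UserName = usernameTextBox.Text;
        CurrentSession.SecurityLevel = level;       // read from the table, not from a combobox
        this.Hide();
        new Home().Show();
    }
}

public partial class Home : Form
{
    // Home_Load and newUserButton are hypothetical names for the "on page load" code and
    // the "create a new user" feature mentioned in the question.
    private void Home_Load(object sender, EventArgs e)
    {
        CurrentUser.Caption = CurrentSession.UserName + " (" + CurrentSession.SecurityLevel + ")";
        newUserButton.Enabled = CurrentSession.SecurityLevel == "High";
    }
}
```

The level is looked up from the row the server returns, so a user cannot promote themselves by picking a different value in a combobox; the same parameterized pattern applies to the query that later creates or edits users. Converting the existing table means adding the hash, salt and iteration columns and writing each user's credential through CreateCredential once, after which the plain-text Password column can be dropped.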
0

Are you looking for

SELECT CURRENT_USER; 

or

SELECT SUSER_NAME(); 

and check with your table records?

Kannan Kandasamy