Making Sausages : Page 2


Build a Sample Application
For this demonstration, I'm going to assume that you're using SQL Server 2000, and that you have a table named Users in which you're going to store authentication information. I've created such a table with columns named UserId (int primary key, identity), EmailAddress (nvarchar 100), FullName (nvarchar 50, allow nulls), UserHash (nvarchar 50), and UserSalt (nvarchar 50). In addition, I've created stored procedures that add and retrieve hash/salt values for a user. The following stored procedure adds a user:

CREATE PROCEDURE ws_AddNewUser
    @UserHash varchar(50),
    @UserSalt varchar(50),
    @EmailAddress varchar(255),
    @FullName varchar(50)
AS
    DECLARE @UserId int

    -- If the email address is already registered, return the existing UserId
    SELECT @UserId = UserId FROM Users WHERE EmailAddress = @EmailAddress
    IF @UserId > 0
        RETURN @UserId
    ELSE
    BEGIN
        -- Otherwise insert the new row and return its identity value.
        -- @@IDENTITY is the last identity value generated in the session;
        -- SCOPE_IDENTITY() would exclude values generated by triggers.
        INSERT INTO Users (UserHash, UserSalt, EmailAddress, FullName)
            VALUES (@UserHash, @UserSalt, @EmailAddress, @FullName)
        RETURN @@IDENTITY
    END
GO

The following stored procedure retrieves a user's hash and salt values, given an email address:

CREATE PROCEDURE ws_Validateuser
    @EmailAddress nvarchar(255),
    @UserHash varchar(50) OUTPUT,
    @UserSalt varchar(50) OUTPUT
AS
    SET NOCOUNT ON
    DECLARE @UserId int

    -- Fetch the stored hash and salt for this email address
    SELECT @UserId = UserId, @UserHash = UserHash, @UserSalt = UserSalt
    FROM Users
    WHERE EmailAddress = @EmailAddress

    -- No matching row leaves @UserId NULL; report that to the caller as an error
    IF @UserId IS NULL
        RAISERROR ('The specified user does not exist', 16, 1)
    ELSE
        RETURN
GO

Listing 1 contains the complete code of a class I've created named ValidationHelper. All its methods are shared/static, so you don't have to create an instance of the class before calling its methods. I don't have room here to discuss every line of the ValidationHelper class, but hopefully the comments in the code clear up any confusing parts. To quickly sum up what's going on: the HashString method calls the ComputeHash method of the SHA1 class, producing an array of bytes containing the hash of the salt+password combination. Both the ValidateUser and CreateUser methods in the ValidationHelper class end up calling HashString, CreateUser to produce the hash that is stored alongside a newly generated salt, and ValidateUser to recompute the hash from the stored salt and the entered password so it can be compared with the stored value.

To use the ValidationHelper class, you'll need to add a new class to your project and copy in the code. Then, when you need to add a user to your database, call the ValidationHelper.CreateUser method, passing in the email address, full name, and entered password. When you want to validate a user, call the ValidationHelper.ValidateUser method, supplying the email address and the entered password. You may, of course, want to modify these procedures to fit your own needs, but at least the code here provides a good starting point.
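The CreateUser/ValidateUser flow described above, written as an added Python example (not the article's Listing 1, which is .NET code): an in-memory dictionary stands in for the Users table and the two stored procedures, and the hash is SHA-1 over salt+password stored as hex so it fits the nvarchar(50) columns. The salt length and the hex encoding are assumptions; the article does not specify them.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for the Users table, keyed by email address
# (constructed for this example; the article uses SQL Server 2000).
_users = {}


def hash_string(salt: str, password: str) -> str:
    """SHA-1 of the salt+password combination, like the article's HashString.
    Returned as 40 hex characters so it fits the nvarchar(50) UserHash column."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def new_salt() -> str:
    """Per-user random salt: 16 random bytes as 32 hex characters (assumed size)."""
    return secrets.token_hex(16)


def create_user(email: str, full_name: str, password: str) -> int:
    """Mirrors CreateUser + ws_AddNewUser: an already-registered email returns
    the existing UserId instead of inserting a duplicate row."""
    if email in _users:
        return _users[email]["UserId"]
    salt = new_salt()
    _users[email] = {
        "UserId": len(_users) + 1,  # stands in for the identity column
        "FullName": full_name,
        "UserHash": hash_string(salt, password),
        "UserSalt": salt,
    }
    return _users[email]["UserId"]


def validate_user(email: str, password: str) -> bool:
    """Mirrors ValidateUser + ws_Validateuser: fetch the stored hash and salt,
    rehash the entered password with that salt, and compare."""
    row = _users.get(email)
    if row is None:
        # Equivalent of the stored procedure's RAISERROR
        raise LookupError("The specified user does not exist")
    candidate = hash_string(row["UserSalt"], password)
    # compare_digest does not stop at the first differing character,
    # so the comparison time does not reveal how much of the hash matched
    return hmac.compare_digest(candidate, row["UserHash"])
```

A single SHA-1 pass is cheap to compute; a deployment today would swap hash_string for a deliberately slow password hash such as hashlib.pbkdf2_hmac while keeping this same store-salt-and-hash, rehash-and-compare flow.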

I suppose this month's column provides a bit too much information for so small a space. That reminds me of a trip I took recently on Northwest Airlines... Never mind, you've heard that story already. There are, however, many resources available online for more information on hashing, salting, and security in general. Start by searching at msdn.microsoft.com for the keywords "hash salt password" and you'll find some useful references. And finally, if you find yourself incarcerated on a plane showing a documentary on making sausages, simply say "no." Take a much-needed nap instead. Or fire up the laptop and work. You'll be happier in the long run.



Ken Getz is a senior consultant with MCW Technologies and splits his time between programming, writing, and training. He specializes in tools and applications written in Visual Studio .NET and Visual Basic. Ken is the author of the highly rated .Finalize() column in CoDe Magazine. He is also the co-author of several best-selling books, including Access 2002 Developer's Handbooks with Paul Litwin and Mike Gunderloy, Visual Basic Language Developer's Handbook with Mike Gilbert, and VBA Developer's Handbook with Mike Gilbert (Sybex). He co-wrote several training courses for Application Developer's Training Company, including VB.NET, ASP.NET, Access 2000 and 97, Visual Basic 6, and Visual Basic 5 seminars. He has also recorded video training for AppDev covering VB.NET, ASP.NET, VB6, Access 2000, and Access 97. Ken is a frequent speaker at technical conferences and has spoken often at Microsoft's Tech-Ed conference. Ken is also a technical editor for Access-VB-SQL Advisor magazine and a columnist for Informant Publications' asp.netPRO magazine.