9

I'm using PBKDF2 in my application to store users passwords. In my Users table, I have a Salt and Password column which is determined like this:

// Hash the users password using PBKDF2
var DeriveBytes = new Rfc2898DeriveBytes(_Password, 20);
byte[] _Salt = DeriveBytes.Salt;
byte[] _Key = DeriveBytes.GetBytes(20);  // _Key is put into the Password column

On my login page I need to retrieve this salt and password. Because they're byte[] arrays, I store them in my table as varbinary(MAX). Now I need to retrieve them to compare against the users entered password. How would I do that using SqlDataReader? At the moment I have this:

cn.Open();
SqlCommand Command = new SqlCommand("SELECT Salt, Password FROM Users WHERE Email = @Email", cn);
Command.Parameters.Add("@Email", SqlDbType.NVarChar).Value = _Email;
SqlDataReader Reader = Command.ExecuteReader(CommandBehavior.CloseConnection);
Reader.Read();
if (Reader.HasRows)
{
    // This user exists, check their password with the one entered
    byte[] _Salt = Reader.GetBytes(0, 0, _Salt, 0, _Salt.Length);
}
else
{
    // No user with this email exists
    Feedback.Text = "No user with this email exists, check for typos or register";
}

But I know for a fact that it's wrong. Other methods in Reader have only one parameter being the index of the column to retrieve.

Improve this question
2
  • How exactly do you know its wrong? Because your doing exactly what all the other related questions are doing. Are you sure your byte array you create can fit in varbyte Commented Nov 11, 2012 at 16:25
  • VS throws up an error saying it can't convert long to byte[] for one, and the parameter descriptions don't match what I put in, like Salt._Length. Commented Nov 11, 2012 at 16:28

2 Answers 2

Reset to default
14

Casting it directly to a byte[] has worked for me so far.

using (SqlConnection c = new SqlConnection("FOO"))
{
    c.Open();
    String sql = @"
        SELECT Salt, Password 
        FROM Users 
        WHERE (Email = @Email)";
    using (SqlCommand cmd = new SqlCommand(sql, c))
    {
        cmd.Parameters.Add("@Email", SqlDbType.NVarChar).Value = _Email;
        using (SqlDataReader d = cmd.ExecuteReader())
        {
            if (d.Read())
            {
                byte[] salt = (byte[])d["Salt"];
                byte[] pass = (byte[])d["Password"];

                //Do stuff with salt and pass
            }
            else
            {
                // NO User with email exists
            }
        }
    }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

3

I'm not sure why you think the code you wrote is wrong (please explain). But specifically for the error:
Notice that GetBytes returns a long not a byte array.

So, you should use: Reader.GetBytes(0, 0, _Salt, 0, _Salt.Length);

or
long bytesRead = Reader.GetBytes(0, 0, _Salt, 0, _Salt.Length);

Improve this answer

2 Comments

If you look at the needed parameters for the method you can see that my parameters aren't correct, but I don't know what to specify. And I can't convert it to a long, it has to be returned as a byte array for my password checking to work.
@JamesDawson Please read the description of the GetBytes functions (which I posted in my answer): Reads a stream of bytes from the specified column offset into the buffer an array starting at the given buffer offset. In other words, in your example will copy the byte stream of column number 0 into the _Salt variable. Which is exactly what you asked for. (The return value of the GetBytes function is only the number of bytes read and therefore it's a long). Did you change the code as I recommended? Did it work?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.