I’m building a local application that has a login form.
I’m retrieving the Username and Password from a database.
What is the safest way to proceed from here? There are many things I can do, and I'm wondering if one way is better than another.
I can simply SELECT directly from my textbox:
```csharp
string sql = "SELECT UserId, Password FROM Users_Table WHERE UserId = '" + userIdTextBox.Text + "' AND Password = '" + passwordTextBox.Text + "'";
```
I can SELECT everything from that table and then compare a SqlDataReader with the textbox.
```csharp
// SELECT UserId, Password FROM Users_Table
while (myReader.Read())
{
    if ((string)myReader["UserId"] == userIdTextBox.Text
        && (string)myReader["Password"] == passwordTextBox.Text)
    {
        // matched
    }
}
```
And there are many other ways to do it. What is the best/safest way to proceed?
Basically, under no circumstances should you want anyone, including sysadmins, to possibly know the value of the password itself. If you design and code with this rule in mind, and try not to re-invent the wheel, you’ll be fine. If you’re manually creating passwords, then you should probably have a “must change password” option enabled for first logon (thanks, Chris Shain).
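Putting the answer's rule together with the question's two options, here is an added example (not code from the question or the answer) of a login check that never stores or compares the password itself and never splices the text box values into the SQL. It is written in Python with the standard library so it runs offline against an in-memory SQLite database; the table and column names are constructed to mirror the question, and the `Salt`/`PasswordHash` columns, the PBKDF2 parameters and the sample users are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256 (constructed; raise it as hardware gets faster).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password and a per-user salt.
    Only this value is stored; the password itself is never written anywhere."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_schema(conn: sqlite3.Connection) -> None:
    # Hypothetical layout: the question's Users_Table keeps a Password column;
    # here it is replaced by a random salt and the derived hash.
    conn.execute(
        "CREATE TABLE Users_Table ("
        "UserId TEXT PRIMARY KEY, Salt BLOB NOT NULL, PasswordHash BLOB NOT NULL)"
    )


def add_user(conn: sqlite3.Connection, user_id: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    # Values are bound as parameters ("?"), not concatenated into the statement.
    conn.execute(
        "INSERT INTO Users_Table (UserId, Salt, PasswordHash) VALUES (?, ?, ?)",
        (user_id, salt, hash_password(password, salt)),
    )


def verify_login(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Return True only if user_id exists and password matches its stored hash."""
    # Parameter binding means a quote or any other character typed into the
    # text box is treated as data and cannot change the statement.
    row = conn.execute(
        "SELECT Salt, PasswordHash FROM Users_Table WHERE UserId = ?", (user_id,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal which user ids exist.
        hash_password(password, bytes(SALT_BYTES))
        return False
    salt, stored_hash = row
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def demo() -> dict:
    """Constructed sample users and login attempts."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    add_user(conn, "alice", "correct horse battery staple")
    add_user(conn, "o'brien", "it's a secret")  # apostrophes are fine with parameters
    return {
        "alice_ok": verify_login(conn, "alice", "correct horse battery staple"),
        "alice_wrong": verify_login(conn, "alice", "wrong password"),
        "unknown_user": verify_login(conn, "nobody", "anything"),
        "obrien_ok": verify_login(conn, "o'brien", "it's a secret"),
        "obrien_wrong": verify_login(conn, "o'brien", "its a secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Compared with the question's two options: the first concatenates the text box contents into the statement, so a user id like `o'brien` breaks the query (and anything that breaks it can also be used to change it); the second avoids that but still reads every stored password out of the table and compares it in clear text, which is exactly what the answer says nobody should be able to do. The same structure carries over to the original C# code by using `SqlCommand` parameters instead of string concatenation and `Rfc2898DeriveBytes` (PBKDF2) for the hash.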