[RESOLVED] Sql insert query with encrypted value

[invader7]

Hello, i have this code to encrypt the value of a password textbox

Code:

System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
byte[] data = System.Text.Encoding.ASCII.GetBytes(password_textBox.Text);
data = x.ComputeHash(data);
string encryptedpassword = System.Text.Encoding.ASCII.GetString(data);

and i'm trying to pass that value to my database with this code

Code:

string source = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=database.accdb;Mode=ReadWrite;";
string query = "Insert into users (name,password) values ('" + name_textBox.Text + "','" + encryptedpassword + "')";

                    OleDbConnection conn = new OleDbConnection(source);
                    OleDbCommand cmd = new OleDbCommand(query, conn);
                    cmd.Connection = conn;
                    conn.Open();
                    cmd.ExecuteNonQuery();
                    conn.Close();

but i get an error because the encrypted password contains the character "?"

is there a way to ignore what's inside query's values and just pass it to database ? or another (better) way to encrypt the textbox's text ?

i tried to put a @ but i had no luck

Code:

string query = @"Insert into users (name,password) values ('" + name_textBox.Text + "','" + encryptedpassword + "')";

[Arjay]

What was the error?

[invader7]

translating from greek it says,

syntax error missing operator in query " 'first value','second value' "

first value = here is the encrypted password which starts with ?

[invader7]

i changed my encryption code to this and i solved my problem

Code:

           System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
            byte[] bs = System.Text.Encoding.UTF8.GetBytes(password_textBox.Text);
            bs = x.ComputeHash(bs);
            System.Text.StringBuilder encryptedpassword = new System.Text.StringBuilder();
            foreach (byte b in bs)
            {
                encryptedpassword.Append(b.ToString("x2").ToLower());
            }

and i get my encrypted password with encryptedpassword.ToString()

[TechGnome]

Instead of concatenating the SQL string together, use parameters... makes life a lot easier.

-tg

[invader7]

i'll have it in mind thanks a lot

[Arjay]

Or pass parameters to a stored procedure.

[invader7]

i need to read about them and find how it works for future projects, i know stored procedures are good when you want security

[Arjay]

i need to read about them and find how it works for future projects, i know stored procedures are good when you want security

They're good for more than that as well. For example:

1) Queries within stored procedures usually get a query plan generated for them - which means the queries are optimized and run faster.

2) Stored procedures can be thought of as a form of 'interface' - meaning that you have flexibility to change the sql code within the store procedure without having to change the C# code that calls it. As long as the interface signature remains the same, you can change whatever you want beneath the covers.

3) Bug fixes/feature improvements can often be made on the database layer without having to recompile/deploy C# code.

4) Development is easier (IMO) when you use stored procedures. The reason is because you can develop and test the stored procedures on the sql side (so you know your db code works correctly) before calling the sproc(s) from the c# code. If you have trouble when call the sproc from C#, all you need to check is whether your passing the correct input to the sprocs. This is two pronged approach is much easier than trying to debug C# and sql query code all at once.

[invader7]

i can see.... thanks for your advices, i'll study them