Difference between revisions of "Create register for ASP.Net Web App"
Revision as of 14:56, 19 October 2024
Creating the Page
Add a new Razor Page and call it `register`.
Now add the following HTML form:
<form method="post">
Username: <input type="Text" name="user">
Email: <input type="email" name="email">
Password: <input type="Password" name="pass1">
Confirm: <input type="Password" name="pass2">
<input type="submit">
</form>
Adding the code to handle the form
The code below first reads the data from the form and stores it in local variables. My `User` table has an additional field called `status`, so that users can be approved or given different levels of access; a status of 0 could mean unverified. The code also checks that the password and the confirmation password are equal before anything is saved.
public IActionResult OnPost()
{
    // Read the posted form fields (Request.Form values convert implicitly to string)
    string username = Request.Form["user"];
    string email = Request.Form["email"];
    string pass1 = Request.Form["pass1"];
    string pass2 = Request.Form["pass2"];
    int status = 0; // 0 = unverified; other values can grant different access levels

    // Only save the account when both password fields match
    if (pass1 == pass2)
    {
        // GetConnection is the project's own helper that builds the MySqlConnection; it is called as a method here
        using var connection = GetConnection();
        connection.Open();
        // The placeholders @p1..@p4 keep the form data out of the SQL text itself
        string sql = "insert into test values(@p1, @p2, @p3, @p4);";
        using var Command = new MySqlCommand(sql, connection);
        Command.Parameters.AddWithValue("@p1", username);
        Command.Parameters.AddWithValue("@p2", pass1);
        Command.Parameters.AddWithValue("@p3", email);
        Command.Parameters.AddWithValue("@p4", status);
        Command.ExecuteNonQuery();
        connection.Close();
    }
    return Page();
}
The code above uses parameterised SQL; adding the parameters in this way protects against SQL injection attacks. Each data field taken from the form is passed to the database as a single value and is never interpreted as SQL.
Storing Passwords
Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:
using System.Security.Cryptography;
Now we need to hash the password before we save it (this goes inside the if statement that checks pass1 and pass2 are equal):
// Encoding lives in System.Text, so that namespace must also be in the using section
var inputBytes = Encoding.UTF8.GetBytes(pass1);   // password text as UTF-8 bytes
var inputHash = SHA256.HashData(inputBytes);      // 32-byte SHA-256 digest
string hash = Convert.ToHexString(inputHash);     // 64-character hex string to store in place of the password
Now in the SQL Parameters section, make sure the hash is used instead of the password.