
I'm looking for an easy way to do a login without using a web API. I would like to know if it's possible to do a login with a SQL query that checks the user table to verify whether the user exists or not. I'm using SQL Server, not SQLite.

    [HttpPost]
    public IActionResult Verify(Teacher teacher)
    {
        // Select the user who is trying to connect
        string select = "SELECT * FROM [Db2021QuizLandStudent].[TestManagement].[Teacher] WHERE Email='" + teacher.Email + "' AND Password='" + teacher.Password + "'";
        // Update the date of the last connection
        string update = "UPDATE [Db2021QuizLandStudent].[TestManagement].[Teacher] SET LastConnexion = CURRENT_TIMESTAMP WHERE Email='" + teacher.Email + "' AND Password='" + teacher.Password + "'";
        string query = select + ";" + update;

        connectionString();
        con.Open();

        SqlCommand com = new SqlCommand(query, con);
        dr = com.ExecuteReader();

        if (dr.Read())
        {
            con.Close();
            return View("Test");
        }
        else
        {
            con.Close();
            return View("Error");
        }
    }

I did something like that in ASP.NET and I would like to do something like that in Xamarin.

Thanks in advance for the help :D

    yes, it's possible, but it is a horrible, terrible, very bad idea – Jason Aug 17 '21 at 11:59
  • 4
    It's 2021, please **learn** from the mistakes of those from the last 3 decades. **NEVER** inject unsanitised strings into your SQL statement; **parametrise**. **NEVER** store plain text passwords; salt and hash them. These are problems that were known and identified in the 90's, it's long past time both of these trivial security vulnerabilities were dead. – Larnu Aug 17 '21 at 12:01
  • 1
    Are you attempting to write an app for a mobile device? Do you require that device to be connected to the same network on which your sql server instance is present? Lastly it is a TERRIBLE idea to use 3-part names in your SQL code. Why? If your application database is moved (or copied) to a different name, all those references in your code must be changed. Let the connection determine the database to use. – SMor Aug 17 '21 at 12:02
  • And some additional information about [storing passwords in a database](https://www.geeksforgeeks.org/store-password-database/) – SMor Aug 17 '21 at 12:11
  • As an example, if I entered my email address as `' AND 1=1;--` then your attempt would return the rows for ***every*** user in your table, maybe display all their password for me to consume and then update the login date and time for *every* user. – Larnu Aug 17 '21 at 12:21
  • Yes, I clearly understand that it's a bad idea. I just wanted to try to do something I'm able to do first, then improve it later. It won't be something that I will reuse somewhere. – DiamonnD Aug 17 '21 at 12:48
  • The login in my app isn't very important, it's only for the form first of all, but I wanted to get a little verification with a SQL query like the example above. – DiamonnD Aug 17 '21 at 12:49
  • Check this link (https://stackoverflow.com/questions/43307490/how-to-connect-xamarin-forms-with-sql-server), it may help you. – Wen xu Li - MSFT Aug 18 '21 at 09:43
  • Thank you very much, gonna check that ;) – DiamonnD Aug 18 '21 at 12:12
  • I hope it can help you – Wen xu Li - MSFT Aug 19 '21 at 09:45
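The two fixes the comments ask for (parameterised queries instead of string concatenation, and a salted hash instead of a plain-text `Password` column), as an added example that is not the poster's code. It assumes hypothetical `PasswordSalt` and `PasswordHash` varbinary columns in place of `Password`, an already open `SqlConnection`, and .NET 6 or later for `Rfc2898DeriveBytes.Pbkdf2`; the two-part table name follows SMor's advice to let the connection pick the database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class TeacherLogin
{
    // PBKDF2 parameters; the salt and hash are stored in the (hypothetical) PasswordSalt / PasswordHash columns.
    const int Iterations = 100_000, SaltSize = 16, HashSize = 32;

    // Called once when the teacher's password is set; store both values, never the password itself.
    public static (byte[] salt, byte[] hash) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return (salt, hash);
    }

    // Constant-time comparison so timing does not reveal how many bytes matched.
    public static bool VerifyPassword(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return CryptographicOperations.FixedTimeEquals(actual, expectedHash);
    }

    // Returns true only when the e-mail exists and the password matches; updates LastConnexion on success.
    // An unknown e-mail and a wrong password both return false, so the response does not reveal which it was.
    public static bool Verify(SqlConnection con, string email, string password)
    {
        byte[] salt, hash;
        using (var select = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash FROM TestManagement.Teacher WHERE Email = @Email", con))
        {
            // The value travels as a typed parameter; the SQL text never changes, whatever the input contains.
            select.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            using (SqlDataReader dr = select.ExecuteReader())
            {
                if (!dr.Read()) return false;
                salt = (byte[])dr["PasswordSalt"];
                hash = (byte[])dr["PasswordHash"];
            }
        }
        if (!VerifyPassword(password, salt, hash)) return false;

        using (var update = new SqlCommand(
            "UPDATE TestManagement.Teacher SET LastConnexion = CURRENT_TIMESTAMP WHERE Email = @Email", con))
        {
            update.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            update.ExecuteNonQuery();
        }
        return true;
    }
}
```

With this shape the `' AND 1=1;--` input from Larnu's comment is simply an e-mail address that matches no row, and the update only runs for the single account whose password verified.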

0 Answers