I have an procedure to check password in SQL server, but its wrong, can someone explain and help me ?
If the password not contain 1 upper letter, 1 number and minium 8 charracter, this procedure will return an message.
CREATE OR ALTER PROCEDURE PaswordCompatibilityCheck
#Password nvarchar(200),
#ConfirmPassword nvarchar(200)
AS
BEGIN
if #Password NOT LIKE '%(?=.*\d)(?=.*[A-Z]).{8,}%'
BEGIN
SELECT 'The password must contain at least 1 capital letter and 1 number, minimum of 8 characters' as message, 'Error' as type
RETURN -- We need return here for exit the procedure.
END
END
----EXEC PaswordCompatibilityCheck 'PassWord101','PassWord101'
SQL Server does not support native regex in this way. However, its LIKE operator is enhanced and does support a bit of regex functionality. You may try the following version:
CREATE OR ALTER PROCEDURE PaswordCompatibilityCheck
#Password nvarchar(200),
#ConfirmPassword nvarchar(200)
AS
BEGIN
IF NOT #Password LIKE '%[0-9]%' OR NOT #Password LIKE '%[A-Z]%' OR
LEN(#Password) < 8
BEGIN
SELECT 'The password must contain at least 1 capital letter and 1 number, minimum of 8 characters' as message, 'Error' as type
RETURN -- We need return here for exit the procedure.
END
END
----EXEC PaswordCompatibilityCheck 'PassWord101','PassWord101'
Related
I have this procedure, but it doesn't work..I can't figure it out why. Any ideas what am I doing wrong?
CREATE PROCEDURE [dbo].[spCheckLogin]
( #Username varchar(30),
#Password varchar(15))
AS
BEGIN
Declare
#Result int = 0;
IF (#Password=(SELECT password from users where Username=#Username))
set #Result=1
ELSE
set #Result=0
return #Result
END
GO
The comparison you are using is incorrect. It should be something like:
IF EXISTS (SELECT 1 from users where Username=#Username AND password = #password)
Also note that storing passwords in plaintext is not a good practice. Suggested reading: Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy?
Instead of a return value you would want to use an output value. However a return value is of type integer, thus might work for you.
You would never want to use a plain password stored, but I would assume you are doing this just for testing purposes on a hobby project.
CREATE PROCEDURE [dbo].[spCheckLogin]
( #Username varchar(30),
#Password varchar(15))
AS
BEGIN
Declare #Result int = case
when exists (SELECT *
from users
where Username=#Username and password = #Password))
THEN 1
ELSE 0
END
return #Result
END
GO
Like metnioned, use an OUTPUT paramter:
CREATE PROC [dbo].[spCheckLogin] #Username varchar(30),
#Password varchar(30),
#Success bit OUTPUT
AS
BEGIN
IF EXISTS (SELECT 1
FROM users
WHERE Username = #Username
AND Password = #Password)
BEGIN
SET #Success = 1;
END
ELSE
BEGIN
SET #Success = 0;
END
END
But, also, as mentioned, don't store passwords in an unhashed and unsalted format in your database. If you are, change your design.
I have an requirement to restrict the number of digits in parameter to be passed into Stored procedure. consider below stored procedure sample.
Create procedure Sp_test
#uniqueID1 varchar(100),
#uniqueID2 varchar(100),
#uniqueID3 varchar(100)
as
Begin
select x,y,z
from the table1 inner join table2 on a=b
Where UniqueID in (#unitID1,#unitID2,#unitID3)
end
Now while I pass the parameter values, I have to check the number of digits its given,
Say exec sp_test '123456','456789','12356'
The number of digits will be always above 4 or 5 digits. It should not be less than 4 digits. I need to have a check of the same in stored procedure.
NOTE: Here Icould have used single parameter to pass multiple unique IDs , but I am using it in another application where this has to be passed as different parameter.
Please help me solving it.
Maybe something as simple as using a IF..ELSE?
USE Sandbox;
GO
CREATE PROC Sample_sp #id1 varchar(5), #Id2 varchar(5) AS
IF LEN(#id1) IN (4,5) AND LEN(#id2) IN (4,5) BEGIN
PRINT 'Do your SP stuff here.';
SELECT #id1, #Id2;
END ELSE BEGIN
RAISERROR('An ID must have a length of 4 or 5 characters.',11,1);
END
GO
EXEC Sample_sp '12345', '6789'; --This will work, because both values are of length 4 or 5
GO
EXEC Sample_sp '12345', '678901'; --This will work, because the value would be truncated.
GO
EXEC Sample_sp '123456', '6789'; --This will work, because the value would be truncated.
GO
EXEC Sample_sp '1234', '6789'; --This will work, because both values are of length 4 or 5
GO
EXEC Sample_sp '123', '6789'; --Will fail, ID1 has a length of 3
GO
DROP PROC Sample_sp;
If you don't want the truncation (or at least fail if more than 5 characters are supplied), then I'd suggest increasing the value to a varchar(6). It'll still cause truncation, but considering you only care if the value of 6 (or more characters), both lengths 6 and 500 fulfil that requirement; thus if a parameter with 500 characters is passed, it'll truncate to a varchar(6) and then still fail the check and cause the error.
I am creating a login page that receives a value (string) of an email address and also has a property of email confirmed (bool). I am trying to create a stored procedure which checks if the email address that is received from the client side matches with a string value in the database. Any suggestions for this type of query?
SELECT COUNT(*) FROM dbo.EmailAddressTable WHERE EmailAddress = #YourClientEmailAddress
This query will return the number of rows in your table with the email address provided by the client. If you have 1 or more rows, you have a match. If you have 0 rows, you don't.
#Email nvarchar(256)
, #EmailConfirmed bit output
as
begin
/*
DECLARE #EmailConfirmed bit
EXEC dbo.UserProfiles_CheckIfConfirmed 'c12#sab.com' , #EmailConfirmed OUTPUT
SELECT #EmailConfirmed
DECLARE #EmailConfirmed bit
EXEC dbo.UserProfiles_CheckIfConfirmed 'john#sab.la' ,#EmailConfirmed OUTPUT
SELECT #EmailConfirmed
*/
SELECT #EmailConfirmed = EmailConfirmed FROM ASPNETUSERS WHERE Email = #Email
END
if 'john#sab.la' exists than EmailConfirmed will output a value of 1. Otherwise 0
Following is my stored procedure which stores data in two tables namely SuccessfulLogins and FailedLogins
ALTER procedure [dbo].[Proc_CheckUser]
#UserID VARCHAR(50),
#Password VARCHAR(50)
AS
SET NOCOUNT ON
DECLARE #ReturnVal VARCHAR(500)
DECLARE #PasswordOld VARCHAR(50)
DECLARE #Type NVARCHAR(50)
DECLARE #IP NVARCHAR(50)
SELECT #PasswordOld = Password,#Type=ClientType,#IP=IPAddress
FROM Clients
WHERE Username = #userid
IF (#PasswordOld IS NULL)
BEGIN
SET #ReturnVal='1|Incorrect Username'
INSERT INTO FailedLogins(Username,Password,ClientType,Reason,IPAddress)
VALUES(#UserID,Hashbytes('SHA1',#Password),#Type,'Invalid Username',#IP)
END
ELSE
BEGIN
IF (#PasswordOld!=Hashbytes('SHA1',#Password))
BEGIN
SET #ReturnVal='1|Incorrect Password'
INSERT INTO FailedLogins(Username,Password,ClientType,Reason,IPAddress)
VALUES(#UserID,Hashbytes('SHA1',#Password),#Type,'Invalid Password',#IP)
END
ELSE
BEGIN
SET #ReturnVal='0|Logged in Successfully' +'|'+ rtrim(cast(#Type as char))
INSERT INTO SuccessfulLogins(Username,Password,ClientType,Reason,IPAddress)
VALUES(#UserID,Hashbytes('SHA1',#Password),#Type,'Valid Login Credentials Provided',#IP)
END
END
SELECT #ReturnVal
The problem here is that whenever I enter an Invalid Username,the stored procedure returns the correct message ie Incorrect Username but it stores NULL values in the fields ClientType and IPAddress in Failed Logins Table
Following is my insert query for Invalid username
IF (#PasswordOld!=Hashbytes('SHA1',#Password))
BEGIN
SET #ReturnVal='1|Incorrect Password'
INSERT INTO FailedLogins(Username,Password,ClientType,Reason,IPAddress)
VALUES(#UserID,Hashbytes('SHA1',#Password),#Type,'Invalid Password',#IP)
END
Can anyone help me to rectify this.How to check condition for username?
Thanks
Your code reads
SELECT #PasswordOld = Password,#Type=ClientType,#IP=IPAddress
FROM Clients
WHERE Username = #userid
Wouldn't this mean that no row will be returned for a Username that does not exist? So, the values for ClientType and IPAddress will not get populated and will remain NULL, which would be the expected functionality.
However, if you want to store some value, or these fields are not nullable, assign a static value to these parameters.
Your query is correct. When there is no match for the Username = #UserId , The #Type , #IP variables will be null. Since there is no record in the table for that UserName. What you can do is that in the declaration you can initiate to some default value,so that it will be inserted to table FailedLogins.
DECLARE #Type NVARCHAR(50)="DefaultType/NoType"
DECLARE #IP NVARCHAR(50)="0.0.0.1"
Something like the above.
If the username is invalid it does not appear in the table Clients so your fields pulled from that table will also be NULL. To negate this you could decide to use default values for ClientType and IPAddress using static values in your declarations, but storing this would just be obsolete data and I would think changing the structure of FailedLogins to not store this would seem more logical.
im trying to create a procedure query with ms-sql for my game but Im kinda stucked..
Lets say,
I have a database with username and password rows.
I use the procedure query to select the username and password.
If everything is right, then the procedure will output the "result-code"
How I call the procedure query
BEGIN_DECLARE_SQLUNIT( SP_AccountSelect, "{ call AccountAuth(?,?) }" )
BEGIN_VARIABLE()
char m_szUserID[MAX_SIZE_USER_ID + 1];
char m_szUserPW[MAX_SIZE_USER_ID + 1];
int m_nResultCode;
END_VARIABLE()
BEGIN_PARAM(3)
PARAM_ENTRY_STR(SQL_PARAM_INPUT, m_szUserID)
PARAM_ENTRY_STR(SQL_PARAM_INPUT, m_szUserPW)
PARAM_ENTRY(SQL_PARAM_OUTPUT, m_nResultCode)
END_PARAM()
END_DECLARE_SQLUNIT()
procedure I have till now:
ALTER PROCEDURE [dbo].[AccountAuth] /* Procedure Name. */
#m_szUserID varchar(20),
#m_szUserPW varchar(50)
AS
SET NOCOUNT ON;
DECLARE #m_nResultCode int
select #m_nResultCode = 100
BEGIN
SELECT #m_szUserID = username, #m_szUserPW = password
FROM account
WHERE username = #m_szUserID;
END
my problem now is that I dont know how I make IFS like checking if the username is right, if the password is right.. because I always have to make different result code. Login wrong = result code 100, wrong username = 101, wrong password = 102..
Im searching for hours now but I cant find anything useful.
Does anyone know a link where I can find helpful things?
This is the most basic procedure you can write for a login call, but in real life application you will need to check logins which exists but maybe disabled, deleted, not logged in for over some period of time and bla bla. You can add as many as check needed to make sure only authorised people has access.
Try something like this.....
ALTER PROCEDURE [dbo].[AccountAuth] /* Procedure Name. */
#m_szUserID varchar(20),
#m_szUserPW varchar(50),
#m_nResultCode int OUTPUT
AS
BEGIN
SET NOCOUNT ON;
DECLARE #Password varchar(50);
IF EXISTS(SELECT 1 FROM account WHERE username = #m_szUserID)
BEGIN
SELECT #Password = [password]
FROM account
WHERE username = #m_szUserID;
IF (#Password = #m_szUserPW)
BEGIN
SET #m_nResultCode = 1; -- 1 for successful login
END
ELSE
BEGIN
SET #m_nResultCode = 0; -- 0 for Unsuccessful login
END
END
ELSE
BEGIN
SET #m_nResultCode = 2; -- 2 if User Name does not exists
END
END
Calling Stored Procedure
DECLARE #OUT_Result INT;
EXECUTE [dbo].[AccountAuth] #m_szUserID = 'UserName'
,#m_szUserPW = '123456'
,#m_nResultCode = #OUT_Result OUTPUT
-- Now do what ever you need to do with #OUT_Result variable.