first off, you should be using a paramatized query if you want to avoid SQL injection problems 
this is the code used by the Snitz .Net membership provider to validate a user (may be a little buggy as I normally write in C# not VB, so had to convert it.
Public Overloads Overrides Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
Dim sql As String = "Select MEMBER_ID From FORUM_MEMBERS WHERE M_NAME=@Username AND M_PASSWORD=@Password"
' Using
Dim conn As SqlConnection = New SqlConnection(connStr)
Try
' Using
Dim cmd As SqlCommand = New SqlCommand(sql, conn)
Try
Dim paramName As SqlParameter = New SqlParameter
paramName.ParameterName = "@Username"
paramName.Value = username
cmd.Parameters.Add(paramName)
Dim paramPwd As SqlParameter = New SqlParameter
paramPwd.ParameterName = "@Password"
paramPwd.Value = SHA256Hash(password)
cmd.Parameters.Add(paramPwd)
Try
conn.Open
Dim reader As SqlDataReader = cmd.ExecuteReader
If reader.HasRows Then
Return True
Else
Return False
End If
Catch
Return False
End Try
Finally
CType(cmd, IDisposable).Dispose()
End Try
Finally
CType(conn, IDisposable).Dispose()
End Try
End Function
Public Shared Function SHA256Hash(ByVal Data As String) As String
Dim sha As SHA256 = New SHA256Managed
Dim hash As Byte() = sha.ComputeHash(Encoding.ASCII.GetBytes(Data))
Dim stringBuilder As StringBuilder = New StringBuilder
For Each b As Byte In hash
stringBuilder.AppendFormat("{0:x2}", b)
Next
Return stringBuilder.ToString
End Function
or if you want the C# version
public static string SHA256Hash(string Data)
{
SHA256 sha = new SHA256Managed();
byte[] hash = sha.ComputeHash( Encoding.ASCII.GetBytes(Data) );
StringBuilder stringBuilder = new StringBuilder();
foreach( byte b in hash )
{
stringBuilder.AppendFormat("{0:x2}", b);
}
return stringBuilder.ToString();
}
public static bool ValidateUser(string username, string password)
{
string sql = "Select MEMBER_ID From FORUM_MEMBERS WHERE M_NAME=@Username AND M_PASSWORD=@Password";
using (SqlConnection conn = new SqlConnection(connStr))
{
using (SqlCommand cmd = new SqlCommand(sql, conn))
{
SqlParameter paramName = new SqlParameter();
paramName.ParameterName = "@Username";
paramName.Value = username;
cmd.Parameters.Add(paramName);
SqlParameter paramPwd = new SqlParameter();
paramPwd.ParameterName = "@Password";
paramPwd.Value = SHA256Hash(password);
cmd.Parameters.Add(paramPwd);
try
{
conn.Open();
SqlDataReader reader = cmd.ExecuteReader();
if (reader.HasRows)
{
return true;
}
else
{
return false;
}
}
catch {
//throw new Exception("Login Error");
return false;
}
}
}
}
<
ASP.NET 2.0 Login Integration
Posted - 01 February 2007 : 17:30:34
