VB.net 'sessions'

Hey guys, I'm looking for some advice here. I'm writing a program that interfaces with a remote SQL database. I wanted to know how you guys would securely pass along SQL commands to the server. I don't know how to go about sending the user password securely so it can't be snooped with a packet sniffer when people execute functions within the program.

My fear is that it's being passed in plain text.

How, also, would you pass information securely within the program so it can't be modified in memory?

This is probably a very wide scope problem, so I appreciate any response.

Code:
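Imports MySql.Data.MySqlClient

' Assumes class-level fields db (MySqlConnection), query (MySqlCommand)
' and userName (String), which the snippet uses but does not declare.
ReadOnly connectionString As String = "server=server; user id=user; password=password; database=database"
    Public Function userLogin(ByVal sender As System.Object, ByVal u As String, ByVal p As String) As String

        db.ConnectionString = connectionString

        Try
            db.Open()

            query.Connection = db
            ' Bind the inputs as parameters instead of concatenating them into the SQL text,
            ' and match on the supplied username as well as the password.
            ' The password still travels to the server unhashed, inside MD5(@p).
            query.CommandText = "SELECT username FROM authors WHERE username = @u AND password = MD5(@p)"
            query.Parameters.Clear()
            query.Parameters.AddWithValue("@u", u)
            query.Parameters.AddWithValue("@p", p)

            ' ExecuteScalar returns Nothing when no row matches.
            userName = CStr(query.ExecuteScalar())

            db.Close()
            db.Dispose()
            Return userName

        Catch myerror As MySqlException
            MessageBox.Show("Error Connecting to Database: " & myerror.Message)
            db.Dispose()
            ' The function returns a String, so signal failure with Nothing rather than False.
            Return Nothing
        End Try
    End Function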
 
You can encode the password on the MySQL side with SHA.

Can you encode the password with SHA in VB.NET before sending? If so, then you can encode the password before sending, then compare the encoded values.
 
Right, I was thinking that - but I'm not sure if that would work... I guess I don't know enough about how encryption works. But if it's encoded in SHA before going to the SQL server, will the SQL server be able to decode it properly to match it? To maybe explain better - will both computers use the same key to send/receive the password?
 
I do this with my PHP web site.

If I add a record manually to MySQL, I have the MySQL server encode the password using the "sha()" function.

So now we have a record with a username (in text we can understand) and a password (one that has been encoded and then stored as a text attribute). In PHP, I will grab the entered password from the form, encode it with PHP's "sha()" function and store that in a variable. I will make a connection to the MySQL server and make a comparison between the PHP "sha()" generated string and the text in the password field on the MySQL server.

That may sound a bit garbled up... but it's kinda hard to describe.
 
No, that makes sense. So both MySQL and PHP use the same seed to encode it to SHA - it generates the same string.

I'll give that a shot and see what happens. Thanks!
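
Added example, not part of the original thread or any poster's code: a VB.NET version of the hash-and-compare approach discussed above, showing that SHA-1 involves no shared key, followed by a salted PBKDF2 hash for the stored value. The passwords are constructed samples, `SslMode=Required` assumes a MySQL Connector/NET version that supports that option, and the four-argument `Rfc2898DeriveBytes` constructor assumes .NET Framework 4.7.2 or later.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module PasswordHashDemo
    ' Connector/NET option that refuses an unencrypted session (assumes a driver
    ' version that supports SslMode); server/user values are the thread's placeholders.
    Const TlsConnectionString As String =
        "server=server; user id=user; password=password; database=database; SslMode=Required"
    ' Unsalted SHA-1 as discussed in the thread. No key or seed is involved, so
    ' VB.NET, PHP and MySQL all derive the same hex string from the same password.
    Function Sha1Hex(password As String) As String
        Using sha As SHA1 = SHA1.Create()
            Dim digest As Byte() = sha.ComputeHash(Encoding.UTF8.GetBytes(password))
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function
    ' Salted, iterated hash for the stored value (PBKDF2-HMAC-SHA256).
    Function DeriveHash(password As String, salt As Byte(), iterations As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Comparison whose running time does not depend on where the bytes differ.
    Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()
        ' Constructed sample values, not data from the thread.
        Dim stored As String = Sha1Hex("correct horse")    ' what the table would hold
        Dim onTheWire As String = Sha1Hex("correct horse") ' what the client would send
        Console.WriteLine("Digest matches without a shared key: " & (stored = onTheWire))
        ' The server only sees the digest, so a copied digest passes the same check.
        ' Hashing before sending therefore does not replace an encrypted connection.
        Dim salt(15) As Byte ' 16 random bytes, stored next to the hash
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Dim record As Byte() = DeriveHash("correct horse", salt, 100000)
        Console.WriteLine("Right password: " & SameBytes(DeriveHash("correct horse", salt, 100000), record))
        Console.WriteLine("Wrong password: " & SameBytes(DeriveHash("wrong", salt, 100000), record))
    End Sub
End Module
```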
 