Using Access to store Usernames and Passwords and opening via Visual Basic

Basically i am trying to create a programme, which needs to have some authorisat开发者_如何学编程ion.

When the application starts up, it starts straight into the login screen.

I want the Username and Password textboxes to read the database and if they match then progress to the next form but if they dont match then a message box will appear.

I also want to create groups of people so if a certain group of people log in they go to a certain form and if the another group of people log in i want them to go to a different form.

Also i want the password box to be * instead of visable text.

Can any one help, this is my code so far...

dbProvider = "PROVIDER=Microsoft.Jet.OLEDB.4.0;" dbSource = "Data Source = D:/Users.mdb"

    con.ConnectionString = dbProvider & dbSource

    con.Open()


    sql = "SELECT * FROM tblUsers"
    da = New OleDb.OleDbDataAdapter(sql, con)
    da.Fill(ds, "Users")

    con.Close()

    MaxRows = ds.Tables("Users").Rows.Count
    inc = -1


    If UserIDTextBox.Text = ds.Tables("tblUsers").Rows(0).Item("UserID") & User_PasswordTextBox.Text = ds.Tables("tblUsers").Rows(0).Item("Password") Then
        MsgBox("This have worked correctly!")
    Else
        MsgBox("This has not worked, try again!")
    End If

The first and most important thing you need to know is that it's almost always a bad idea to code your own authentication system. It's just so easy to do this in ways that seem to be right and even pass all your tests, but still have subtle, hard to spot errors that won't show up until a year later when you find out you were cracked six months ago. Always lean as much as possible on whatever authentication features are made available to you in your platform.

The next thing you need to know is that you do not store passwords in the database. Ever. The correct way to handle password matching is to use a salt to alter the original password in some simple way so that simple dictionary passwords will now no longer result in values that can be easily reversed by a google lookup, and then use use a cryptographic hashing algorithm like bcrypt, scrypt, or (if your really have to) sha1. Do not use md5. Examples of this are readily available on google, and will explain it far better than I can here. When someone wants to log in, you perform the same steps on their attempted password and now compare only the hashes. If you're not doing it this way, it's only a matter of time before your user's passwords become public knowledge.

Next up I noticed a problem with your database connection handling in your code. The code you have is not guaranteed to close the connection. con.Close() should always be in a Finally block, and for preference I like the Using block shorthand.

Finally, way near the bottom you try to use VB's string concatenation operator (&) as a logical AND. Oops. You want to use the AndAlso operator here instead.

Sam,

First of I second what Joel said, hash the passwords. Here's a link: What is the easiest way to encrypt a password when I save it to the registry?

As for the TextBox, just set the PasswordChar property to something like *, and it will mask the characters. You can also limit the length.

As for only allowing certain groups, if you're in a windows domain, you should use active directory groups. To determine is someone is a member of a group you can do something like:

def IsMemberOfAdGroup(grouName as string):
    windID = System.Security.PrincipalWindowsIdentity.GetCurrent()
    return System.Security.PrincipalWindowsPrincipal(windID).IsInRole(grouName)

This looks like a really good page, that covers what you're trying to accomplish.

ASP.NET 2.0 Forms Authentication Using Access Database