I have a simple
SqlConnection
using (var connection = new SqlConnection(connectionString))
{
connection.Open();
using (var command = new SqlCommand(commandString, connection))
{
command.Parameters.Add(new SqlParameter("mail", email));
command.Parameters.Add(new SqlParameter("password", password));
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
return true;
}
throw new InvalidDataException();
}
}
}
DECLARE @pass varchar(50);
SET @pass = @password;
DECLARE @pwdHash varbinary(max);
SET @pwdHash = HASHBYTES('SHA2_256', @pass);
SELECT * FROM Users
WHERE email=@mail AND pwd=@pwdHash;
DECLARE @pwdHash varbinary(max);
SET @pwdHash = HASHBYTES('SHA2_256', @password);
SELECT * FROM Users
WHERE email=@mail AND pwd=@pwdHash;
SqlParameter
String parameters are passed as nvarchar
by default; but your longer command casts @password
to varchar
which has a different binary representation and so would generate a different hash digest which would not match your existing records if their hashes were generated differently.
BTW, you should salt your hashes too.