cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Is there a way to validate users already in Sybase db through a web interface?

former_SQLA_member1694978
Explorer

on ‎2010 Nov 23 2:42 PM

0 Kudos
2,813

I have to build a web interface using Sybase 11 backend. The database already has users and passwords that are generated by another application using GRANT CONNECT or ADD_USER statements. Is there a way to validate users against this database without having to create a full membership provider?

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
View Entire Topic
MCMartin
Participant
‎2010 Nov 23 4:02 PM

If you talk about ASP.NET MembershipProvider it is not so much effort to do this. You have to implement only the ValidateUser function to get it working. Only in the case that you want to allow the user to do self-administration than you will have to implement the rest too.

In 

public override bool ValidateUser(string Username, string Password)

you get the user and password in clear text and can use this e.g. in an 

OdbcConnection con=new OdbcConnection(string.Format("dsn=...;uid={0};pwd={1}",Username,Password));

If you can afterwards open the connection without an exception you know that the credentials have been the right ones.

Show replies
Show replies
former_SQLA_member1694978
Explorer
‎2010 Nov 23 9:25 PM
0 Kudos

The problem with this is the encryption of the passwords. Aren't Sybase's passwords stored as one-way hashes?

MCMartin
Participant
‎2010 Nov 24 7:54 AM
0 Kudos

Yes, but if you use the credentials to open the connection to the sybase db you will see if the connection is successful or not. If the password is wrong you will get an according exception. See edit above.

VolkerBarth
Contributor
‎2010 Nov 24 8:20 AM
0 Kudos

@Dan: From a security point of view, I think the approach as given by Martin and Mark is the correct one: Just try to find out whether the given credentials work - that's far better (and less error-prone and compatible) than somehow "lookup" the correct credentials and compare them with the given ones...

Ask a Question