
Passing a password to a viewmodel

Submitted by: @import:stackexchange-codereview

Problem

I've got a project I've been working on that connects to a file server and writes some data to a text file. In order to do this I added a textbox for the user to type their username and a passwordbox as well for the password. In my models I have an interface called IPassword that looks like the following:

```
public interface IPassword
{
    SecureString Password { get; }
}
```


Using MVVM Light I created a RelayCommand and tied it to a button. When the button is clicked it calls the function ExportList (I've removed any code relating to my file server location):

```
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Security;

public void ExportList(object parameter)
{
    var passwordContainer = parameter as IPassword;
    NetworkCredential credentials;
    string folder = String.Empty;

    if (passwordContainer != null && IsEnabled == true)
    {
        var securePassword = passwordContainer.Password;
        // Decrypts the SecureString into an ordinary managed string
        var password = ConvertToUnsecureString(securePassword);

        credentials = new NetworkCredential();
        credentials.UserName = Username;
        credentials.Password = password;
        credentials.Domain = "domain name";

        folder = "folder location";
        WriteToNetworkFolder(folder, credentials);
    }
    else
    {
        folder = "local folder location";
        WriteToLocalFolder(folder);
    }
}

private string ConvertToUnsecureString(SecureString password)
{
    if (password == null)
    {
        return String.Empty;
    }

    IntPtr unmanagedString = IntPtr.Zero;
    try
    {
        // Copy the decrypted password into unmanaged memory, then into a managed string
        unmanagedString = Marshal.SecureStringToGlobalAllocUnicode(password);
        return Marshal.PtrToStringUni(unmanagedString);
    }
    finally
    {
        // Zero and free the unmanaged copy; the returned managed string is not cleared
        Marshal.ZeroFreeGlobalAllocUnicode(unmanagedString);
    }
}

private void WriteToNetworkFolder(string folder, NetworkCredential credentials)
{
    // Open the connection to the server
    // ...
}
```

Solution

Why don't you just use the overloaded constructor of the NetworkCredential class which takes the password as SecureString?

In this way you can remove the ConvertToUnsecureString() method altogether and you don't have to read the decrypted value of the password.

It is always recommended to use System.IO.Path.Combine() instead of adding up the path by using string concatenation. In this way you will be safe regarding illegal characters in the path, missing \ etc.

Context

StackExchange Code Review Q#85414, answer score: 6
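
The two suggestions in the answer above, as an added example that is not part of the original question or answer: the `SecureString` is handed directly to the `NetworkCredential(string, SecureString, string)` constructor, and the target path is built with `Path.Combine` after checking that the file name is a bare name. `IPassword` is from the question; `PasswordHolder`, `ExportHelpers`, the method names and all sample values are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security;

public interface IPassword { SecureString Password { get; } }   // from the question

// Hypothetical stand-in for the view that owns the PasswordBox.
public sealed class PasswordHolder : IPassword
{
    public SecureString Password { get; set; }
}

public static class ExportHelpers   // hypothetical helper class
{
    // The SecureString goes straight into NetworkCredential; this code never
    // calls Marshal.PtrToStringUni or reads credentials.Password (a string).
    public static NetworkCredential BuildCredentials(string userName, IPassword container, string domain)
    {
        if (container == null || container.Password == null)
            throw new ArgumentException("No password supplied.", nameof(container));
        return new NetworkCredential(userName, container.Password, domain);
    }

    // Path.Combine discards 'folder' when 'fileName' is rooted, so accept
    // only a bare file name before combining.
    public static string BuildTargetPath(string folder, string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName)
            || fileName != Path.GetFileName(fileName)
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new ArgumentException("Expected a bare file name.", nameof(fileName));
        return Path.Combine(folder, fileName);
    }

    public static void Main()
    {
        using (var secure = new SecureString())
        {
            foreach (char c in "constructed-sample") secure.AppendChar(c);   // constructed value
            secure.MakeReadOnly();
            var holder = new PasswordHolder { Password = secure };

            NetworkCredential cred = BuildCredentials("alice", holder, "EXAMPLE");
            Console.WriteLine("{0}\\{1}, password length {2}", cred.Domain, cred.UserName, cred.SecurePassword.Length);
            Console.WriteLine(BuildTargetPath(@"\\server\share\exports", "list.txt"));
        }
    }
}
```

Reading `cred.Password` anywhere downstream would still produce a plain managed string, so consumers should use `SecurePassword` or pass the credential object on as-is.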
