Creating an MD5 hash in C# is straightforward using the built-in cryptography libraries.
✅ Best Practice: Use System.Security.Cryptography.MD5 for string or file hashing.
Example
using System; using System.Security.Cryptography; using System.Text; string ComputeMD5Hash(string input) { using (MD5 md5 = MD5.Create()) { byte[] inputBytes = Encoding.UTF8.GetBytes(input); byte[] hashBytes = md5.ComputeHash(inputBytes); StringBuilder sb = new StringBuilder(); for (int i = 0; i < hashBytes.Length; i++) { sb.Append(hashBytes[i].ToString("x2")); } return sb.ToString(); } }
Why use MD5.Create()? Creates a cryptographic service provider that calculates MD5 hashes efficiently.
For scenarios where you need to hash the contents of a file:
using System; using System.IO; using System.Security.Cryptography; string ComputeFileMD5(string filePath) { using (var md5 = MD5.Create()) using (var stream = File.OpenRead(filePath)) { byte[] hashBytes = md5.ComputeHash(stream); StringBuilder sb = new StringBuilder(); for (int i = 0; i < hashBytes.Length; i++) { sb.Append(hashBytes[i].ToString("x2")); } return sb.ToString(); } }
Why hash files this way? Streams the file content directly through the hash algorithm without loading the entire file into memory.
⚠️ Caution: MD5 is considered cryptographically broken and unsuitable for security purposes. For security-sensitive applications, use SHA-256 or better:
using (SHA256 sha256 = SHA256.Create()) { // Use the same pattern as MD5 examples // Just replace MD5.Create() with SHA256.Create() }
MD5 is still useful for non-security purposes like checksums and data verification.
Storing passwords as plain text is dangerous. Instead, you should hash them using a strong, slow hashing algorithm like BCrypt, which includes built-in salting and resistance to brute-force attacks.
Step 1: Install BCrypt NuGet Package
Before using BCrypt, install the BCrypt.Net-Next package:
dotnet add package BCrypt.Net-Next
or via NuGet Package Manager:
Install-Package BCrypt.Net-Next
Step 2: Hash a Password
Use BCrypt.HashPassword() to securely hash a password before storing it:
using BCrypt.Net; string password = "mySecurePassword123"; string hashedPassword = BCrypt.HashPassword(password); Console.WriteLine(hashedPassword); // Output: $2a$12$...
Step 3: Verify a Password
To check a user's login attempt, use BCrypt.Verify():
bool isMatch = BCrypt.Verify("mySecurePassword123", hashedPassword); Console.WriteLine(isMatch); // Output: True
Ensuring proper hashing should be at the top of your list when it comes to building authentication systems.
Closing a SqlDataReader correctly prevents memory leaks, connection issues, and unclosed resources. Here’s the best way to do it.
Using using statements ensures SqlDataReader and SqlConnection are closed even if an exception occurs.
using (SqlConnection conn = new SqlConnection(connectionString)) { conn.Open(); using (SqlCommand cmd = new SqlCommand("SELECT * FROM Users", conn)) using (SqlDataReader reader = cmd.ExecuteReader()) { while (reader.Read()) { Console.WriteLine(reader["Username"]); } } // ✅ Auto-closes reader here } // ✅ Auto-closes connection here
This approach auto-closes resources when done and it is cleaner and less error-prone than manual closing.
If you need explicit control, you can manually close it inside a finally block.
SqlDataReader? reader = null; try { using SqlConnection conn = new SqlConnection(connectionString); conn.Open(); using SqlCommand cmd = new SqlCommand("SELECT * FROM Users", conn); reader = cmd.ExecuteReader(); while (reader.Read()) { Console.WriteLine(reader["Username"]); } } finally { reader?.Close(); // ✅ Closes reader if it was opened }
This is slightly more error prone if you forget to add a finally block. But might make sense when you need to handle the reader separately from the command or connection.
When working with URLs in C#, encoding is essential to ensure that special characters (like spaces, ?, &, and =) don’t break the URL structure. The recommended way to encode a string for a URL is by using Uri.EscapeDataString(), which converts unsafe characters into their percent-encoded equivalents.
string rawText = "hello world!"; string encodedText = Uri.EscapeDataString(rawText); Console.WriteLine(encodedText); // Output: hello%20world%21
This method encodes spaces as %20, making it ideal for query parameters.
For ASP.NET applications, you can also use HttpUtility.UrlEncode() (from System.Web), which encodes spaces as +:
using System.Web; string encodedText = HttpUtility.UrlEncode("hello world!"); Console.WriteLine(encodedText); // Output: hello+world%21
For .NET Core and later, Uri.EscapeDataString() is the preferred choice.
Register for my free weekly newsletter.