Login form validation in C#

Updated: 2023-12-03 14:54:52

First of all, the password is never stored anywhere. Don't you see that storing the password is wrong and totally insecure?

You never need a password in its original form for authentication. One of the usual and simple techniques is using a cryptographic hash function of a password. You store only a password hash in your database, calculate a password hash based on the user input each time the user tries to authenticate, and compare the newly calculated hash value with the hash value stored in your database. A good hash function is practically infeasible to invert, so no one can calculate the original password even having full access to the database.

Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function

Don't use MD5 for any security: this algorithm is considered broken, please see:
http://en.wikipedia.org/wiki/MD5

Instead, you can use one of the Secure Hash Algorithms (SHA):
http://en.wikipedia.org/wiki/SHA2

The classes implementing those algorithms are available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx

If you want to perform the calculation of the cryptographic hash function in .NET only, it means on the server side only, it means that the original password should still be passed through the network, so a spy can pick it up. Therefore, safe authentication should only use the secure HTTPS protocol, not HTTP.

Please see:
http://en.wikipedia.org/wiki/HTTPS

—SA



First you should validate that the entered username & password are not blank or null. Then the next task:

I think you have a common class for SQLConnection:
Such as ConnectionManager.cs or DBConnection.
If you have not created a class like this..

using System;
using System.Configuration;
using System.Data.SqlClient;

public class DBConnection
{
    public static SqlConnection GetConnection()
    {
        // Retrieve the connection string named "MyConn" from the App.config file
        return new SqlConnection(ConfigurationManager.ConnectionStrings["MyConn"].ConnectionString);
    }

    public static bool CheckLogin(string userName, string userPass)
    {
        // Parameterised query: the user input is bound as parameters, never
        // concatenated into the SQL text
        string selectString =
            "SELECT username, password " +
            "FROM forum_members " +
            "WHERE username = @username AND password = @password";

        using (SqlConnection conn = GetConnection())
        using (SqlCommand mySqlCommand = new SqlCommand(selectString, conn))
        {
            mySqlCommand.Parameters.AddWithValue("@username", userName);
            mySqlCommand.Parameters.AddWithValue("@password", userPass);

            conn.Open();
            // ExecuteScalar returns the first column of the first row,
            // or null when no row matches
            object result = mySqlCommand.ExecuteScalar();
            return result != null;
        }
    }
}


You can get a Connection without Appconfig

public static SqlConnection GetConnection()
{
    // Connection string given inline instead of being read from the App.config file
    return new SqlConnection("Data Source=Servername;Initial Catalog=Marketing;Integrated Security=SSPI");
}



In loginForm use it like this

private void loginbtn_Click(object sender, EventArgs e)
{
    if (DBConnection.CheckLogin(txtUserName.Text.Trim(), txtUserPass.Text.Trim()))
    {
        MessageBox.Show("Login Successful");
    }
    else
    {
        MessageBox.Show("User does not exist or wrong password");
        txtUserName.Focus();
    }
}








I think you have your answer.