How to compare encrypted password in database with newly entered password during login in VB.NET?


Problem description

I'm doing a registration and login form where I already encrypted the password when the user entered the password in the registration phase. So for login I know that I need to compare the encrypted password in the database with the newly entered encrypted password during login. I don't know if I'm missing some code or writing the wrong code. I know that this question has been asked a few times, but I hope I can get some help here.

Here is the code for the login button:

' Requires Imports System.Data.OleDb at the top of the form file.
' The attempt counter must be declared at form level so it survives between clicks.
Private LoginAttempts As Integer = 0

Private Sub SubmitButton4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles SubmitButton4.Click
        'Check if username or password is empty
        If PasswordTextBox1.Text = "" OrElse UsernameTextBox2.Text = "" Then
            MessageBox.Show("Please fill-up all fields!", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)

            'Clear all fields
            PasswordTextBox1.Text = ""
            UsernameTextBox2.Text = ""

            'Focus on Username field
            UsernameTextBox2.Focus()

        Else
            'Connect to DB
            Dim conn As New OleDbConnection()
            conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" + "C:\Users\user1\Documents\Visual Studio 2010\Projects\Crypto\Crypto\crypto.accdb"

            Try
                'Open Database Connection
                conn.Open()

                'The string concatenation here is the SQL injection problem the answer
                'below addresses; it is left as the poster wrote it. [Password] is
                'bracketed to be safe, since PASSWORD is a reserved word in Access SQL.
                Dim sql As String = "SELECT [Password] FROM registration WHERE Username='" & Encrypt(UsernameTextBox2.Text) & "'"

                Dim cmd As OleDbCommand = New OleDbCommand(sql, conn)

                'The original called ExecuteReader() and then ExecuteScalar() on the same
                'command: the still-open reader makes the second call throw, and the
                'Catch below reported that as a connection failure. One ExecuteScalar()
                'is enough here; it returns Nothing when no row matches the username.
                Dim result As Object = cmd.ExecuteScalar()
                Dim password As String = If(result Is Nothing OrElse result Is DBNull.Value, Nothing, result.ToString())

                'Unknown username is a failed login, not a NullReferenceException
                If password IsNot Nothing AndAlso password = Encrypt(PasswordTextBox1.Text) Then

                    PasswordTextBox1.Clear()
                    UsernameTextBox2.Clear()

                    'Focus on Username field
                    UsernameTextBox2.Focus()
                    Me.Hide()
                    Mainpage.Show()
                Else
                    LoginAttempts = LoginAttempts + 1
                    If LoginAttempts >= 3 Then
                        'Too many failures: shut the application down cleanly
                        Application.Exit()
                    Else
                        ' If user enters wrong username or password
                        MessageBox.Show("Sorry, wrong username or password", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Error)

                        'Clear all fields
                        PasswordTextBox1.Text = ""
                        UsernameTextBox2.Text = ""

                        'Focus on Username field
                        UsernameTextBox2.Focus()
                    End If
                End If
            Catch ex As Exception
                'Every exception lands here, not only connection failures; inspect
                'ex.Message in the debugger when "it has an error" is all you can see.
                MessageBox.Show("Failed to connect to Database", "Database Connection Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
                'Clear all fields
                PasswordTextBox1.Text = ""
                UsernameTextBox2.Text = ""
            Finally
                'Always release the connection, even after an exception
                conn.Close()
            End Try
        End If

    End Sub

What I have tried:

I already found the solution https://stackoverflow.com/questions/29032706/c-sharp-encrypted-login and tried to follow the code, but it still has an error.

Recommended answer

Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Always use parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

DROP TABLE MyTable;

A perfectly valid "delete the table" command

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Have a look here: Password Storage: How to do it. - the code is in C# but it's pretty obvious, and this can convert it if you really can't understand it: Code Converter C# to VB and VB to C# – Telerik

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.
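The VB.NET below is an added example, not code from the poster or from the answer, showing the two things the answer asks for in one place: the lookup done with an OleDb parameter instead of string concatenation, and the password stored as a salted PBKDF2 hash (Rfc2898DeriveBytes) rather than a reversible "encrypted" value. It assumes the table and column names from the question (registration, Username, Password), that the caller opens the OleDbConnection, and that the username is stored in clear rather than passed through the poster's Encrypt() first. Two caveats worth knowing before relying on the answer's illustration: the ACE OLE DB provider runs one statement per command, so the "x';DROP TABLE MyTable;--" batch fails against Access, but a username such as x' OR '1'='1 rewrites the WHERE clause just the same; and in the question's code the concatenated value passes through Encrypt(), whose output is not shown, so if that output is hex or Base64 the quote never reaches SQL, which is an accident of encoding rather than a defence.

```vb
Imports System
Imports System.Data.OleDb
Imports System.Security.Cryptography

' Added example (not the poster's or the answer's code). Assumes a table
' registration(Username, Password) and an OleDbConnection opened by the caller.
Public Module SecureLogin

    Private Const SaltSize As Integer = 16
    Private Const HashSize As Integer = 32
    Private Const Iterations As Integer = 100000

    ' Precomputed once so an unknown username costs the same KDF time as a wrong password.
    Private ReadOnly DummyHash As String = HashPassword("not-a-real-password")

    ' Returns "iterations$salt$hash" (Base64 parts) for storage in the Password column.
    Public Function HashPassword(ByVal password As String) As String
        Dim salt(SaltSize - 1) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(salt)
        End Using
        ' PBKDF2 with HMAC-SHA1, available since .NET 2.0 (IDisposable since 4.0).
        ' On .NET 4.7.2+ prefer the overload that takes HashAlgorithmName.SHA256.
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Dim hash As Byte() = kdf.GetBytes(HashSize)
            Return Iterations.ToString() & "$" & Convert.ToBase64String(salt) & "$" & Convert.ToBase64String(hash)
        End Using
    End Function

    ' Re-derives the hash from the candidate password and the stored salt, then
    ' compares in constant time so a mismatch leaks nothing about the matching prefix.
    Public Function VerifyPassword(ByVal password As String, ByVal stored As String) As Boolean
        Dim parts As String() = stored.Split("$"c)
        If parts.Length <> 3 Then Return False
        Dim iterations As Integer = Integer.Parse(parts(0))
        Dim salt As Byte() = Convert.FromBase64String(parts(1))
        Dim expected As Byte() = Convert.FromBase64String(parts(2))
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations)
            Dim actual As Byte() = kdf.GetBytes(expected.Length)
            Return FixedTimeEquals(actual, expected)
        End Using
    End Function

    ' Manual constant-time compare; CryptographicOperations.FixedTimeEquals needs .NET Core 2.1+.
    Private Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Registration: store the hash, never the password or a reversible ciphertext.
    Public Sub Register(ByVal conn As OleDbConnection, ByVal username As String, ByVal password As String)
        ' [Password] is bracketed to be safe: PASSWORD is a reserved word in Access SQL.
        Using cmd As New OleDbCommand("INSERT INTO registration (Username, [Password]) VALUES (?, ?)", conn)
            ' OleDb parameters are positional: the order of Add calls matches the ? marks,
            ' the names are ignored by the provider.
            cmd.Parameters.AddWithValue("@username", username)
            cmd.Parameters.AddWithValue("@password", HashPassword(password))
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' Login: the user-supplied username travels as a parameter value, so a string
    ' such as x' OR '1'='1 is matched literally instead of rewriting the query.
    ' The password itself never goes near SQL; it is verified in code.
    Public Function Login(ByVal conn As OleDbConnection, ByVal username As String, ByVal password As String) As Boolean
        Dim stored As Object
        Using cmd As New OleDbCommand("SELECT [Password] FROM registration WHERE Username = ?", conn)
            cmd.Parameters.AddWithValue("@username", username)
            stored = cmd.ExecuteScalar()   ' Nothing when the username does not exist
        End Using
        If stored Is Nothing OrElse stored Is DBNull.Value Then
            ' Unknown user: still run the KDF so response time does not reveal
            ' which usernames exist; the result is discarded.
            VerifyPassword(password, DummyHash)
            Return False
        End If
        Return VerifyPassword(password, CStr(stored))
    End Function

End Module
```

In the button handler this replaces the concatenated SELECT and the Encrypt() comparison with one call, If Login(conn, UsernameTextBox2.Text, PasswordTextBox1.Text) Then, inside the same Try/Finally that opens and closes the connection. Rows written by the original Encrypt() cannot be checked by VerifyPassword, so existing accounts need their Password value replaced with HashPassword() output, either at the next successful login through the old path or by a one-off reset.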