密码包含中的问题 [英] Prolem in password encraption

问题描述

当我使用时

When i am using

string EncraptedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "SHA1");

那么我的密码是加密并保存在sql数据库中，但问题是保存在sql server数据库表中的密码不是全长（意味着当我在asp.net中使用工具提示时，当时封装的密码长度较大但不是只保存一半数据库表中的密码长度）



当我要使用相同的HashPassword登录和封装密码.....

at那个时候没有登录，因为密码不匹配。



我尝试了什么：

then my password is encrypted and saved in sql database but problem is the password that is saved in sql server database table is not full length(means when i'm using tooltip in asp.net at that time encrapted password lenght is bigger but not it is saving only half of length password in database table)

when i'm going to login and encrapting password using same HashPassword.....
at that time it is not login because password is not matching.

What I have tried:

string uname = txtUsername.Text;
string pass = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text.Trim(), "SHA1");
            con.Open();
            string qry = "select * from tblUser where Email='" + uname + "' and Pasword='" + pass + "'";
            SqlCommand cmd = new SqlCommand(qry, con);
            SqlDataReader sdr = cmd.ExecuteReader();
            if (sdr.Read())
            {
                Response.Redirect("~/Home.aspx");
            }
            else
            {
                lblMeg.Visible = true;
            }

推荐答案

不要这样做。永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。改为使用参数化查询。



连接字符串时会导致问题，因为SQL会收到如下命令：

Don't do it like that. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

就SQL而言，用户添加的引号会终止字符串，并且您会遇到问题。但情况可能更糟。如果我来并改为输入：x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令：

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

哪个SQL看作三个单独的命令：

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

完全有效的SELECT

A perfectly valid SELECT

DROP TABLE MyTable;

完全有效的删除表格通讯和

A perfectly valid "delete the table" command

--'

其他一切都是评论。

所以它确实：选择任何匹配的行，从数据库中删除表，并忽略其他任何内容。



所以总是使用参数化查询！或者准备好经常从备份中恢复数据库。你定期做备份，不是吗？



这在登录系统中尤其重要，因为它们允许我在没有登录的情况下这样做，或绕过你的登录程序完全输入我的用户名

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

This is particularly important in login systems, because they allow me do do this without logging in, or to bypass your login procedure completely by entering my username as

admin';--

这意味着我不需要密码。

此外，您将密码存储为字符串，这是浪费且不必要的。

将其存储为VARBINARY列，直接发送散列值，以及何时检查，您使用userID通过参数化查询检索散列字节。然后你的C＃代码比较哈希并决定用户是否被授权。

Which means that I don't need a password.
In addition, you are storing the password as a string, which is wasteful and unnecessary.
Store it as a VARBINARY column, send the hashed value directly, and when you want to check, you use the userID to retrieve the hashed bytes via a parameterised query. Your C# code then compares the hashes and decides if the user is authorised.

首先，它是加密，而不是加密。好吧，除非你用文字垃圾包装密码。



哈希密码或其他任何东西都不加密。在您的情况下，您正在使用加密哈希，这是原始对象的数学表示，无法撤消。您无法解密哈希以获取原始值。



哈希并不意味着您将获得与原始对象相同的字节数。很可能你会获得与原始对象不同的字节数。



使用encyption，你可以恢复原始对象。不要使用普通文本或加密来存储密码！始终使用加密哈希并存储散列值。

First, it's "encryption", not "encraption". Well, unless your encasing passwords in literal "crap".

Hashing a password, or anything else, is not encrypting it. In your case, you're using a cryptographic hash, a mathematical representation of the original object that cannot be undone. You cannot decrypt a hash to get the original value back.

Hashing does not mean you're going to get the same number of bytes out as the original object. Chances are good that you're going to get a different number of bytes than the original object contained.

With "encyption", you can get the original object back. DO NOT USE PLAIN TEXT OR ENCRYPTION TO STORE PASSWORDS!! Always use a cryptographic hash and store the hashed value.

这篇关于密码包含中的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！