Problem with random password creation and sending email


Problem description

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Net.Mail;

public partial class _Default : System.Web.UI.Page
{
    string combine;
    Random r1 = new Random();

    // Connection string (including the sa password) is hard-coded in the page.
    SqlConnection con = new SqlConnection("server=DIPESH-PC\\SQLEXPRESS;uid=sa;pwd=rerf;database=E-REGISTRATION");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Convert.ToString returns "" for a missing session value instead of throwing.
        Label21.Text = Convert.ToString(Session["s1"]);
        if (!Page.IsPostBack)
        {
            for (int i = 2012; i <= System.DateTime.Now.Year; i++)
            {
                DropDownList1.Items.Add(i.ToString());
            }
        }

        // Builds the e-mail address from the user-name box and the domain drop-down.
        combine = TextBox5.Text + "@" + DropDownList3.SelectedItem.Text;
    }

    protected void ImageButton1_Click(object sender, ImageClickEventArgs e)
    {
        con.Open();
        // r1.ToString() yields the type name "System.Random", not a random value.
        string s2 = Convert.ToString(r1.ToString());
        // Form values are concatenated straight into the SQL text, with no column list.
        SqlCommand cmd = new SqlCommand("insert into std_admin values('" + DropDownList1.Text + "','" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "','" + DropDownList2.Text + "','" + combine + "','" + TextBox6.Text + "')", con);
        cmd.ExecuteNonQuery();

        MailMessage mailMessage = new MailMessage(new MailAddress("raj.bhattacharya7@gmail.com"),
                                                  new MailAddress(combine));
        mailMessage.Subject = "Welcome To Regent Education & Research Foundation";
        mailMessage.IsBodyHtml = true;
        mailMessage.Body = "Email Id :-" + combine + " Password :-" + s2;

        // SMTP credentials are hard-coded as well.
        System.Net.NetworkCredential networkCredentials =
            new System.Net.NetworkCredential("raj.bhattacharya78@gmail.com", "1234567890");

        SmtpClient smtpClient = new SmtpClient();
        smtpClient.EnableSsl = true;
        smtpClient.UseDefaultCredentials = false;
        smtpClient.Credentials = networkCredentials;
        smtpClient.Host = "smtp.gmail.com";
        smtpClient.Port = 587;
        smtpClient.Send(mailMessage);
        con.Close();
        Label22.Text = "Jeca Rank  :" + TextBox1.Text + "  Data Inserted Successfully on  " + System.DateTime.Now.ToShortDateString();
    }
}

Recommended answer


Quite frankly, what is pretty clear from that code is that you haven't thought much about what you are doing...

For example:
string s2 = Convert.ToString(r1.ToString());


What possible effect do you expect Convert.ToString to have on an item which is already a string, and can't be anything else since you have called ToString on an object already? That is like taking a bank note, turning it over twice and expecting it to be a different denomination...
And...it's part of your problem.

You declare r1 above:

Random r1 = new Random();


So what do you expect ToString to return for a Random object? It doesn't return a random value, because it has no idea what range of values you will want. It returns the name of the class:

System.Random

Using a "random number" as a password is silly at the best of times: if you want the user to change it to something he can remember, then send him a GUID:

string s2 = Guid.NewGuid().ToString();


He won't want to type that in each time!

But the rest of your code is as muddled:
1) It's wide open to database damage due to SQL Injection attacks: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks which can destroy your entire database. Use parameterized queries instead.
2) It doesn't list the fields you want to put the values into, so it is completely dependent on you not changing any column orders:

INSERT INTO std_admin (id, username, ...) VALUES (....


3) It uses standard VS names for controls - which is just lazy and will bite you when you come back and can't remember which is supposed to hold what value.
4) It is a major security risk. Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
5) Your connection string is hardcoded, so when you move to a production server it suddenly won't work at all any more. Use configuration settings!
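The points in the answer (a real random secret instead of Random.ToString(), a parameterized INSERT with an explicit column list, hashed rather than clear-text password storage, and a connection string read from configuration) fit together into one corrected registration path. The following is an added example written for this page; it is not the original poster's code and not the answer's. It assumes .NET Framework 4.7.2 or later (for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName) with a reference to System.Configuration, a std_admin table whose column names are invented here because the question never lists them, a web.config connectionStrings entry named "E-REGISTRATION", and that the caller mails the returned temporary password itself. Because every value travels as a SqlParameter, a form field containing something like `'); DROP TABLE std_admin;--` is stored as a string instead of becoming part of the statement, which is the attack the answer's point 1 warns about.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original poster's or the answer's code.
// Assumed: .NET Framework 4.7.2+, a std_admin table with the (invented) columns
// used below, and a connection string named "E-REGISTRATION" in web.config.
public static class Registration
{
    const int SaltBytes = 16;
    const int HashBytes = 32;
    const int Pbkdf2Iterations = 100000;

    // Temporary password from the OS CSPRNG, never System.Random.
    // Rejection sampling keeps every alphabet character equally likely
    // (256 is not a multiple of the alphabet size, so "byte % size" alone is biased).
    // Ambiguous glyphs (0/O, 1/l/I) are left out because the user has to type it.
    public static string NewTemporaryPassword(int length = 12)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
        int limit = 256 - (256 % alphabet.Length);
        var sb = new StringBuilder(length);
        var oneByte = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            while (sb.Length < length)
            {
                rng.GetBytes(oneByte);
                if (oneByte[0] < limit)
                    sb.Append(alphabet[oneByte[0] % alphabet.Length]);
            }
        }
        return sb.ToString();
    }

    // Salted PBKDF2-HMAC-SHA256, stored as "iterations.salt.hash" (salt and hash base64).
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash = Pbkdf2(password, salt, Pbkdf2Iterations);
        return Pbkdf2Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    // What the login page calls later; the iteration count travels with the record,
    // so it can be raised for new users without breaking existing ones.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Pbkdf2(password, salt, iterations);
        // Constant-time compare so timing does not reveal how many leading bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Parameterized INSERT with an explicit column list: the values can never be
    // parsed as SQL, and reordering the table's columns cannot silently shift data.
    // Returns the plaintext temporary password so the caller can mail it; the
    // database only ever sees the salted hash.
    public static string RegisterStudent(string jecaRank, string name, string email, string admissionYear)
    {
        string tempPassword = NewTemporaryPassword();
        string connectionString =
            ConfigurationManager.ConnectionStrings["E-REGISTRATION"].ConnectionString;

        const string sql =
            "INSERT INTO std_admin (jeca_rank, name, email, admission_year, password_hash) " +
            "VALUES (@jecaRank, @name, @email, @admissionYear, @passwordHash)";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@jecaRank", SqlDbType.NVarChar, 20).Value = jecaRank;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;
            cmd.Parameters.Add("@admissionYear", SqlDbType.NVarChar, 4).Value = admissionYear;
            cmd.Parameters.Add("@passwordHash", SqlDbType.NVarChar, 200).Value = HashPassword(tempPassword);
            con.Open();
            cmd.ExecuteNonQuery();
        }
        return tempPassword;
    }
}
```

In the question's click handler, `Registration.RegisterStudent(TextBox1.Text, TextBox2.Text, combine, DropDownList1.Text)` would replace the concatenated INSERT, and the string it returns is what goes into the mail body in place of `s2`. The SMTP user name and password in the question belong in configuration for the same reason as the connection string: anything hard-coded in the page ends up in source control and in every copy of the site.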

