用户名和密码验证 vb.net [英] username and password verification vb.net

问题描述

我下面的程序检查用户名和密码是否在数据库中(用visual basic编写并使用Access数据库).但是，该程序有效，当我在不同情况下输入用户名或密码时，它仍然有效.例如，如果我的数据库的用户名是john"，密码是johnspassword"，我的程序接受用户名是JOHN"，密码是JOHNSPASSWORD".

My program below checks if the userName and the password is in the database( written in visual basic and uses Access database). The program works however, when I type in the userName or password in a different case it still works. For example, if my database has the userName as "john" and the password as "johnspassword", my program accepts the username as "JOHN" and password as "JOHNSPASSWORD".

我该如何解决这个问题?

how do i resolve this problem?

Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:\Users\jacob\Desktop\MS Office\project.mdb")
    Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM tblUsers WHERE UserID = '" & txtUserName_Field.Text & "' AND userPassword = '" & txtUserPassword_Field.Text & "' ", con)
    con.Open()
    Dim sdr As OleDbDataReader = cmd.ExecuteReader()
    'If the record can be queried, it means passing verification, then open another form.
    Dim empty =
    Me.Controls.OfType(Of TextBox)().Where(Function(txt) txt.Text.Length = 0)
    If empty.Any Then
        MessageBox.Show(String.Format("Please fill in all the fields required"))
    Else
        If (sdr.Read() = True) Then
            MessageBox.Show("The is valid!")
            Form4.Show()
            Me.Hide()
        Else
            MessageBox.Show("Invalid name or password!")
        End If
    End If
    con.Close()
End Sub

推荐答案

如果您使用密码的散列代替，那么您解决了两个问题:

If you use a hash of the password instead then you solve two problems you have:

• 您不应将密码存储为纯文本
• 哈希将使密码区分大小写

Rfc2898DeriveBytes类适用于创建哈希；您还需要为每个用户在数据库中存储一个随机生成的盐.

The Rfc2898DeriveBytes Class is suitable for creating the hash; you'll need a randomly-generated salt stored in the database for each user too.

有很多网站，例如，Salted Password Hashing - Doing it Right，并附有说明为什么需要加盐和散列.

There are many sites, e.g., Salted Password Hashing - Doing it Right, with explanations of why salting and hashing are desirable.

您仍然需要决定是否需要区分大小写的用户名.

You will still have to decide if you need the username to be case-sensitive.

编辑

看来访问效率不高(即sargable) 方式进行区分大小写的比较，所以您可以简单地从数据库中获取用户名并在您的程序中检查它，如下所示:

It appears that Access doesn't have an efficient (i.e. sargable) way to do a case-sensitive comparison, so you can simply get the username from the database and check it in your program, something like this:

Option Infer On
Option Strict On

Imports System.Data.OleDb
Imports System.Security.Cryptography

Public Class SomeClass

    'TODO: decide on the sizes for the salt and hash
    'TODO: create binary fields in the database of appropriate sizes
    'TODO: consider storing the number of iterations in the database
    Const SALTLENGTH As Integer = 8
    Const HASHLENGTH As Integer = 16
    Const PBKDF2ITERATIONS As Integer = 20000

    Friend Function PBKDF2Hash(password As String, salt As Byte(), iterations As Integer, hashSize As Integer) As Byte()
        Dim hasher As New Rfc2898DeriveBytes(password, salt, iterations)
        Return hasher.GetBytes(hashSize)

    End Function

    Function IsLoginValid(username As String, password As String) As Boolean

        Dim salt(SALTLENGTH - 1) As Byte
        Dim hashedPassword(HASHLENGTH - 1) As Byte
        Dim usernameIsValid = False

        Dim csb As New OleDbConnectionStringBuilder With {
            .Provider = "Microsoft.jet.oledb.4.0",
            .DataSource = "C:\Users\jacob\Desktop\MS Office\project.mdb"
        }

        Using conn As New OleDbConnection(csb.ConnectionString)
            'TODO: use the actual column names
            Using cmd As New OleDbCommand("SELECT UserID, salt, password FROM tblUsers WHERE UserID = ?", conn)
                'TODO: use type of column as specified in the database
                cmd.Parameters.Add(New OleDbParameter With {.OleDbType = OleDbType.VarWChar, .Value = username})
                conn.Open()
                Dim rdr = cmd.ExecuteReader()
                If rdr.HasRows Then
                    rdr.Read()
                    If String.Compare(rdr.GetString(0), username, StringComparison.Ordinal) = 0 Then
                        rdr.GetBytes(1, 0, salt, 0, SALTLENGTH)
                        rdr.GetBytes(2, 0, hashedPassword, 0, HASHLENGTH)
                        usernameIsValid = True
                    End If
                End If

                conn.Close()
            End Using
        End Using

        Dim expectedHash = PBKDF2Hash(password, salt, PBKDF2ITERATIONS, HASHLENGTH)

        If usernameIsValid AndAlso hashedPassword.SequenceEqual(expectedHash) Then
            Return True
        End If

        Return False

    End Function

    Private Sub bnLogin_Click(sender As Object, e As EventArgs) Handles bnLogin.Click
        Dim username = txtUserName_Field.Text
        Dim password = txtUserPassword_Field.Text

        If username.Length = 0 OrElse password.Length = 0 Then
            MessageBox.Show("Please fill in all the fields required.")
            Exit Sub
        End If

        If IsLoginValid(username, password) Then
            ' user has supplied valid credentials
        Else
            MessageBox.Show("Invalid username or password.")
        End If

    End Sub

End Class

当然，您仍然需要创建代码，以便在用户注册时将适当的数据放入数据库中.

Of course, you still have to create the code to put the appropriate data in the database when the user is registered.

这篇关于用户名和密码验证 vb.net的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！