插入数据库时散列加密密码 [英] Hash encrypting password when inserting into database
问题描述
我正在为学校申请,在将密码插入我的用户数据库时,我需要帮助加密密码.我正在使用 c# 编程语言进行编程,我正在使用 MS server 2008 R2 来操作我的数据库.我正在考虑进行 HASH 加密,如果有人帮助我,我会很高兴.
I'm doing an application for school and I'm in need of help in encrypting passwords when inserting them into my users database.I'm programming in c# programming language and i'm using MS server 2008 R2 for manipulating my database. I'm thinking of doing a HASH encryption and I would love if someone helped me out.
这是我将数据插入数据库的代码:
Here's my code for inserting data into database :
using (SqlConnection con = new SqlConnection("Data Source=HRC0;Initial Catalog=users;Integrated Security=True")) //MLHIDE
using (SqlCommand sc = new SqlCommand("if NOT exists (select * from users where UserName = @username) insert into users (userName, password) values(@userName, @password)", con))
{
con.Open();
sc.Parameters.AddWithValue("@username", korisnik.Text);
sc.Parameters.AddWithValue("@password", pass.Text);
int o = sc.ExecuteNonQuery();
if (o == -1)
{
MessageBox.Show(Ulaz.Properties.Resources.Niste_ubačeni_u_bazi_korisničk);
this.Hide();
new Registracija().Show();
}
else
{
MessageBox.Show(Ulaz.Properties.Resources.Ubačeni_ste_u_bazi);
con.Close();
this.Hide();
new Form1().Show();
}
这是我的登录检查代码:
and here's my code for login check :
SqlConnection con = new SqlConnection("Data Source=HRC0;Initial Catalog=users;Integrated Security=True");
SqlCommand cmd = new SqlCommand("select * from users where userName='" + user.Text + "' and password='" + pass.Text + "'", con); //MLHIDE
con.Open();
SqlDataReader re = cmd.ExecuteReader();
if (re.Read())
{
ImeUsera = user.Text;
new UserMode().Show();
this.Hide();
}
else
{
this.Hide();
new LoginFail().Show();
}
}
我使用了一些多语言插件,因此他将我的字符串转换为 ''Ulaz.Properties.Resources.'' 和类似的.
I used some Multi-Language add-on so he converted my strings into ''Ulaz.Properties.Resources.'' and simmilar.
推荐答案
要散列文本字符串,您可以使用这样的函数
To hash a string of text you could use a function like this
private string GetHashedText(string inputData)
{
byte[] tmpSource;
byte[] tmpData;
tmpSource = ASCIIEncoding.ASCII.GetBytes(inputData);
tmpData = new MD5CryptoServiceProvider().ComputeHash(tmpSource);
return Convert.ToBase64String(tmpData);
}
并应用于您的用户输入.然后将结果存储在数据库中.登录时,您将哈希函数重新应用于输入的密码,并根据存储的值检查结果.
and apply to your user input. Then store the result in the database. At login you reapply the hash function to the typed password and check the result against the stored value.
所以在你的插入代码中你写
So in your insert code you write
sc.Parameters.AddWithValue("@password", GetHashedText(pass.Text));
在你的支票上
....
SqlCommand cmd = new SqlCommand("select * from users where userName=@user and password=@pass", con);
con.Open();
cmd.Parameters.AddWithValue("@user",user.Text);
cmd.Parameters.AddWithValue("@pass", GetHashedText(pass.Text));
SqlDataReader re = cmd.ExecuteReader();
if (re.Read())
.....
请记住,哈希是不可逆的,因此您无法从哈希文本中检索原始密码.您将 Hash 函数应用于您的文本并将其存储为 base64 字符串.如果您的用户忘记了密码,您需要将其重置为已知值.没办法告诉他原来的密码.
Remember that Hashing is not reversible, so you cannot retrieve the original password from the hashed text. You apply the Hash function to your text and store it as a base64 string. If your user forgets the password, you need to reset it to a known value. There is no way to tell him the original password.
顺便问一下,为什么在你的检查中你不像在插入代码中那样使用参数?永远不要使用字符串连接来构建 sql 查询.即使你急于完成工作
By the way, why in your check you don't use parameters as you do in the insert code? Never use string concatenation to build sql queries. Even if you're in a hurry to finish the job
这篇关于插入数据库时散列加密密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
