使用SHA1在Sql Server 2008上加密密码 [英] Encrypt passwords on Sql Server 2008 using SHA1
问题描述
我设计了一个登录系统,使用C#,在加载主页之前,在SQL Server 2008中检查用户名和密码。我想加密数据库上存储的密码。是否可以使用C#和SHA1算法?
以下是我的存储过程:
ALTER程序[dbo]。[proc_UserLogin]
@userid varchar(20),
@password nvarchar(50)
As
声明
@ReturnVal varchar(500)
SET NOCOUNT ON
如果存在(从loginManager中选择userid,密码,userid = @ userid和密码= @ password)
set @ ReturnVal ='0 |成功登录'
else
set @ ReturnVal ='1 |登录失败/用户名不存在'
选择@ReturnVal
C#代码
public void button1_Click(object sender,EventArgs e)
{
mainform = new Form1();
string [] v;
OleDbConnection conn = new OleDbConnection(File Name = E:\\Vivek\\\License Manager\\License Manager\\login.udl);
try
{
conn.Open();
string query =EXEC dbo.proc_UserLogin'+ username.Text +','+ password.Text +';
OleDbCommand cmd = new OleDbCommand(query,conn);
string s = Convert.ToString(cmd.ExecuteScalar());
v = s.Split('|');
if(v [0] ==0)
{
mainform.Show();
this.Hide();
}
else
{
MessageBox.Show(请输入正确的用户凭证并重试);
}
}
catch(Exception ex)
{
MessageBox.Show(ex.Message);
}
conn.Close();
}
我已经经历了其他用户在这里提出的类似问题,但他们不为我工作。任何人都可以建议修改代码,以便密码加密可以实现?
谢谢
https://crackstation.net/hashing- security.htm
https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-如何存储密码
正如我在评论中所说,散列密码是您可能不应该做的事情。 / p>
需要注意的几件事:
- SHA1不推荐用于密码
-
- 密码应该是咸的
- 你应该我们ea验证用户库框架,而不是尝试创建自己的框架,因为您可能会做错
- 我确定还有更多的
正如所述,为了完成你的具体问题,你会想要这样的:
用户
----
userId
passwordHashed
passwordHashed存储用户密码的散列版本(纯文本密码永远不会存储在持久性的任何地方。)
用于检查有效密码这样做:
ALTER程序[dbo]。[proc_UserLogin]
@userid varchar(20) ,
@password nvarchar(50)
As
声明
@ReturnVal varchar(500)
SET NOCOUNT ON
如果存在(select userid,password from LoginManager where userid = @ userid and password = HASHBYTES('SHA1',@password))
set @ ReturnVal ='0 | L
else
set @ ReturnVal ='1 |登录失败/用户名不存在'
选择@ReturnVal
为了插入/更新用户密码,您需要确保将散列密码存储为不是纯文本密码;
INSERT INTO用户(userId,passwordHashed)
VALUES(@userId,HASHBYTES('SHA1',@rawPassword)
或
UPDATE用户
SET passwordHased = HASHBYTES('SHA1',@rawPassword)
WHERE userId = @userId
编辑:
只是意识到你在问如何在C#中完成哈希,而不是SQL。您可以执行以下操作(取自使用SHA1算法在C#中进行散列 ):
public string Hash(byte [] temp)
{
using(SHA1Managed sha1 = new SHA1Managed())
{
var hash = sha1.ComputeHash(temp);
return Convert.ToBase64String(hash);
}
}
您的代码剪辑可能是:
conn.Open();
string query =EXEC dbo.proc_UserLogin'+ username.Text +','+ this.Hash(System.Text.Encoding.UTF8.GetBytes(password.Text))+';
OleDbCommand cmd = new OleDbCommand(query,conn);
您还应该注意,您应该将参数设置为存储过程,而不是以这种方式传递你是 - 它看起来像已经有一个单独的问题。
I have designed a Log In System using C# where the username and password is checked in SQL server 2008 before loading the main page. I wish to encrypt the stored password on the database. Is it possible to do it using C# and SHA1 algorithm?
Following is my stored procedure:
ALTER procedure [dbo].[proc_UserLogin]
@userid varchar(20),
@password nvarchar(50)
As
declare
@ReturnVal varchar(500)
SET NOCOUNT ON
if exists(select userid,password from LoginManager where userid=@userid and password=@password)
set @ReturnVal='0|Logged in Successfully'
else
set @ReturnVal='1|Login Failed/Username does not exist'
select @ReturnVal
C# Code
public void button1_Click(object sender, EventArgs e)
{
mainform = new Form1();
string[] v;
OleDbConnection conn = new OleDbConnection("File Name=E:\\Vivek\\License Manager\\License Manager\\login.udl");
try
{
conn.Open();
string query = "EXEC dbo.proc_UserLogin'" + username.Text+ "', '" + password.Text+"'";
OleDbCommand cmd = new OleDbCommand(query, conn);
string s = Convert.ToString(cmd.ExecuteScalar());
v= s.Split('|');
if (v[0]=="0")
{
mainform.Show();
this.Hide();
}
else
{
MessageBox.Show("Please enter correct user credentials and try again");
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
conn.Close();
}
I have gone through similar questions asked by other users here, but they were not working for me. Can anyone suggest changes to the code, so that password encryption can be accomplished?
Thanks
https://crackstation.net/hashing-security.htm
https://www.bentasker.co.uk/blog/security/201-why-you-should-be-asking-how-your-passwords-are-stored
As I stated in my comments, hashing passwords is something that you probably shouldn't be doing yourself.
A few things to note:
- SHA1 is not recommended for passwords
- Passwords should be salted
- You should use a verified userstore framework rather than attempting to create your own, as you will likely "do it wrong"
- I'm sure there are many more
That being said, to accomplish your specific question, you would want something like this:
Users
----
userId
passwordHashed
passwordHashed stores a hashed version of the user's password (the plain text password is never stored anywhere in persistence.)
for checking for valid password something like this is done:
ALTER procedure [dbo].[proc_UserLogin]
@userid varchar(20),
@password nvarchar(50)
As
declare
@ReturnVal varchar(500)
SET NOCOUNT ON
if exists(select userid,password from LoginManager where userid=@userid and password=HASHBYTES('SHA1', @password))
set @ReturnVal='0|Logged in Successfully'
else
set @ReturnVal='1|Login Failed/Username does not exist'
select @ReturnVal
For inserting/updating user passwords, you need to make sure to store the hashed password not the plain text password, as such;
INSERT INTO users(userId, passwordHashed)
VALUES (@userId, HASHBYTES('SHA1', @rawPassword)
or
UPDATE users
SET passwordHased = HASHBYTES('SHA1', @rawPassword)
WHERE userId = @userId
EDIT:
just realized you're asking how to accomplish the hash in C#, not SQL. You could perform the following (taken from Hashing with SHA1 Algorithm in C#):
public string Hash(byte [] temp)
{
using (SHA1Managed sha1 = new SHA1Managed())
{
var hash = sha1.ComputeHash(temp);
return Convert.ToBase64String(hash);
}
}
Your code snip could be:
conn.Open();
string query = "EXEC dbo.proc_UserLogin'" + username.Text+ "', '" + this.Hash(System.Text.Encoding.UTF8.GetBytes(password.Text))+"'";
OleDbCommand cmd = new OleDbCommand(query, conn);
You should also note that you should parameterize your parameters to your stored procedure rather than passing them in the manner you are - which it looks like you already have a separate question in regarding that.
这篇关于使用SHA1在Sql Server 2008上加密密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
