删除存储为数据库中散列的组合框项目c# [英] Remove combo box items that stored as hashed in the database c#
问题描述
我有一个关于在数据库中验证散列文本的问题。现在,已经在数据库中注册的UserType被哈希,如下图所示:
我希望在管理员文本存储为数据库,程序将验证散列并检查验证是否为管理员文本。如果是,那么它将简单地删除组合框列表中的管理员文本。
我通过Hash将UserType存储到数据库的原因是我限制了其他用户类型以获得对系统的完全访问权限,并防止黑客一旦找到它就将数据库中的用户类型更改为管理员(如果我仅通过纯文本存储)。
<上面的图片显示UserType已被哈希,并且被哈希的文本是UserType的管理员。
现在,我添加并存储散列的UserType到这样的数据库:
public static void AddDatabase(string _selectedIndex)
{
using(OleDbConnection connection = new OleDbConnection(connectionString))
{
string query =INSERT INTO [Member]([UserType])VALUE S(@UserType);
connection.Open();
_hashedType = BCrypt.CreateHash(_selectedIndex,BCrypt.GenerateSalt(12));
using(OleDbCommand command = new OleDbCommand(query,connection))
{
command.Parameters.Add(@ UserType,OleDbType.VarChar);
command.Parameters [@ UserType]。Value = _hashedType;
command.ExecuteNonQuery();
}
connection.Close();
void button2_Click(object sender,EventArgs e)
{
SystemManager.AddDatabase(this.comboBox1.Text);
}
无效Registration_Load(object sender,EventArgs e)
{
if(SystemManager.CheckType(Administrator)!= true)
{
this.comboBox1.Items.Add(Administrator);
}
this.comboBox1.Items.Add(Member);
this.comboBox1.SelectedIndex = 0;
}
为了验证它,我像下面的代码一样使用它。但是,一旦我运行该程序,一切都变成空的(组合框下拉列表不显示任何东西(空文本),如下图):
使用(OleDbConnection连接=新的OleDbConnection(SystemManager.connectionString))
{
字符串查询=SELECT COUNT($)$ b $ Checkout(字符串_value1) *)FROM [Member] WHERE [UserType] = @UserType;
connection.Open();
using(OleDbCommand command = new OleDbCommand(query,connection))
{
command.Parameters.Add(@ UserType,OleDbType.VarChar);
command.Parameters [@ UserType]。Value = BCrypt.ValidateHash(_value1,_hashedType);
_count =(int)command.ExecuteScalar();
connection.Close();
}
}
return _count> 0;
}
非常感谢!
我真的很感谢你的回答
您显示的代码包括无条件地将字符串Member添加到您的ComboBox中,然后确定该方法根本没有被调用,或者稍后某些代码正在清除ComboBox。您没有向其他人发布足够完整的样本以了解哪个是正确答案,因此您必须自己调试。第二,我质疑使用哈希值的整个策略,以确保不会有人改变值。如果他们有权访问数据库并可以修改其元素,则他们拥有他们所需的一切。散列敏感信息仅在您可以假设存储的散列本身不能被修改并且您想要其他人提供只有他们知道的某些数据(例如密码)时才有用,以便您可以散列该数据并对其进行比较到存储的散列。当然,这只有在使用安全散列时才有效。
如果我是攻击者而没有salt,并且我有权访问数据库,并且想要更改一个用户的类型不同,我所需要做的就是将我在其他想要更改它的同一类型的其他用户中找到的值复制。在这里你可以用salt,但即使这样做也没有帮助,如果攻击者知道使用的盐和散列算法(这里提供的两条信息);我可以随意从头开始生成哈希。
如果您希望数据库可以安全地应对更改,您不需要让攻击者首先更改它。
p>I have a question regarding the validate a hashed text in the database. Right now, UserType that has been registered in the database is hashed like the image below:
I want it to when there is an Administrator text that is stored as hash in the database, the program will validate the hash and check if the validation is an Administrator text. If yes, then it will simply remove the Administrator text in the combo box list.
The reason why I stored the UserType to the database by Hash, is I am restrict the other UserType to gain full access to the system and to prevent the hacker to change the UserType to the other than Administrator (if I store it by the plain text only) in the database once they found it.
The image above shows that UserType has been hashed, and the text that is hashed is Administrator for the UserType.
Right now, I am add and store the hashed UserType to the database like this:
public static void AddDatabase(string _selectedIndex)
{
using (OleDbConnection connection = new OleDbConnection(connectionString))
{
string query = "INSERT INTO [Member] ([UserType]) VALUES (@UserType)";
connection.Open();
_hashedType = BCrypt.CreateHash(_selectedIndex, BCrypt.GenerateSalt(12));
using (OleDbCommand command = new OleDbCommand(query, connection))
{
command.Parameters.Add("@UserType", OleDbType.VarChar);
command.Parameters["@UserType"].Value = _hashedType;
command.ExecuteNonQuery();
}
connection.Close();
}
}
void button2_Click(object sender, EventArgs e)
{
SystemManager.AddDatabase(this.comboBox1.Text);
}
void Registration_Load(object sender, EventArgs e)
{
if (SystemManager.CheckType("Administrator") != true)
{
this.comboBox1.Items.Add("Administrator");
}
this.comboBox1.Items.Add("Member");
this.comboBox1.SelectedIndex = 0;
}
To validate it, I am using it like the code below. But, once I run the program, everything become empty (the combo box drop down list not shows anything (empty text) like image below):
public static bool CheckType(string _value1)
{
using (OleDbConnection connection = new OleDbConnection(SystemManager.connectionString))
{
string query = "SELECT COUNT(*) FROM [Member] WHERE [UserType] = @UserType";
connection.Open();
using (OleDbCommand command = new OleDbCommand(query, connection))
{
command.Parameters.Add("@UserType", OleDbType.VarChar);
command.Parameters["@UserType"].Value = BCrypt.ValidateHash(_value1, _hashedType);
_count = (int)command.ExecuteScalar();
connection.Close();
}
}
return _count > 0;
}
Thank you very much!
I really appreciate your answer
Two things:
First, since the code you show includes an unconditional add of the string "Member" to your ComboBox, then it is certain either that method is not being called at all, or that some code later is clearing the ComboBox. You didn't post a complete enough sample for anyone else to know which is the correct answer, so you'll have to debug that yourself. Start by putting a breakpoint on the method to determine whether it's being called at all.
Second, I question this whole strategy of using a hashed value to ensure against someone changing the value. If they have access to the database and can modify its elements, they have everything they need. Hashing sensitive information is only useful when you can assume that the stored hash itself cannot be modified and you want to require someone else to provide some data (such as a password) which only they know, so that you can hash that data and compare it to the stored hash. And of course this only works when using a secure hash.
Without salt, if I'm an attacker, and I have access to the database, and I want to change one user's type to something different, all I need to do is copy the value I find in some other user of the same type that I want to change it to. Here you salt, but even that doesn't help, if as the attacker I'm aware of the salt being used and the hash algorithm (both pieces of information you've provided here); I can just generate the hash from scratch at will.
If you want the database secure against changes, you need to not let attackers change it in the first place.
这篇关于删除存储为数据库中散列的组合框项目c#的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
