How to compare encrypted password in database with newly entered password during login in VB.NET?
Problem description
I'm doing a registration and login form where I already encrypt the password when the user enters it in the registration phase. So for login I know that I need to compare the encrypted password in the database with the newly entered encrypted password during login. I don't know if I'm missing some code or I'm writing the wrong code. I know that this question has been asked a few times, but I hope I can get some help here.
Here is the code for the login button:
'Counts failed logins; the application exits after the third failure
Private LoginAttempts As Integer = 0

Private Sub SubmitButton4_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles SubmitButton4.Click
    'Check if username or password is empty
    If PasswordTextBox1.Text = "" Or UsernameTextBox2.Text = "" Then
        MessageBox.Show("Please fill-up all fields!", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
        'Clear all fields
        PasswordTextBox1.Text = ""
        UsernameTextBox2.Text = ""
        'Focus on Username field
        UsernameTextBox2.Focus()
    Else
        'Connect to DB
        Dim conn As New System.Data.OleDb.OleDbConnection()
        conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & "C:\Users\user1\Documents\Visual Studio 2010\Projects\Crypto\Crypto\crypto.accdb"
        Try
            'Open Database Connection
            conn.Open()
            'The (encrypted) username is spliced into the SQL text by string concatenation
            Dim sql As String = "SELECT Password FROM registration WHERE Username='" & Encrypt(UsernameTextBox2.Text) & "'"
            Dim cmd As New System.Data.OleDb.OleDbCommand(sql, conn)
            'ExecuteScalar returns the first column of the first row, or Nothing when no row matches.
            'Calling ExecuteReader first would leave an open reader on the command and make ExecuteScalar throw.
            Dim result As Object = cmd.ExecuteScalar()
            Dim password As String = ""
            If result IsNot Nothing Then password = result.ToString()
            'Compare the stored value with the encrypted form of the entered password
            If password <> "" AndAlso password = Encrypt(PasswordTextBox1.Text) Then
                PasswordTextBox1.Clear()
                UsernameTextBox2.Clear()
                'Focus on Username field
                UsernameTextBox2.Focus()
                Me.Hide()
                Mainpage.Show()
            Else
                LoginAttempts = LoginAttempts + 1
                If LoginAttempts >= 3 Then
                    End
                Else
                    'The user entered a wrong username or password
                    MessageBox.Show("Sorry, wrong username or password", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Error)
                    'Clear all fields
                    PasswordTextBox1.Text = ""
                    UsernameTextBox2.Text = ""
                    'Focus on Username field
                    UsernameTextBox2.Focus()
                End If
            End If
        Catch ex As Exception
            MessageBox.Show("Failed to connect to Database", "Database Connection Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
            'Clear all fields
            PasswordTextBox1.Text = ""
            UsernameTextBox2.Text = ""
        Finally
            'Always release the connection, whether or not the lookup succeeded
            conn.Close()
        End Try
    End If
End Sub
What I have tried:
I already found a solution at https://stackoverflow.com/questions/29032706/c-sharp-encrypted-login and tried to follow the code, but it still has an error.
Recommended answer
Not like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Always use parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
Have a look here: Password Storage: How to do it. - the code is in C# but it's pretty obvious, and this can convert it if you really can't understand it: Code Converter C# to VB and VB to C# – Telerik
And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.
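As an added example (not code from the question or the answer above), here is how the lookup and comparison could be written in VB.NET with a parameterized OLE DB query and a salted PBKDF2 hash instead of a reversible "Encrypt" value. It assumes a registration table with Username, Salt and PasswordHash columns (Base64 strings written at registration time), which the question's schema does not have.

```vbnet
Imports System.Data.OleDb
Imports System.Security.Cryptography

Module LoginCheck
    ' Assumed schema (not from the question): registration(Username, Salt, PasswordHash)
    ' Salt and PasswordHash are Base64 strings stored when the user registered.
    Private Const Iterations As Integer = 100000
    Private Const HashBytes As Integer = 32

    ' Derives a PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1) hash of the entered password with the stored salt.
    Public Function DeriveHash(ByVal password As String, ByVal salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Compares two hashes without stopping at the first differing byte,
    ' so the comparison time does not reveal how much of the hash matched.
    Public Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Looks up the user with a parameterized query and verifies the password.
    ' Returns False for an unknown user as well as for a wrong password.
    Public Function VerifyLogin(ByVal connStr As String, ByVal username As String, ByVal password As String) As Boolean
        Using conn As New OleDbConnection(connStr)
            conn.Open()
            ' OLE DB uses positional "?" placeholders; the username is passed as a value,
            ' never spliced into the SQL text, so quotes in it cannot change the command.
            Dim sql As String = "SELECT Salt, PasswordHash FROM registration WHERE Username = ?"
            Using cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.AddWithValue("@Username", username)
                Using reader As OleDbDataReader = cmd.ExecuteReader()
                    If Not reader.Read() Then Return False
                    Dim salt As Byte() = Convert.FromBase64String(reader.GetString(0))
                    Dim stored As Byte() = Convert.FromBase64String(reader.GetString(1))
                    Return FixedTimeEquals(stored, DeriveHash(password, salt))
                End Using
            End Using
        End Using
    End Function
End Module
```

At registration the same DeriveHash would be called with a fresh random salt (for example from RNGCryptoServiceProvider) and both values stored as Base64, so the login side never needs to decrypt anything.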