How do I change a password in a SQL Server 12 database using VB.NET?


Problem description


Greetings to all,

I am working on changing a password (updating), Well my assumptions for this form are:

1. Staff can change his/her password.
2. They can change their security question and answer (Security answer is optional, if they provides then I have to update both question and answer.)

Depending upon the user's input I need to change the details of user (However, password field has to be changed when the user submits the details.)

Problem that I am facing:

The compiler is showing no error however the database is not updated after the execution of code.

Please let me know where I have mistaken.

Thanks in advance

What I have tried:

Private Sub btnChange_Click(sender As Object, e As EventArgs) Handles btnChange.Click
    '   THIS CODE IS FOR CHANGING THE PASSWORD
    ' The SQL below is still built by concatenating textbox values (the injection
    ' problem the answer describes); it is left as posted so that point stays visible.
    Dim dt As New DataTable()   ' a new table per click: Fill() appends rows to a reused one
    Dim i As Integer = 0
    Try
        con.Open()
        ' AND binds tighter than OR, so this reads
        ' Userid = x OR (Username = y AND Category = z AND Password = p):
        ' a matching Userid alone passes, whatever the current password is.
        cmd = New SqlClient.SqlCommand("SELECT * FROM Login WHERE Userid = '" & txtUserID.Text.Trim & "' OR Username ='" & txtUsername.Text.Trim & "' AND Category = '" & cbCategory.Text & "' AND Password = '" & txtCurrentPass.Text & "'", con)
        Dim sda As New SqlDataAdapter(cmd)
        sda.Fill(dt)
        If dt.Rows.Count > 0 Then
            ' Both UPDATEs write txtCurrentPass back into Password, the value the row
            ' already holds, so the statement succeeds but nothing visibly changes.
            If txtSecurityAns.Text <> "" Then
                Using cmd As New SqlClient.SqlCommand("UPDATE Login SET Password = '" & txtCurrentPass.Text.Trim & "' , Security_Question = '" & cbSecurityQue.Text & "', Security_Answer = '" & txtSecurityAns.Text.Trim & "' WHERE UserID = '" & txtUserID.Text.Trim & "' OR Username = '" & txtUsername.Text.Trim & "'", con)
                    i = cmd.ExecuteNonQuery()
                    MsgBox(i)
                End Using
            Else
                Using cmd As New SqlClient.SqlCommand("UPDATE Login SET Password = '" & txtCurrentPass.Text.Trim & "' WHERE UserID = '" & txtUserID.Text.Trim & "' OR Username = '" & txtUsername.Text.Trim & "'", con)
                    i = cmd.ExecuteNonQuery()
                End Using
            End If

            If (i > 0) Then
                MsgBox("Password successfully changed!", vbInformation, "Change Password")
            Else
                MsgBox("Please enter correct details to change your password!", vbInformation, "Error")
            End If
        End If
    Catch ex As Exception
        MsgBox("Error: " & ex.Message)   ' show the real exception instead of a bare "Error"
    Finally
        ' Close only. Dispose() releases the shared connection object, so calling Close()
        ' after it and reopening it on the next click is unreliable; a Finally block
        ' also makes sure the connection is closed when an exception is thrown.
        If con.State <> ConnectionState.Closed Then con.Close()
    End Try
End Sub

Recommended answer

There's so much wrong with this, where do I begin...

First, without worrying about the problem that your code doesn't work, you have a couple of even bigger problems. The first is the security of your database. Since you decided to use string concatenation to build your SQL queries and you are using the values in textboxes with no validation whatsoever, you've opened yourself up to SQL Injection attacks. With a carefully crafted response in any of those textboxes I can destroy your database. Google for "SQL Injection Attack" for discussion on why what you're doing is so bad.

Next, Google for "VB.NET SQL parameterized queries" to find out how to fix this problem.

Second, you're storing user passwords in clear text. Given that you didn't secure your database at all, you've opened up your clients' passwords to being stolen. Since you didn't cryptographically hash these passwords you're giving the keys to your users' kingdoms away to the enemy. I urge you to read Salted Password Hashing - Doing it Right (http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right) before you even think of continuing your project.
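Putting the two fixes from the answer together, below is an added example of the same change-password handler written with parameterized queries and salted PBKDF2 hashing. It is not the asker's code and not part of the original answer. It assumes the Login table has been altered to hold PasswordHash and PasswordSalt columns (base64 text) in place of the clear-text Password column, that the form has a txtNewPass textbox for the new password, that `con` is the form-level SqlConnection the posted code uses, and that the project targets .NET Framework 4.7.2 or later (or .NET Core 2.0+) for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

' Added example, not the asker's code. Assumed schema: Login(UserID, PasswordHash,
' PasswordSalt, Security_Question, Security_Answer) with hash and salt stored as base64.
Public Class PasswordStore
    Private Const SaltBytes As Integer = 16
    Private Const HashBytes As Integer = 32
    Private Const Iterations As Integer = 100000

    ' PBKDF2-HMAC-SHA256. The HashAlgorithmName overload needs .NET Framework 4.7.2+ / .NET Core 2.0+.
    Public Shared Function Hash(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' A fresh random salt per password, so equal passwords never share a hash.
    Public Shared Function NewSalt() As Byte()
        Dim salt(SaltBytes - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return salt
    End Function

    ' Compare every byte so the time taken does not reveal how many bytes matched.
    Public Shared Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
End Class

' In the form class. txtNewPass is an assumed textbox; con is the form's SqlConnection.
Private Sub btnChange_Click(sender As Object, e As EventArgs) Handles btnChange.Click
    Dim userId As String = txtUserID.Text.Trim()
    Dim newPass As String = txtNewPass.Text
    If newPass.Length < 12 Then
        MsgBox("The new password must be at least 12 characters.", vbInformation, "Change Password")
        Return
    End If
    Try
        con.Open()
        ' 1. Fetch hash and salt for exactly one account; the password is NOT in the WHERE clause.
        Dim storedHash As Byte() = Nothing, salt As Byte() = Nothing
        Using cmd As New SqlCommand("SELECT PasswordHash, PasswordSalt FROM Login WHERE UserID = @uid", con)
            cmd.Parameters.Add("@uid", SqlDbType.NVarChar, 50).Value = userId
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                If rdr.Read() Then
                    storedHash = Convert.FromBase64String(rdr.GetString(0))
                    salt = Convert.FromBase64String(rdr.GetString(1))
                End If
            End Using
        End Using
        ' 2. Verify the current password in code, with a constant-time comparison.
        If salt Is Nothing OrElse Not PasswordStore.FixedTimeEquals(storedHash, PasswordStore.Hash(txtCurrentPass.Text, salt)) Then
            MsgBox("Please enter correct details to change your password!", vbInformation, "Error")
            Return
        End If
        ' 3. Re-salt and re-hash; only constant SQL text is concatenated, every value is a parameter.
        Dim newSalt As Byte() = PasswordStore.NewSalt()
        Dim updateAnswer As Boolean = txtSecurityAns.Text.Trim() <> ""
        Dim sql As String = "UPDATE Login SET PasswordHash = @hash, PasswordSalt = @salt" &
                            If(updateAnswer, ", Security_Question = @q, Security_Answer = @a", "") &
                            " WHERE UserID = @uid"
        Using cmd As New SqlCommand(sql, con)
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 64).Value = Convert.ToBase64String(PasswordStore.Hash(newPass, newSalt))
            cmd.Parameters.Add("@salt", SqlDbType.NVarChar, 64).Value = Convert.ToBase64String(newSalt)
            cmd.Parameters.Add("@uid", SqlDbType.NVarChar, 50).Value = userId
            If updateAnswer Then
                cmd.Parameters.Add("@q", SqlDbType.NVarChar, 200).Value = cbSecurityQue.Text
                cmd.Parameters.Add("@a", SqlDbType.NVarChar, 200).Value = txtSecurityAns.Text.Trim()
            End If
            If cmd.ExecuteNonQuery() = 1 Then
                MsgBox("Password successfully changed!", vbInformation, "Change Password")
            Else
                MsgBox("Please enter correct details to change your password!", vbInformation, "Error")
            End If
        End Using
    Catch ex As Exception
        MsgBox("Error: " & ex.Message)
    Finally
        If con.State <> ConnectionState.Closed Then con.Close()
    End Try
End Sub
```

The login form has to verify passwords the same way (fetch hash and salt by UserID, recompute with PasswordStore.Hash, compare with FixedTimeEquals), and the existing clear-text values need a one-time migration that hashes each row and then drops the old Password column. Note that the row is selected by UserID alone: the posted `UserID = x OR Username = y` could update two different accounts at once. The security answer is itself a secret and deserves the same hashing treatment; it is left in clear text here only to keep the example close to the original form.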

