Actually I'm creating an encrypted login form; everything works fine, the only problem is that I'm not able to retrieve the salt and hash value from my database table


Problem description

Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

' The Imports and the class header were not in the posted snippet; the form
' class name is assumed. DBConnection is a SqlConnection field of the form.
Public Class LoginForm

    Private Sub b2_Click(sender As Object, e As EventArgs) Handles b2.Click
        Try
            ' Input checks
            If t1.Text = Nothing Then
                MsgBox("You must enter the username ", Microsoft.VisualBasic.MsgBoxStyle.Exclamation, "Error")
            End If
            If t2.Text = Nothing Then
                MsgBox("You must enter the Password ", Microsoft.VisualBasic.MsgBoxStyle.Exclamation, "Error")
            End If

            Dim rndsalt1 As String
            Dim hashcheck As String
            Dim pwd As String = t2.Text

            ' Look up the stored salt and hash; the query text is built by string concatenation
            DBConnection.Open()
            Dim abc As String = "select Rand_Salt,Hash_Code from pwdTable where UserName Like  ' %" & t1.Text & "';"
            Dim cmd As SqlCommand = New SqlCommand(abc, DBConnection)
            Dim dr As SqlDataReader = cmd.ExecuteReader
            If dr.Read() Then
                ' Columns are read by ordinal here
                rndsalt1 = dr(1).ToString()
                hashcheck = dr(2).ToString()
            End If
            DBConnection.Close()

            ' Recompute SHA-256 over password + salt and Base64-encode it
            Dim passstr As String = pwd + rndsalt1
            Dim bytes = Encoding.UTF8.GetBytes(passstr)
            Dim bpass As Byte()
            Dim hash As HashAlgorithm = New SHA256Managed()
            bpass = hash.ComputeHash(bytes)
            Dim storehash As String = Convert.ToBase64String(bpass)

            ' Compare with the stored hash (note: both branches currently report success)
            If storehash = hashcheck Then
                MessageBox.Show("Login successful !!!!")
            Else
                MessageBox.Show("Logged in successful ")
            End If
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub

End Class

What I have tried:

Firstly, I tried the DataAdapter class to retrieve the values, and also tried using an SQL command to retrieve the values, but none of these succeeded; also, while running the code there is no error.

Recommended answer

Several things you need to look at.

The first is seriously important: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use parameterized queries instead. This is even more important when it's a login form, as it means I don't even have to have a username to delete your database...

Second, comparing a TextBox.Text property with Nothing will always return false: it returns a string, which may be empty, but never Nothing. Use String.IsNullOrWhiteSpace instead.

Third, your SQL LIKE clause will only match wildcards at the start - it needs an absolute match at the end. For "contains" you need a percent character at each end. But... is a wildcard applicable at all to a login username? I doubt it myself...

Fourth, don't store the salt value with the hash and the username! Instead, use the username as the salt value, probably with a fixed "separator" character that can't be used in either the username or the password.

Fifth, don't use numeric indexes for your DataReader access - since they start at zero, not one, you won't get back what you want. Using the column name instead of the number avoids that, even if you later change the SQL statement.
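As an added example (not the asker's code and not the answerer's), here is how the lookup-and-verify step of the click handler could be rewritten along the lines of points one, two, three and five above: a parameterized exact-match query instead of a concatenated LIKE, String.IsNullOrWhiteSpace for the input checks, column names instead of ordinals on the reader, and a comparison of the recomputed hash that does not stop at the first differing character. It keeps the poster's storage scheme (Hash_Code = Base64 of SHA-256 over password followed by Rand_Salt, both in pwdTable) so that rows already in the table still verify; the parameter length of 50 and the connection string are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Imports System.Text

' Added example, not the original poster's code. Assumes the poster's table
' pwdTable(UserName, Rand_Salt, Hash_Code) where Hash_Code is
' Base64(SHA-256(UTF-8(password & salt))), exactly as the posted code computes it.
Public Module LoginCheck

    ' Computes the stored-hash form used by the posted code.
    Public Function ComputeHash(password As String, salt As String) As String
        Using sha As SHA256 = SHA256.Create()
            Dim bytes As Byte() = Encoding.UTF8.GetBytes(password & salt)
            Return Convert.ToBase64String(sha.ComputeHash(bytes))
        End Using
    End Function

    ' Compares two strings without returning early on the first differing
    ' character, so the comparison time does not reveal how many leading
    ' characters of the stored hash a guess has matched.
    ' (CryptographicOperations.FixedTimeEquals does this on .NET Core 2.1 and
    ' later, but is not available on .NET Framework, which SHA256Managed suggests.)
    Private Function FixedTimeEquals(a As String, b As String) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (AscW(a(i)) Xor AscW(b(i)))
        Next
        Return diff = 0
    End Function

    ' Returns True only when a row for exactly this user name exists and the
    ' recomputed hash matches the stored one. connectionString is assumed to be
    ' a valid SQL Server connection string (it is not part of the original post).
    Public Function VerifyLogin(connectionString As String, userName As String, password As String) As Boolean
        ' Point two: Text is never Nothing, so test for empty or whitespace instead.
        If String.IsNullOrWhiteSpace(userName) OrElse String.IsNullOrWhiteSpace(password) Then
            Return False
        End If

        Dim storedSalt As String = Nothing
        Dim storedHash As String = Nothing

        Using conn As New SqlConnection(connectionString)
            ' Points one and three: a parameter instead of string concatenation,
            ' and an exact match (=) instead of LIKE with a wildcard.
            Const sql As String = "SELECT Rand_Salt, Hash_Code FROM pwdTable WHERE UserName = @UserName;"
            Using cmd As New SqlCommand(sql, conn)
                ' Explicit type and length; 50 is an assumed column size.
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Using dr As SqlDataReader = cmd.ExecuteReader()
                    If Not dr.Read() Then
                        Return False   ' unknown user
                    End If
                    ' Point five: access columns by name, not by ordinal.
                    storedSalt = dr("Rand_Salt").ToString()
                    storedHash = dr("Hash_Code").ToString()
                End Using
            End Using
        End Using

        Return FixedTimeEquals(ComputeHash(password, storedSalt), storedHash)
    End Function

End Module
```

From b2_Click this becomes one call, `If LoginCheck.VerifyLogin(connStr, t1.Text, t2.Text) Then ... Else ...`, and the Else branch should report a failure (one generic "invalid user name or password" message for both an unknown user and a wrong password, so the form does not confirm which user names exist). Two caveats a practitioner would add: the early Return for an unknown user is still distinguishable from a wrong password by timing, and a single SHA-256 over password plus salt is fast to brute-force offline, so a slow password hash such as PBKDF2 (Rfc2898DeriveBytes in .NET) is the better choice when the storage format can be changed.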

