登录错误未编码正确的错误消息 [英] Login Error not coded right for Error message
本文介绍了登录错误未编码正确的错误消息的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个登录页面,当您输入错误的密码时会触发错误按钮。当用户输入错误的用户名和密码时,如何才能触发?
I have a Login page that has an error massage that fires when you enter the wrong password. How can I get it to fire when the user enters the wrong username and password?
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "select count(*) from TableTrue where EmailAddress='" + TextBoxEA.Text + "'";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from TableTrue", con);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
if (temp == 1)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid Username/Password!!!')", true);
}
}
}
推荐答案
整个方法都是错误的。您无法确定脚本中的身份验证数据是否正确。您正在考虑在客户端进行此操作,但客户端的所有内容都可供所有用户访问,因此您的身份验证可以立即伪造。
首先,理想情况下,您应该在HTTPS页面上进行身份验证,从而利用TLS:
http://en.wikipedia .org / wiki / HTTPS [ ^ ],
http://en.wikipedia.org/wiki/Transport_Layer_Security [ ^ ]。
更多重要的是,不仅不应该在客户端加载密码,也不应该将密码存储在任何地方,甚至不应该存储在服务器端。这绝对不需要身份验证,绝对不安全。不同意,惊讶?看看我过去对这个主题的回答:
我已经加密了我的密码但是当我登录时在它给我一个错误。如何解密 [ ^ ] ,
解密加密密码 [ ^ ],
存储密码值int sql server with secure方式 [ ^ ],
使用用户名和密码进行TCP连接 [ ^ ]。
这些答案应该向您解释为什么需要使用密码的加密哈希函数: http://en.wikipedia.org/wiki/Cryptographic_hash_function [ ^ ]。
-SA
The whole approach is wrong. You cannot determine if authentication data is correct in script. You are thinking like doing it on the client side, but everything on client side is accessible to all users, so your authentication can be faked in no time.
First, ideally, you should do authentication on a HTTPS page and thus leverage TLS:
http://en.wikipedia.org/wiki/HTTPS[^],
http://en.wikipedia.org/wiki/Transport_Layer_Security[^].
More importantly, not only the password should never be loaded on the client side, it should not be stored anywhere at all, not even on the server side. This is absolutely not needed for authentication and would be absolutely unsafe. Disagree, surprised? The see my past answers on the topic:
i already encrypt my password but when i log in it gives me an error. how can decrypte it[^],
Decryption of Encrypted Password[^],
storing password value int sql server with secure way[^],
TCP Connection with username and password[^].
These answers should explain to you why you need to use cryptographic hash function of a password: http://en.wikipedia.org/wiki/Cryptographic_hash_function[^].
—SA
您可以将查询更改为:
You could change your query to this:
string cmdStr = "select count(*) from TableTrue where EmailAddress='" + TextBoxEA.Text + "' and INST_ID = " + TextBoxINST_ID.Text + "";
我只提供了这段代码以便于理解。您应该使用参数化查询来避免SQL注入。尽管如此,此查询将检查用户名和密码,并且仅在两个实例都满足时才返回数据。
I only provided this code for ease of understanding. You should really be using parameterized queries to avoid SQL injection. Nonetheless, this query will check both user name and password and will only return data if both instances are satisfied.
您的代码和解决方案2帮助我识别另一个问题,同样对安全性也是致命的。我在谈论通过串联从UI获取的字符串组成的查询。不仅重复的字符串连接是低效的(因为字符串是不可变的;我是否必须解释为什么它会使重复连接变坏?),但是有更重要的问题:它打开了通向良好的大门已知的漏洞称为 SQL注入。
这是它的工作原理: http://xkcd.com/327 [ ^ ]。< br $> b $ b
怎么办?只需阅读有关此问题和主要补救措施:参数化语句: http://en.wikipedia.org/ wiki / SQL_injection [ ^ ]。
使用ADO.NET,请使用: http:// msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。
请查看我过去的答案以获取更多详细信息:
EROR IN com.ExecuteNonQuery(); [ ^ ],
hi name没有显示在名称中? [ ^ ]。
-SA
Your code and Solution 2 helped me to identify one more problem, also fatal to security. I'm talking about the query composed by concatenation with strings taken from UI. Not only repeated string concatenation is inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is way more important issue: it opens the doors to a well-known exploit called SQL injection.
This is how it works: http://xkcd.com/327[^].
What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection[^].
With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].
Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].
—SA
这篇关于登录错误未编码正确的错误消息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
