如何使用SQLSERVER 2005停止ASP.NET绕过登录 [英] How to stop ASP.NET bypass login using SQLSERVER 2005
问题描述
如何停止从asp.net登录页面绕过登录。我使用过sql server 2005和.net framework 3.5,并使用C#语言。我已经从数据库检查了登录ID和密码。如果lofin id和密码正确,那么用户可以登录并可以使用该应用程序。但我的问题是,当我的朋友在登录字段中输入任何登录ID并在密码字段中输入内容时,他成功登录并可以使用该应用程序。后来我知道它是旁路登录。我想停止旁路登录。任何人都可以帮助我....
您可以在登录时检查数据库是否存在提供的用户名和密码。如果找不到,请撤销访问权限。
SqlConnection conn = new SqlConnection();
conn.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings [ 您的连接字符串名称 ] .ConnectionString;
conn.Open();
SqlCommand cmd = new SqlCommand( 选择uname,pswd from table其中uname = @id和pswd = @password,conn);
cmd.Parameters.Add( new SqlParameter( @id, id here here));
cmd.Parameters.Add( new SqlParameter( @password, 这里的密码));
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
// 找到的用户名和密码。用户存在。
}
else
{
// 找不到用户名或密码。显示错误消息。
Response.Write( < script type ='text / javascript'>);
Response.Write( alert('Invalid Credentials。'););
Response.Write( < / script>);
}
无法绕过您的身份验证过程。而不是你必须提供适当的安全性,如
1.客户端和服务器端验证 - 限制无效数据输入
2.防止HTML ,SQL注入
3.数据库调用检查 - 使用您的数据库值验证用户的信息(id和密码?),然后允许访问您的应用程序,如果请求的用户的ID和密码是与DB匹配。
4.应用加密 - 以加密格式存储用户ID和密码,这样就没有人可以破坏安全性。
谢谢
How to stop Bypass Login from asp.net login page. I have used sql server 2005 and .net framework 3.5, and using C# language. I have checked login id and password from database.If lofin id and password is correct then user can logged in and can use the application. But my question is that,when my friend entered anything login id in login field and entered something in password field, and he successfully logges in and can use the application.Later I knew that its a bypass login.I want to stop the bypass login. Anyone can help me please....
[Edit: Shouting Removed]
You can check database at login time for provided username and password existance.If it doesnt find the one,revoke the access.
SqlConnection conn = new SqlConnection(); conn.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["your connection string name"].ConnectionString; conn.Open(); SqlCommand cmd = new SqlCommand("Select uname, pswd from table where uname = @id and pswd = @password ", conn); cmd.Parameters.Add(new SqlParameter("@id", "id here")); cmd.Parameters.Add(new SqlParameter("@password", "password here")); SqlDataReader dr = cmd.ExecuteReader(); if(dr.Read()) { //Username and password found.User exists. } else { //Username or password not found.Throw error message. Response.Write("<script type='text/javascript'>"); Response.Write("alert('Invalid Credentials.');"); Response.Write("</script>"); }
This is not possible to bypass your authentication process. instead of you have to provide proper security like
1. Client and server side validation - to restrict invalid data entry
2. Prevent HTML, SQL injection
3. Database call check - verify user''s information (id and password?) with your database value and then allow access to your application if requested user''s id and password is match with DB.
4. Apply encryption - Store user id and password in encrypted format so no one can break security.
Thanks
这篇关于如何使用SQLSERVER 2005停止ASP.NET绕过登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
