本文介绍了最佳登录做法的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在构建具有登录表单的本地应用程序.
我正在从数据库中检索用户名和密码.
I'm building a local application that has a login form.
I'm retrieving the Username and Password from a database.
从这里开始最安全的方法是什么,因为我可以做很多事情,我想知道一种方法是否比另一种更好.
What is the safest way to proceed from here because there are many things I can do and i'm wondering if one way is better than another one.
我可以直接从文本框中直接 SELECT :
I can simply SELECT directly from my textbox:
从Users_Table中选择用户ID和密码,其中用户ID ='"+ userIdTextBox.Text +"'AND密码='"+ passwordTextBox.Text +"'.
我可以
选择该表中的所有内容,然后将 SqlDataReader 与文本框进行比较.
I can SELECT everything from that table and then compare a SqlDataReader with the textbox.
SELECT UserId, Password FROM Users_Table`<br>
While (myReader.Read())
{
If (myReader["UserId"] == UserIdTextBox.Text && ...password)
{
}
}
还有很多其他方法可以做到这一点.最好/最安全的进行方式是什么?
And there are many other way to do it. What is the best/safest way to proceed ?
推荐答案
- 使用参数化查询,而不是哈希您的密码和盐来调味.
- 尝试登录时,将用户输入的哈希值与哈希密码进行比较.
- Use parameterized queries, not concatenated text as a SQL command.
- Hash your passwords and store the hashses. Add salt to taste.
- Upon a login attempt, compare the hash of the user-input to the hashed password.
基本上,在任何情况下,您都不应希望任何人(包括sysadmins)都知道密码本身的值.如果您牢记此规则进行设计和编码,并尝试不重新发明轮子,那将很好.如果您是手动创建密码,则可能应该为首次登录启用了必须更改密码"选项(感谢 ChrisShain ).
Basically, under no circumstances should you want anyone, including sysadmins, to possibly know the value of the password itself. If you design and code with this rule in mind, and try not to re-invent the wheel, you'll be fine. If you're manually creating passwords, then you should probably have a "must change password" option enabled for first logon (thanks, Chris Shain).
这篇关于最佳登录做法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
