插入数据库时​​哈希加密密码 [英] Hash encrypting password when inserting into database

问题描述

我正在为学校做一个应用程序，并且在将密码插入我的用户数据库时需要帮助。我使用c＃编程语言进行编程，并且正在使用MS服务器2008 R2来操纵我的数据库。我正在考虑做一个HASH加密，如果有人帮助我，我会爱上它。

这是我的代码，用于将数据插入数据库：

  using SqlConnection con = new SqlConnection（Data Source = HRC0; Initial Catalog = users; Integrated Security = True））// MLHIDE 
 using（SqlCommand sc = new SqlCommand（if not NOT exists（select * from users where UserName （@username，@password），con））
 {
 con.Open（）; 
 sc.Parameters.AddWithValue（@ username，korisnik.Text）; 
 sc.Parameters.AddWithValue（@ password，pass.Text）; 
 int o = sc.ExecuteNonQuery（）; 
 if（o == -1）
 {
 MessageBox.Show（Ulaz.Properties.Resources.Niste_ubačeni_u_bazi_korisničk）; 
 this.Hide（）; 
 new Registracija（）。Show（）; 
} 
 else 
 {
 MessageBox.Show（Ulaz.Properties.Resources.Ubačeni_ste_u_bazi）; 
 con.Close（）; 
 this.Hide（）; 
 new Form1（）.Show（）; 
 
 
  

以下是我的登录检查代码：

pre $ SqlConnection con = new SqlConnection（Data Source = HRC0; Initial Catalog = users; Integrated Security = True）;
SqlCommand cmd = new SqlCommand（select * from users where userName ='+ user.Text +'and password ='+ pass.Text +'，con）; // MLHIDE
con.Open（）;
SqlDataReader re = cmd.ExecuteReader（）;

if（re.Read（））
{
ImeUsera = user.Text;
new UserMode（）。Show（）;
this.Hide（）;
}
else
{
this.Hide（）;
new LoginFail（）。Show（）;
}
}


我使用了一些多语言附加组件，所以他把我的字符串转换成''Ulaz.Properties.Resources。''和simmilar。

解决方案

使用这样的函数
$ b $ pre $私有字符串GetHashedText（字符串inputData）
{
byte [] tmpSource;
byte [] tmpData;
tmpSource = ASCIIEncoding.ASCII.GetBytes（inputData）;
tmpData = new MD5CryptoServiceProvider（）。ComputeHash（tmpSource）;
return Convert.ToBase64String（tmpData）;
}

并适用于您的用户输入。然后将结果存储在数据库中。在登录时，你将哈希函数重新应用到输入的密码，并检查结果与存储值。

因此，在你写入的代码中，你可以写入

  sc.Parameters.AddWithValue（@ password，GetHashedText（pass.Text））; 
  

并在您的支票中

  .... 
 SqlCommand cmd = new SqlCommand（select * from users where userName = @ user and password = @ pass，con）; 
 con.Open（）; 
 cmd.Parameters.AddWithValue（@ user，user.Text）; 
 cmd.Parameters.AddWithValue（@ pass，GetHashedText（pass.Text））; 
 SqlDataReader re = cmd.ExecuteReader（）; 
 if（re.Read（））
 ..... 
  

请记住，哈希是不可逆的，因此您无法从哈希文本中检索原始密码。将Hash函数应用于文本并将其存储为base64字符串。如果您的用户忘记密码，则需要将其重置为已知值。没有办法告诉他原来的密码。

顺便说一下，为什么在你的检查中不像你在插入代码中那样使用参数？切勿使用字符串连接来构建SQL查询。即使你急于完成工作

I'm doing an application for school and I'm in need of help in encrypting passwords when inserting them into my users database.I'm programming in c# programming language and i'm using MS server 2008 R2 for manipulating my database. I'm thinking of doing a HASH encryption and I would love if someone helped me out.

Here's my code for inserting data into database :

using (SqlConnection con = new SqlConnection("Data Source=HRC0;Initial Catalog=users;Integrated Security=True")) //MLHIDE
        using (SqlCommand sc = new SqlCommand("if NOT exists (select * from users where UserName = @username) insert into users (userName, password) values(@userName, @password)", con)) 
        {
            con.Open();
            sc.Parameters.AddWithValue("@username", korisnik.Text); 
            sc.Parameters.AddWithValue("@password", pass.Text);   
            int o = sc.ExecuteNonQuery();
            if (o == -1)
            {
                MessageBox.Show(Ulaz.Properties.Resources.Niste_ubačeni_u_bazi_korisničk);
                this.Hide();
                new Registracija().Show();
            }
            else 
            {
                MessageBox.Show(Ulaz.Properties.Resources.Ubačeni_ste_u_bazi);
                con.Close();
                this.Hide();
                new Form1().Show();

             }

and here's my code for login check :

SqlConnection con = new SqlConnection("Data Source=HRC0;Initial Catalog=users;Integrated Security=True");
        SqlCommand cmd = new SqlCommand("select * from users where userName='" + user.Text + "' and password='" + pass.Text + "'", con); //MLHIDE
        con.Open();
        SqlDataReader re = cmd.ExecuteReader();

        if (re.Read())
        {
            ImeUsera = user.Text;
            new UserMode().Show();
            this.Hide();
        }
           else
            {
                this.Hide();
                new LoginFail().Show();
            }
        }

I used some Multi-Language add-on so he converted my strings into ''Ulaz.Properties.Resources.'' and simmilar.

解决方案

To hash a string of text you could use a function like this

private string GetHashedText(string inputData)
{ 
    byte[] tmpSource;
    byte[] tmpData;
    tmpSource = ASCIIEncoding.ASCII.GetBytes(inputData);
    tmpData = new MD5CryptoServiceProvider().ComputeHash(tmpSource);
    return Convert.ToBase64String(tmpData);
}

and apply to your user input. Then store the result in the database. At login you reapply the hash function to the typed password and check the result against the stored value.

So in your insert code you write

 sc.Parameters.AddWithValue("@password", GetHashedText(pass.Text));   

and in your check

 ....
 SqlCommand cmd = new SqlCommand("select * from users where userName=@user and password=@pass", con);
 con.Open();
 cmd.Parameters.AddWithValue("@user",user.Text);
 cmd.Parameters.AddWithValue("@pass", GetHashedText(pass.Text));
 SqlDataReader re = cmd.ExecuteReader();
 if (re.Read())
 .....

Remember that Hashing is not reversible, so you cannot retrieve the original password from the hashed text. You apply the Hash function to your text and store it as a base64 string. If your user forgets the password, you need to reset it to a known value. There is no way to tell him the original password.

By the way, why in your check you don't use parameters as you do in the insert code? Never use string concatenation to build sql queries. Even if you're in a hurry to finish the job

这篇关于插入数据库时​​哈希加密密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！