How to salt and hash a password
The code below allows a user to enter a user name and password to log in and enter students' marks. The SQL data reader verifies the user credentials from the database before authentication takes place. I would be grateful if someone could modify the code by salting and hashing the password.
```vbnet
' The form-level fields cn (SqlConnection), cmd (SqlCommand), dr1 (SqlDataReader)
' and ctr (Integer) are declared elsewhere in the form; the Sub header below is
' assumed, since the post omits it.
Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
    Dim frm As New MarksEntryFrm
    Dim flag As Boolean
    flag = False
    If cboForm.Text = "" Or cboAcadYear.Text = "" Or cboSubjCode.Text = "" Or txtUserName.Text = "" Or txtPassword.Text = "" Then
        MessageBox.Show("None of the fields can be left blank", "Blank fields", MessageBoxButtons.OK, MessageBoxIcon.Error)
    Else
        ' The query text is built by string concatenation, so the user-supplied
        ' values become part of the SQL itself, and the plaintext password is
        ' compared directly against the stored Password column.
        cmd = New SqlCommand("Select a.Form,a.AcademicYear,b.SubjectID,b.UserID,b.Password,c.Term from StudentDetails.Programmes a, StudentDetails.Subjects b,RegistrationDetails.Registration c where b.SubjectID='" & cboSubjCode.SelectedItem & "' and b.UserID='" & txtUserName.Text & "' and b.Password='" & txtPassword.Text & "' collate Latin1_General_CS_AS", cn)
        ' These two parameters are never referenced by the query text above, so
        ' they do not protect against SQL injection; the comparison still runs
        ' on the concatenated string.
        cmd.Parameters.AddWithValue("@UserID", txtUserName.Text)
        cmd.Parameters.AddWithValue("@Password", txtPassword.Text)
        dr1 = cmd.ExecuteReader
        ctr = ctr + 1
        If dr1.Read Then
            frm.Show()
            ctr = 0
            Hide()
        ElseIf ctr < 3 Then
            MessageBox.Show("Incorrect Subject Code, User Name or Password. Please try again.", "Wrong data entered", MessageBoxButtons.OK, MessageBoxIcon.Asterisk)
        Else
            MsgBox("Unauthorized access. Aborting...")
            Close()
        End If
        dr1.Close()
    End If
End Sub
```
Comments (3)
P.S. Akaglo, a better way to check if any fields were left empty is to use the String.IsNullOrEmpty() method. Your method will not detect any null or space characters.
Use a parametrized query
In the .NET membership providers you will get hashing and seeding given by the .NET library, which should be implemented correctly. This IMHO is much to be preferred to rolling your own solution. There is an introduction to membership here.

If you prefer to make your own implementation, the seeding and hashing part is not overtly complex. The seeding could be as simple as adding a random string to the original password prior to hashing it. You then store the hash and the seed in the database. When the user provides the password you then simply re-add the seed and compare the hashes. Note that when you make random strings for cryptographic purposes you should not rely on Random, but rather go for some cryptographically secure random generator. The System.Security.Cryptography namespace also contains implementations of many suitable hashing algorithms (SHA1, SHA256 or similar). Again: in my opinion you should go for a solution using the SqlMembershipProvider to avoid reimplementing security critical stuff.
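The following is an added example, written for this page rather than taken from the asker's code or from any answerer, that shows what the question and the last answer describe in working VB.NET: a salt from a cryptographically secure generator (not Random), a hash derived with System.Security.Cryptography, both stored in the database instead of the password, and a login check that re-applies the stored salt and compares hashes, with the lookup done through a parameterized SqlCommand so no user input is concatenated into the SQL text. It assumes two columns, PasswordHash and PasswordSalt (VARBINARY), in StudentDetails.Subjects, an open SqlConnection cn, and the function and parameter names used here; none of these come from the page. It uses the three-argument Rfc2898DeriveBytes constructor (PBKDF2 over HMAC-SHA1) because that overload exists on every .NET Framework version; newer frameworks offer an overload taking HashAlgorithmName.SHA256.

```vbnet
' Added example: salted, iterated password hashing plus a parameterized lookup.
' Column names, the connection "cn" and all function names are assumptions.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module PasswordHashing
    ' PBKDF2 work factor; raise it over time as hardware gets faster.
    Private Const Iterations As Integer = 100000
    Private Const SaltBytes As Integer = 16
    Private Const HashBytes As Integer = 32

    ' Salt from a cryptographically secure generator, never System.Random.
    Public Function NewSalt() As Byte()
        Dim salt(SaltBytes - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return salt
    End Function

    ' Derive the stored hash from password + salt with PBKDF2 (Rfc2898DeriveBytes).
    Public Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Compare two hashes without stopping at the first differing byte, so the
    ' comparison time does not leak how much of the hash matched.
    Public Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Store a credential: only the salt and the hash reach the database.
    Public Sub SetPassword(cn As SqlConnection, subjectId As String, userId As String, password As String)
        Dim salt As Byte() = NewSalt()
        Dim hash As Byte() = HashPassword(password, salt)
        Using cmd As New SqlCommand( _
            "UPDATE StudentDetails.Subjects SET PasswordHash = @Hash, PasswordSalt = @Salt " & _
            "WHERE SubjectID = @SubjectID AND UserID = @UserID", cn)
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashBytes).Value = hash
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltBytes).Value = salt
            cmd.Parameters.Add("@SubjectID", SqlDbType.NVarChar, 50).Value = subjectId
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value = userId
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' Verify a login: fetch salt + hash by key, recompute, compare in fixed time.
    ' The password itself never appears in the SQL text.
    Public Function VerifyPassword(cn As SqlConnection, subjectId As String, userId As String, password As String) As Boolean
        Using cmd As New SqlCommand( _
            "SELECT PasswordHash, PasswordSalt FROM StudentDetails.Subjects " & _
            "WHERE SubjectID = @SubjectID AND UserID = @UserID COLLATE Latin1_General_CS_AS", cn)
            cmd.Parameters.Add("@SubjectID", SqlDbType.NVarChar, 50).Value = subjectId
            cmd.Parameters.Add("@UserID", SqlDbType.NVarChar, 50).Value = userId
            Using dr As SqlDataReader = cmd.ExecuteReader()
                ' Unknown user and wrong password give the same answer to the caller.
                If Not dr.Read() Then Return False
                Dim storedHash As Byte() = CType(dr("PasswordHash"), Byte())
                Dim storedSalt As Byte() = CType(dr("PasswordSalt"), Byte())
                Return FixedTimeEquals(storedHash, HashPassword(password, storedSalt))
            End Using
        End Using
    End Function
End Module
```

In the login handler from the question, the concatenated SqlCommand and the dr1.Read check would be replaced by a single call such as VerifyPassword(cn, cboSubjCode.SelectedItem.ToString(), txtUserName.Text, txtPassword.Text), keeping the existing attempt counter around it. Existing rows that still hold plaintext passwords have to be converted once with SetPassword (for example at the user's next successful login) before the Password column is dropped, since the hash cannot be computed from the database side without the original password.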