-1

在我的项目中,登录后的用户必须在登录时更改默认密码,并且该密码将存储在数据库中我想加密用户在更改密码页面中输入的密码并将其存储在数据库中重新登录该用户我想加密在登录页面中输入的密码并检查数据库中保存的密码或获取加密密码以进行解密并使用输入的密码检查解密密码我该怎么做我的更改密码代码是,

SqlConnection con = new SqlConnection(@"Data Source=ESLHPC17\SQL2008;Initial Catalog=Eval;User ID=;Password=");
try
{
    string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
    string qry = "Select Password from passtable";
    SqlCommand cmd = new SqlCommand(Qry, con);
    SqlCommand cmd1 = new SqlCommand(qry, con);
    con.Open();
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    SqlDataAdapter daa = new SqlDataAdapter(cmd1);
    DataTable dt = new DataTable();
    DataTable dtt = new DataTable();
    da.Fill(dt);
    daa.Fill(dtt);
    if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
    {
        string strqry = "Update Passtable Set Password='" + EncryptString(NewPassword.Text) + "'";
        SqlCommand comd = new SqlCommand(strqry, con);
        comd.ExecuteNonQuery();
        Label1.Visible = true;
        Button1.Visible = true;
        ChangeButton.Enabled = false;
    }
    else
    {
        lblMessage.Visible = true;
        lblMessage.ForeColor = System.Drawing.Color.Red;
        lblMessage.Text = "Current Password and Entered Password did not Match !!!";
    }
}
finally
{
  con.Close();
  con.Dispose();
}

带有 SQL INJECTION 检测的已编辑代码

using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["EvalCon"].ConnectionString)) 
{
    try
    {
        string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
        string qry = "Select Password from passtable";
        if (CurrentPassword.Text != "Select" && CurrentPassword.Text != "Create Table" && CurrentPassword.Text != "Update" && CurrentPassword.Text != "Delete" && CurrentPassword.Text != "Truncate" && CurrentPassword.Text != "Drop Table" && CurrentPassword.Text != "Insert" && CurrentPassword.Text != "@")
        {
            if (NewPassword.Text != "Select" && NewPassword.Text != "Create Table" && NewPassword.Text != "Update" && NewPassword.Text != "Delete" && NewPassword.Text != "Truncate" && NewPassword.Text != "Drop Table" && NewPassword.Text != "Insert" && NewPassword.Text != "@")
            {
                using (SqlCommand cmd = new SqlCommand(Qry, con))
                {
                    using (SqlCommand cmd1 = new SqlCommand(qry, con))
                    {
                        con.Open();
                        SqlDataAdapter da = new SqlDataAdapter(cmd);
                        SqlDataAdapter daa = new SqlDataAdapter(cmd1);
                        DataTable dt = new DataTable();
                        DataTable dtt = new DataTable();
                        da.Fill(dt);
                        daa.Fill(dtt);
                        if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
                        {
                            string strqry = "Update Passtable Set Password='" + NewPassword.Text + "'";
                            SqlCommand comd = new SqlCommand(strqry, con);
                            comd.ExecuteScalar()

                            Label1.Visible = true;
                            Button1.Visible = true;
                            ChangeButton.Enabled = false;
                        }
                        else
                        {
                            lblMessage.Visible = true;
                            lblMessage.ForeColor = System.Drawing.Color.Red;
                            lblMessage.Text = "Current Password and Entered Password did not Match !!!";
                        }
                    }
                }
            }
            else
            {
                lblMessage.Visible = true;
                lblMessage.ForeColor = System.Drawing.Color.Red;
                lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
                CurrentPassword.Enabled = false;
                NewPassword.Enabled = false;
                ConfirmNewPassword.Enabled = false;
            }
        }
        else
        {
            lblMessage.Visible = true;
            lblMessage.ForeColor = System.Drawing.Color.Red;
            lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
            CurrentPassword.Enabled = false;
            NewPassword.Enabled = false;
            ConfirmNewPassword.Enabled = false;
        }
    }
    finally
    {
        con.Close();
        con.Dispose();
    }
}
4

2 回答 2

4

永远不要使用用户输入附加到 SQL 文本。您的代码容易受到 SQL 注入的攻击。使用参数。立即阅读SQL 注入

  1. 不要在数据库中存储密码,即使是加密的。存储盐渍哈希。存储加密密码是一种安全错觉,因为您将获得解密密码所需的密钥管理错误。您还谈到比较加密密码,这又是错误的,这意味着您不知道如何在加密中正确使用随机 IV
  2. 学习使用using() {...}积木
  3. 学习使用 appsettings/websettings连接字符串
  4. 学会使用ExecuteScalar
于 2013-05-09T09:22:19.667 回答
0

您可以使用要检查 Text 时调用的类来简化 SQLSyntax 检查的检查。

class SQLSyntaxCheck
{
    internal static bool CheckSyntax ( string Text )
    {
        if (Text != "Select" && Text != "Create Table" && Text != "Update" && Text != "Delete" && Text != "Truncate" && Text != "Drop Table" && Text != "Insert" && Text != "@")
            return true;
        else return false;

    }}

您可以通过 SQLSyntaxCheck.CheckSyntax ( textbox1.Text.ToString() ) 或任何您喜欢的方法调用它。

于 2016-01-20T09:42:20.667 回答