0

我正在开发一个需要登录表单、用户和密码保存在 SQL Server 数据库中的 C# 应用程序。

我使用我的CodePass函数来编码密码,我已经添加了一个用户,并且之前它是我的数据库的编码密码(用户、密码和登录角色保存在数据库中)

现在当我像这样调用我的 doLogin 函数时

doLogin("Arashdn","123");

它返回 0(错误的用户或密码) 在调试应用程序后,我发现hash(用于保持从数据库读取加密密码的变量)持有 123 个未加密密码。

问题可能是什么?

这是我的代码:

public class DB
{
    public static string constr = "Server=localhost;Database=University;
    Integrated Security=true;MultipleActiveResultSets=True;";
    public static string userTable = "Users", userPassword = "Passwd", 
    userName = "UserID", loginRole = "Role";
}

public class login
{
    public int doLogin(string user, string pass)
    {
        string role="0";
        SqlConnection conn = new SqlConnection(DB.constr);
        try
        {
            conn.Open();
            SqlCommand my_cm = conn.CreateCommand();
            SqlDataReader dbread1;
            my_cm.CommandText = "Select " + DB.userPassword + " from " + 
                DB.userTable + " WHERE " + DB.userName + "=" + user;
            dbread1 = my_cm.ExecuteReader();
            string hash="";

            while (dbread1.Read())
            {
               hash = dbread1[0].ToString();
            }

            if (CodePass(user, pass) == hash)
            {
                SqlCommand my_cm2 = conn.CreateCommand();
                SqlDataReader dbread2;
                my_cm2.CommandText = "Select " + DB.loginRole + " from " + 
                DB.userTable + " WHERE " + DB.userName + "=" + user;
                dbread2 = my_cm2.ExecuteReader();

                while (dbread2.Read())
                {
                   role = dbread2[0].ToString(); 
                }
            } 
        }
        catch (Exception ex)
        {
            throw ex;
        }
        finally
        {
            if (conn.State == System.Data.ConnectionState.Open)
                    conn.Close();
        }

        return int.Parse(role);
    }

    public string CodePass(string user, string pass)
    {
        System.Security.Cryptography.SHA1CryptoServiceProvider sha = 
              new SHA1CryptoServiceProvider();
        return System.Text.Encoding.ASCII.GetString(
          sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(user + pass)));
    }
}

谢谢

4

3 回答 3

2

The likelyhood is that you have at least 2 records in the database that match the username, one with the password of "123".

From SqlManager see what the result of the following is, remember to substitute for the username:

select userID,passwd from Users where userId= '<put the username here>';

Your existing code could be rewritten to make use of SqlParameters to avoid some Sql injection attacks and also dispose of your objects properly. Additionally most of the logic could be moved to a single database query as below.

This modification will return 0 if the user and password is incorrect. You could throw an exception or return another value instead.

public class DB
{
    public static string constr = "Server=localhost;Database=University; Integrated Security=true;MultipleActiveResultSets=True;";
    public static string userTable = "Users", userPassword = "Passwd", 
    userName = "UserID", loginRole = "Role";
}

public class login
{
   public int doLogin(string user, string pass)
   {
      string role="0";
      using (var conn = new SqlConnection(DB.constr) {
        using (var my_cm = conn.CreateCommand() {
         my_cm.CommandText = string.Format(
             "select {0} from {1} where {2} = @username and {3} = @password",
             DB.loginRole,
             DB.userTable,
             DB.userName,
             DB.userPassword);
         my_cm.Parameters.AddWithValue("@username", user);
         mt_cm.Parameters.AddWithValue("@password", CodePass(user,pass));
         using (var dbread = my_cm.ExecuteReader()) {
           if (!dbread.Read()) {
             return 0; // or something else if user not found
           }
           return int.Parse(dbRead[0].ToString());
         }
      }
    }
  }

  public string CodePass(string user, string pass)
  {
    System.Security.Cryptography.SHA1CryptoServiceProvider sha = 
          new SHA1CryptoServiceProvider();
    return System.Text.Encoding.ASCII.GetString(
      sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(user + pass)));
  }
}
于 2013-06-10T08:46:19.957 回答
1

基于 :

After debuging application I find that hash(a variable to keep encrypted password red from database) is holding 123 not encrypted password.

我建议去查看您的数据库并将您的 PW 字段中的 PW 从更改123为, #<=??D?mB?MyE??C?因为您的数据库只保存它所获得的数据,它看起来像您保存123而不是#<=??D?mB?MyE??C?

和你的赞扬:

CodePass returns encrypted password , and password is saved encryptedly in DB but hash is keeping unecrypted password

没有意义,因为您的数据库将无法使用此查询解密

编辑

如果

the passwd feild in database is #<=??D?mB?MyE??C? not 123 but dbread1 is reading 123 and this is the problem

是真的请检查以下事项:

  • 它是正确的数据库吗?
  • 它是正确的表吗?
  • 最后但并非最不重要的一点是,您是否在右栏中阅读?
于 2013-06-10T08:19:36.550 回答
0

I find the problem I have both sql server express and developer edition on my computer and I have another database in SQLServer Developer in which passwd was 123 and my main DB was is SQLServer Express ...

Silly me

于 2013-06-10T08:46:00.163 回答