
Using the username and password text boxes, I'm trying to verify on click whether the username and password are in the table. Below is my button code. If possible, could someone review this and tell me where I went wrong? I'm a beginner and could really use some advice.

Thanks for your help, it's much appreciated!

Partial Class _Default
    Inherits System.Web.UI.Page

    Protected Sub butSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles butSubmit.Click

        Dim myReader As Data.SqlClient.SqlDataReader
        Dim mySqlConnection As Data.SqlClient.SqlConnection
        Dim mySqlCommand As Data.SqlClient.SqlCommand
        'Establish the SqlConnection by using the configuration manager to get the connection string in our web.config file.

        mySqlConnection = New Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("ConnectionString").ToString())
        Dim sql As String = "SELECT password FROM MyUsers WHERE username = '" & Me.logon_id.Text & "'"
        mySqlCommand = New Data.SqlClient.SqlCommand(sql, mySqlConnection)
        Try

            mySqlConnection.Open()
            myReader = mySqlCommand.ExecuteReader()

            If (myReader.HasRows) Then
                myReader.Read()
                Dim password As String = myReader("password")
                If (password = Me.user_password.Text) Then
                    'Open page with users and roles
                    Dim message As String = "Correct password"
                    Dim style As MsgBoxStyle = MsgBoxStyle.OkOnly
                    Dim title As String = "Authenticated"
                    MsgBox(message, style, title)

                End If
            End If

        Catch ex As Exception
            Console.WriteLine(ex.ToString())
        Finally
            If Not (myReader Is Nothing) Then
                myReader.Close()
            End If

            If (mySqlConnection.State = Data.ConnectionState.Open) Then
                mySqlConnection.Close()
            End If

        End Try

    End Sub
End Class

=================================================================

Update:

Thank you for the article. Thanks for the suggestion about creating a password hash. That does make sense, but this is a beginner project and I don't think it's part of the requirements.

The full project is to create three tables: MyUsers, MyRole and UserRoles. The UserRoles table is supposed to link users to multiple roles. The first column will contain a reference to the user. The second column will contain a link to a role.

I want to create 2 web pages. One with a table containing all the information about users and roles, and another with a username and password that is supposed to connect to the tables and verify whether the entered information matches what is in the table.

Below is my SQL code:

user_description VARCHAR(100) NOT NULL,

user_password VARCHAR(50) NOT NULL,
);

INSERT INTO MyUsers (user_logon_id, user_full_name, user_description, user_password) VALUES 
('mcoby', 'Mary Coby', 'Class Instructor', 'password');


CREATE TABLE MyRole
(
myrole_id INT IDENTITY(1,1)PRIMARY KEY,

role_name VARCHAR(50) NOT NULL,

role_description VARCHAR(100) NOT NULL,
);

INSERT INTO MyRole (role_name, role_description) VALUES ('administrator', ' Administrator of the web site');

INSERT INTO MyRole (role_name, role_description) VALUES ('user', ' User of the web site');


CREATE TABLE UserRoles
 (
    user_id int FOREIGN KEY REFERENCES MyUsers(id),

    role_id int FOREIGN KEY REFERENCES MyRole(myrole_id),
 );

1 Answer


Don't send or receive plaintext password text to or from your database.
You should create a hash of the password and store that. When you need to check the password, re-apply the hash function and check it against the database.

Also, the string concatenation used in the command text is a very bad practice. You should always use parameterized queries, to avoid SQL injection and the problems of parsing strings containing single quotes or decimal numbers, and dates the database doesn't recognize.

Finally, connection, command and datareader are all disposable objects; it is best to use the Using statement.

This is just an example, untested:

    ' These Imports belong at the top of the code-behind file
    Imports System.Text
    Imports System.Security.Cryptography

    Protected Sub butSubmit_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles butSubmit.Click
        ' The user name travels as a parameter; it is never concatenated into the SQL text
        Dim sql As String = "SELECT password FROM MyUsers WHERE username = @uname"
        Dim result As Object
        Using mySqlConnection = New Data.SqlClient.SqlConnection(ConfigurationManager.ConnectionStrings("ConnectionString").ToString())
        Using mySqlCommand = New Data.SqlClient.SqlCommand(sql, mySqlConnection)
            mySqlConnection.Open()
            mySqlCommand.Parameters.AddWithValue("@uname", Me.logon_id.Text)
            ' ExecuteScalar returns the first column of the first row, or Nothing when no row matches
            result = mySqlCommand.ExecuteScalar()
            If result Is Nothing Then
                ' User not found
            Else
                ' Hash what the user typed and compare it with the hash stored in the table
                Dim pwHash = GetHashedText(Me.user_password.Text)
                If result.ToString = pwHash Then
                    'Open page with users and roles
                    Dim message As String = "Correct password"
                    Dim style As MsgBoxStyle = MsgBoxStyle.OkOnly
                    Dim title As String = "Authenticated"
                    MsgBox(message, style, title)
                Else
                    ' wrong Password
                End If
            End If
        End Using
        End Using
    End Sub

    ' Hashes the UTF-16 bytes of the text with MD5 and returns the digest as Base64
    Private Function GetHashedText(ByVal clearText As String) As String
        Dim e As New UnicodeEncoding()
        Dim sourceBytes() As Byte = e.GetBytes(clearText)
        Dim md5 As New MD5CryptoServiceProvider()
        Dim hashedBytes() As Byte = md5.ComputeHash(sourceBytes)
        Return Convert.ToBase64String(hashedBytes)
    End Function

As you can see, I have removed the SqlDataReader because I assume you have only one user with the given username, so the query returns only one row (or zero) and the password column. The password entered by the user is then hashed and checked against the hash returned from the database. No clear password text is on the network, and on the database side the password is encrypted, so no administrator of the remote machine can recover the original text.

Answered on 2013-06-21T10:30:55.830
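A hardened version of the check the answer describes, as an added example that is not code from the question or the answer. It keeps the parameterized query but uses the column names from the question's schema (user_logon_id, user_password), replaces unsalted MD5 with PBKDF2 (Rfc2898DeriveBytes) over a random per-user salt, and compares digests in constant time. The module name PasswordStore and the connection-string parameter are assumptions; it also assumes user_password is widened beyond VARCHAR(50) (the stored string is 76 characters with the sizes used here) and that rows are written with HashPassword when users are created.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
' Hypothetical module; not part of the question's or answer's code
Public Module PasswordStore
    ' PBKDF2 work factor; raise it as hardware gets faster
    Private Const Iterations As Integer = 100000
    ' Returns "iterations$salt$hash" (Base64 parts) for storing in MyUsers.user_password
    Public Function HashPassword(ByVal clearText As String) As String
        Dim salt(15) As Byte ' 16 random bytes, unique per user
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(salt)
        Using kdf As New Rfc2898DeriveBytes(clearText, salt, Iterations)
            Dim hash As Byte() = kdf.GetBytes(32)
            Return Iterations.ToString() & "$" & Convert.ToBase64String(salt) & "$" & Convert.ToBase64String(hash)
        End Using
    End Function
    ' Recomputes the hash with the stored salt and iteration count; compares in constant time
    Public Function VerifyPassword(ByVal clearText As String, ByVal stored As String) As Boolean
        Dim parts As String() = stored.Split("$"c)
        If parts.Length <> 3 Then Return False
        Dim salt As Byte() = Convert.FromBase64String(parts(1))
        Dim expected As Byte() = Convert.FromBase64String(parts(2))
        Using kdf As New Rfc2898DeriveBytes(clearText, salt, Integer.Parse(parts(0)))
            Dim actual As Byte() = kdf.GetBytes(expected.Length)
            Dim diff As Integer = 0
            For i As Integer = 0 To expected.Length - 1
                diff = diff Or (actual(i) Xor expected(i)) ' no early exit on mismatch
            Next
            Return diff = 0
        End Using
    End Function
    ' Looks up the stored hash for the logon id with a typed parameter; True only on a match
    Public Function Authenticate(ByVal connectionString As String, ByVal logonId As String, ByVal clearText As String) As Boolean
        Const sql As String = "SELECT user_password FROM MyUsers WHERE user_logon_id = @uname"
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@uname", SqlDbType.VarChar, 50).Value = logonId
                conn.Open()
                Dim stored As Object = cmd.ExecuteScalar()
                ' Unknown user and wrong password both fail the same way
                If stored Is Nothing OrElse stored Is DBNull.Value Then Return False
                Return VerifyPassword(clearText, CStr(stored))
            End Using
        End Using
    End Function
End Module
```

In the click handler, call Authenticate(ConfigurationManager.ConnectionStrings("ConnectionString").ToString(), Me.logon_id.Text, Me.user_password.Text) and branch on the Boolean result.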