
我在下面有这个简单的登录页面,

如果我输入正确的 ID + pw -> 成功(我想要)

如果我输入错误的 ID -> 错误的登录名(我想要的)

但是如果我输入正确的 ID + 错误的密码,我希望它说错误的密码。

我该怎么做?

谢谢你。

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

using System.Data.SqlClient;

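public partial class _Default : System.Web.UI.Page
{
    // Northwind sample database on the local server. A per-request connection is
    // opened from this string below instead of keeping a SqlConnection field that
    // was never disposed.
    private const string ConnectionString =
        "Initial Catalog=Northwind;Data Source=localhost;Integrated Security=SSPI;";

    /// <summary>
    /// Sends a visitor who already has a session entry straight to the member page.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // NOTE(review): Button1_Click stores the value under "x"; as far as I know the
        // default session provider treats keys case-insensitively, but using one
        // spelling in both places would remove the doubt.
        if (Session["X"] != null)
        {
            Response.Redirect("MemberPage.aspx");
        }
    }

    /// <summary>
    /// Login button: TextBox1 is compared with FirstName and TextBox2 with LastName,
    /// and the visitor is signed in only when one Employees row matches BOTH values.
    /// LastName is not a credential; see the answers below for a WHERE-clause lookup
    /// against a hashed password instead of scanning the table.
    /// </summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        string login = TextBox1.Text;
        string password = TextBox2.Text;
        bool authenticated = false;

        // using-blocks close the reader and connection on every path. The original
        // called Response.Redirect inside the loop, which ends the request before
        // cnn.Close() was reached.
        using (SqlConnection cnn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT FirstName,LastName FROM Employees", cnn))
        {
            cnn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    // Both columns must match the same row. The original used ||, which
                    // signed in anyone whose first name OR last name matched any
                    // employee. Ordinal comparison keeps the check culture-independent.
                    if (string.Equals(login, dr.GetString(0), StringComparison.Ordinal)
                        && string.Equals(password, dr.GetString(1), StringComparison.Ordinal))
                    {
                        authenticated = true;
                        break;
                    }
                }
            }
        }

        if (authenticated)
        {
            Session["x"] = login;
            Response.Redirect("MemberPage.aspx");
        }
        else
        {
            // One message for both failure cases: a distinct "wrong password" reply
            // would confirm to the caller which names exist.
            Label2.Text = "wrong login";
        }
    }

    /// <summary>
    /// Register button: hands the visitor to the registration page.
    /// </summary>
    protected void Button2_Click(object sender, EventArgs e)
    {
        Response.Redirect("Register.aspx");
    }
}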

3 回答 3


while this doesn't answer your question, I see a MAJOR security flaw with your logic. I think no matter what failure your users encounter, invalid username or invalid password, you should always display the same "invalid login" message.

If someone is attempting to break into the system, then once the application confirms that a user account exists (by replying "invalid password"), they can begin to crack that specific account's password by brute force.

Just something to think about.

于 2013-10-05T14:33:14.137 回答

你把你的逻辑错误地放在这里。逻辑将是

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;

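public partial class _Default : System.Web.UI.Page
{
    // Northwind sample database on the local server. The connection is opened per
    // request inside a using-block rather than held in an undisposed field.
    private const string ConnectionString =
        "Initial Catalog=Northwind;Data Source=localhost;Integrated Security=SSPI;";

    /// <summary>
    /// Sends a visitor who already has a session entry straight to the member page.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // NOTE(review): Button1_Click stores the value under "x"; as far as I know the
        // default session provider treats keys case-insensitively, but using one
        // spelling in both places would remove the doubt.
        if (Session["X"] != null)
        {
            Response.Redirect("MemberPage.aspx");
        }
    }

    /// <summary>
    /// Login button. Finds the Employees row whose FirstName equals the trimmed
    /// TextBox1, then checks that row's LastName against the trimmed TextBox2, so
    /// "wrong login" and "wrong password" can be told apart as the question asked.
    /// </summary>
    protected void Button1_Click(object sender, EventArgs e)
    {
        string login = TextBox1.Text.Trim();
        string password = TextBox2.Text.Trim();
        bool loginFound = false;
        bool passwordMatches = false;

        using (SqlConnection cnn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT FirstName,LastName FROM Employees", cnn))
        {
            cnn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                // The previous version called GetString without ever calling Read(),
                // which SqlDataReader rejects, and it also let a matching LastName
                // alone sign the visitor in. The login must match first; only then is
                // the second field checked.
                while (dr.Read())
                {
                    if (string.Equals(login, dr.GetString(0), StringComparison.Ordinal))
                    {
                        loginFound = true;
                        passwordMatches = string.Equals(password, dr.GetString(1), StringComparison.Ordinal);
                        break;
                    }
                }
            }
        }

        if (loginFound && passwordMatches)
        {
            Session["x"] = login;
            Response.Redirect("MemberPage.aspx");
        }
        else if (loginFound)
        {
            // Distinguishing the two failures is what was asked for, but it confirms
            // to a caller which first names exist; a single "wrong login" message is
            // the safer choice (see the first answer).
            Label2.Text = "wrong password";
        }
        else
        {
            Label2.Text = "wrong login";
        }
    }

    /// <summary>
    /// Register button: hands the visitor to the registration page.
    /// </summary>
    protected void Button2_Click(object sender, EventArgs e)
    {
        Response.Redirect("Register.aspx");
    }
}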
于 2013-10-05T14:30:12.917 回答

您从数据库中读取名字和姓氏,然后根据姓氏检查密码。我怀疑此字段是否包含有效密码

除了这个逻辑错误之外,您应该在 SQL 语句中使用 WHERE 子句来检查用户是否存在于数据库中。

protected void Button1_Click(object sender, EventArgs e)
{
    // Let the database do the lookup: a parameterised WHERE clause returns at most
    // the one row whose username and password equal the submitted values, so the
    // page never pulls the whole Employees table and never builds SQL from the
    // text boxes.
    const string cmdText =
        "SELECT FirstName,LastName " +
        "FROM Employees " +
        "WHERE username=@uname and pass=@pwd";

    using (SqlConnection cnn = new SqlConnection(.....))
    using (SqlCommand cmd = new SqlCommand(cmdText, cnn))
    {
        // Parameters carry the input as values, not as SQL text.
        cmd.Parameters.AddWithValue("@uname", TextBox1.Text);
        cmd.Parameters.AddWithValue("@pwd", TextBox2.Text);
        cnn.Open();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            // NOTE(review): pass=@pwd is compared under the column's collation, so
            // whether it is case-sensitive depends on the database; the answer text
            // recommends storing and comparing a password hash instead of the
            // plain password.
            bool matched = reader.Read();
            if (!matched)
            {
                // Same reply for unknown user and wrong password.
                Label2.Text = "Invalid credentials";
                return;
            }

            // Exactly one row can come back, so the first read is the user.
            Session["x"] = reader.GetString(0);
            Response.Redirect("MemberPage.aspx");
        }
    }
}

要记住的另一点是以下内容。在数据库中,您不应该有明文密码。存储密码的正确方法是存储一个与密码对应的散列字符串,然后将散列函数应用于用户输入,并在数据库中检查相同的散列字符串

于 2013-10-05T14:33:40.047 回答