1

我在 vb.net 中有一个使用 mysql 作为数据库的应用程序。该应用程序有一个登录表单。还有一个注册表单,可以使用 bcrypt.net 在存档中输入新密码,如本站所示:

http://derekslager.com/blog/posts/2007/10/bcrypt-dotnet-strong-password-hashing-for-dotnet-and-mono.ashx

这是我注册新用户的代码(公共程序Clean用于清理表单):

 Private Sub btSignUp_Click(sender As Object, e As EventArgs) Handles btSignUp.Click
dim hash as string
        hash = HashPassword(txConfirmPass.Text)
        If (txPass.Text <> txConfirmPass.Text) Then
            MessageBox.Show("Passwords don't matches")
        Else
            Dim sql As String = "INSERT INTO fusion_login(name,user,password) VALUES (@name,@user,@pass)"
            Using myconnection As MySqlConnection = Connection.getInstance.getConnection()
                Using mycommand As New MySqlCommand()
                    With mycommand
                        .CommandText = sql
                        .CommandType = CommandType.Text
                        .Connection = myconnection
                        .Parameters.Add("@name", MySqlDbType.VarChar).Value = txName.Text
                        .Parameters.Add("@user", MySqlDbType.VarChar).Value = txUser.Text
                        .Parameters.Add("@pass", MySqlDbType.VarChar).Value = hash
                    End With
                    Try
                        myconnection.Open()
                        mycommand.ExecuteNonQuery()
                        If (MessageBox.Show("Do you insert a new user again?", "Register", MessageBoxButtons.YesNo, MessageBoxIcon.Question) = Windows.Forms.DialogResult.Yes) Then 
                            Clean(Me)
                        Else
                            Me.Hide()
                            Login.Show()
                        End If
                    Catch ex As MySqlException
                        MessageBox.Show("Error: " + ex.ToString)
                    Finally
                        myconnection.Close()
                    End Try
                End Using
            End Using
        End If
    End Sub

此代码有效!

现在我正在尝试实现对使用上述过程创建的用户进行身份验证的代码,但我无法让它工作。这是我到目前为止所拥有的: 

      Private Sub btLogin_Click(sender As Object, e As EventArgs) Handles btLogin.Click
Dim hash as String
hash = HashPassword(txPass.text)
                Dim sql As String = "SELECT  user,password FROM fusion_login WHERE user = @user AND password = @pass"
                Using myconnection As MySqlConnection = Connection.getInstance.getConnection()
                    Using mycommand As New MySqlCommand()
                        With mycommand
                            .CommandText = sql
                            .CommandType = CommandType.Text
                            .Connection = myconnection
                            .Parameters.Add("@user", MySqlDbType.VarChar).Value = txUser.Text
                            .Parameters.Add("@pass", MySqlDbType.VarChar).Value = hash
                        End With
                        Try
    myconnection.Open()
                        myreader = mycommand.ExecuteReader
                        If myreader.HasRows = 0 Then
                            Me.Hide()
                            FusionPrincipal.Show()
                        Else
                            MessageBox.Show("Error", "Login", MessageBoxButtons.OK, MessageBoxIcon.Warning)
                            txUser.Focus()
                        End If

                        Catch ex As MySqlException
                            MessageBox.Show("Error: " + ex.ToString)
                        Finally
                            myconnection.Close()
                            myreader.Close()
                        End Try
                    End Using
                End Using

我不确定我是否输入了错误的密码,或者在登录时比较了错误的用户名/密码。这里可能是什么问题?

4

2 回答 2

1

问题是这一行:

If myreader.HasRows = 0 Then

在这段代码中,myreader.HasRows是布尔值,但是0是一个整数。要进行这种比较,0必须首先将值隐式转换为布尔值。转换0为布尔值会导致False. If这意味着只有在数据读取器没有返回任何结果时,代码才会进入该块。我相信这与你想要发生的相反。相反,只需这样做:

If myreader.HasRows = True Then

或者,甚至更好:

If myreader.HasRows Then

当我在这里时,仅仅散列密码是不够的。您还需要为每个用户设置一个盐值,并在创建哈希之前将其与密码结合起来。当您对用户进行身份验证时,您会检索该用户名的盐,将其与提供的密码结合起来,然后将其与结果进行比较。密码比较代码应该更像这样:

Public Function AuthenticateUser(ByVal Username As String, ByVal Password As String) As Boolean
    Dim sql As String = "SELECT  user,password,salt FROM fusion_login WHERE user = @user"
    Using myconnection As MySqlConnection = Connection.getInstance.getConnection(), _
          mycommand As New MySqlCommand(sql, myconnection)

        Try
            mycommand.Parameters.Add("@user", MySqlDbType.VarChar).Value = Username
            myconnection.Open()
            Using rdr As MySqlDataReader = mycommand.ExecuteReader()
                If Not rdr.Read() Then Return False
                Return HashPassword(Password, rdr("salt")).Equals(rdr("password"))
            End Using
        Catch 'You probably want to do more here, but "Return False" was enough for this quick example
             Return False
        End Try
    End Using
End Function

当然,您还需要更新HashPassword()函数以允许附加参数、首先生成盐的插入代码以及存储值的数据库表空间。

还有一件事……即使这也不完全正确。如果你真的想把它做对,你需要确保明文密码只在内存中使用SecureString对象保存。

于 2015-03-23T01:44:52.140 回答
1

已找到此案例的解决方案:

If mydatareader.Hasrows Then
   While mydatareader.Read
       If (Bcrypt.Net.Bcrypt.Verify(txtPassword.text, mydatareader.Item("password"))) then
           MsgBox("Valid Credentials")
       else
           MsgBox("Invalid Credentials")
       End if
   End While
  mydatareader.Close()
End If
于 2016-03-07T22:01:27.913 回答