0

注册后,我试图在 asp.net 中使用 scrypt 在数据库中对用户密码进行哈希处理,但是当我尝试登录时,我不知道如何将用户密码与数据库中的哈希值进行比较.

谁能帮我弄清楚如何将密码与散列密码进行比较?

对于注册我使用:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Drawing;
using System.Security.Cryptography;
using Scrypt;

namespace WebApplication1
{
    public partial class SignUp : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {


        }



        protected void btSignup_Click(object sender, EventArgs e)
        {
            if (tbUname.Text != "" & tbPass.Text != "" && tbName.Text != "" && tbEmail.Text != "" && tbCPass.Text != "")
            {
                if (tbPass.Text == tbCPass.Text)
                {
                    String CS = ConfigurationManager.ConnectionStrings["MyDatabaseConnectionString1"].ConnectionString;
                    using (SqlConnection con = new SqlConnection(CS))
                    {
                        ScryptEncoder encoder = new ScryptEncoder();
                        string hashsedPassword = encoder.Encode(tbPass.Text);
                        SqlCommand cmd = new SqlCommand("insert into Users values('" + tbUname.Text + "','" + hashsedPassword + "','" + tbEmail.Text + "','" + tbName.Text + "')", con);
                        con.Open();
                        cmd.ExecuteNonQuery();

                        lblMsg.Text = "Registration Succesfull";
                        lblMsg.ForeColor = Color.Green;
                        Response.Redirect("~/SignIn.aspx");
                    }
                }
                else { lblMsg.Text = "Passwords do not match"; }
            }

            else
            {
                lblMsg.ForeColor = Color.Red;
                lblMsg.Text = "All Fields are Mandatory";

            }
        }

        protected void Button1_Click(object sender, EventArgs e)
        {

            SqlConnection con1 = new SqlConnection();
            con1.ConnectionString = @"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\MyDatabase.mdf;Integrated Security=True";
            con1.Open();
            SqlCommand cm1 = new SqlCommand();
            cm1.CommandText = "select * from [Users]where Username=@Uname";
            cm1.Parameters.AddWithValue("@Uname", tbUname.Text);
            cm1.Connection = con1;
            SqlDataReader rd = cm1.ExecuteReader();
            if (rd.HasRows)
            {
                Label1.Visible = true;
                Label1.Text = "Username already exists !";
                Label1.ForeColor = System.Drawing.Color.Red;
            }

            else
            {
                Label1.Visible = true;
                Label1.Text = "Username is available !";
                Label1.ForeColor = System.Drawing.Color.Green;
            }
        }
    }
}

并登录:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;

namespace WebApplication1
{
    public partial class SignIn : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }


        protected void Button1_Click(object sender, EventArgs e)
        {
            String CS = ConfigurationManager.ConnectionStrings["MyDatabaseConnectionString1"].ConnectionString;
            using (SqlConnection con = new SqlConnection(CS)) {
                SqlCommand cmd= new SqlCommand("select * from Users where Username='"+ Username.Text+"' and Password='"+Password.Text+"'" , con);
                con.Open();
                SqlDataAdapter sda = new SqlDataAdapter(cmd);
                DataTable dt = new DataTable();
                sda.Fill(dt);
                if (dt.Rows.Count != 0)
                {
                    Session["USERNAME "] = Username.Text;
                    Response.Redirect("~/UserHome.aspx"); }
                else {
                    lblError.Text = "Invalid Username or Password !";

                }
            }
        }
    }
}
4

1 回答 1

0

Scrypt.NET为您处理输入的密码和现有哈希的比较。文档页面显示:

ScryptEncoder encoder = new ScryptEncoder();

bool areEquals = encoder.Compare("mypassword", hashedPassword);

在您的情况下,这意味着您不能使用 SQL 查询中的密码来获取特定用户。您只需要使用给定的来在表Username中找到正确的行。Users

SqlCommand cmd = new SqlCommand("select * from Users where Username=@Username" , con);
cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 255, Username.Text);

con.Open();
SqlDataAdapter sda = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
sda.Fill(dt);
if (dt.Rows.Count != 0) {
    ScryptEncoder encoder = new ScryptEncoder();

    foreach(DataRow row in dt.Rows)
    {
        if (encoder.Compare(Password.Text, (string)row["Password"]))
        {
            Session["USERNAME "] = Username.Text;
            Response.Redirect("~/UserHome.aspx");
            return;
        }
    }
} else {
    lblError.Text = "Invalid Username or Password !";
}

始终使用参数化的 SQL 查询。否则,您很容易受到 SQL 注入攻击。

于 2016-05-22T14:47:21.227 回答