如何加密密码并将其保存在SQL Server数据库中

时间:2013-05-09 09:02:26

标签: sql-server c#-4.0 login

在我的项目中,用户登录后必须在登录时更改默认密码,并且该密码将存储在数据库中我要加密用户在更改密码页面中输入的密码并将其存储在数据库和重新登录该用户期间我想加密在登录页面输入的密码和使用数据库中保存的密码检查或获取解密的加密密码和使用输入密码检查解密密码我该怎么做我的更改密码是,

SqlConnection con = new SqlConnection(@"Data Source=ESLHPC17\SQL2008;Initial Catalog=Eval;User ID=;Password=");
try
{
    string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
    string qry = "Select Password from passtable";
    SqlCommand cmd = new SqlCommand(Qry, con);
    SqlCommand cmd1 = new SqlCommand(qry, con);
    con.Open();
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    SqlDataAdapter daa = new SqlDataAdapter(cmd1);
    DataTable dt = new DataTable();
    DataTable dtt = new DataTable();
    da.Fill(dt);
    daa.Fill(dtt);
    if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
    {
        string strqry = "Update Passtable Set Password='" + EncryptString(NewPassword.Text) + "'";
        SqlCommand comd = new SqlCommand(strqry, con);
        comd.ExecuteNonQuery();
        Label1.Visible = true;
        Button1.Visible = true;
        ChangeButton.Enabled = false;
    }
    else
    {
        lblMessage.Visible = true;
        lblMessage.ForeColor = System.Drawing.Color.Red;
        lblMessage.Text = "Current Password and Entered Password did not Match !!!";
    }
}
finally
{
  con.Close();
  con.Dispose();
}

使用SQL INJECTION检测编辑的代码 

using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["EvalCon"].ConnectionString)) 
{
    try
    {
        string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
        string qry = "Select Password from passtable";
        if (CurrentPassword.Text != "Select" && CurrentPassword.Text != "Create Table" && CurrentPassword.Text != "Update" && CurrentPassword.Text != "Delete" && CurrentPassword.Text != "Truncate" && CurrentPassword.Text != "Drop Table" && CurrentPassword.Text != "Insert" && CurrentPassword.Text != "@")
        {
            if (NewPassword.Text != "Select" && NewPassword.Text != "Create Table" && NewPassword.Text != "Update" && NewPassword.Text != "Delete" && NewPassword.Text != "Truncate" && NewPassword.Text != "Drop Table" && NewPassword.Text != "Insert" && NewPassword.Text != "@")
            {
                using (SqlCommand cmd = new SqlCommand(Qry, con))
                {
                    using (SqlCommand cmd1 = new SqlCommand(qry, con))
                    {
                        con.Open();
                        SqlDataAdapter da = new SqlDataAdapter(cmd);
                        SqlDataAdapter daa = new SqlDataAdapter(cmd1);
                        DataTable dt = new DataTable();
                        DataTable dtt = new DataTable();
                        da.Fill(dt);
                        daa.Fill(dtt);
                        if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
                        {
                            string strqry = "Update Passtable Set Password='" + NewPassword.Text + "'";
                            SqlCommand comd = new SqlCommand(strqry, con);
                            comd.ExecuteScalar()

                            Label1.Visible = true;
                            Button1.Visible = true;
                            ChangeButton.Enabled = false;
                        }
                        else
                        {
                            lblMessage.Visible = true;
                            lblMessage.ForeColor = System.Drawing.Color.Red;
                            lblMessage.Text = "Current Password and Entered Password did not Match !!!";
                        }
                    }
                }
            }
            else
            {
                lblMessage.Visible = true;
                lblMessage.ForeColor = System.Drawing.Color.Red;
                lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
                CurrentPassword.Enabled = false;
                NewPassword.Enabled = false;
                ConfirmNewPassword.Enabled = false;
            }
        }
        else
        {
            lblMessage.Visible = true;
            lblMessage.ForeColor = System.Drawing.Color.Red;
            lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
            CurrentPassword.Enabled = false;
            NewPassword.Enabled = false;
            ConfirmNewPassword.Enabled = false;
        }
    }
    finally
    {
        con.Close();
        con.Dispose();
    }
}

2 个答案:

答案 0 :(得分:4)

永远不要使用用户输入附加到SQL文本。您的代码容易受到SQL注入攻击。使用参数。立即阅读SQL Injection

  1. 不要将密码存储在数据库中,甚至是加密的。存储salted hash。存储加密密码是一种安全错觉,因为您将获得解密密码所需的密钥管理错误。您还谈到了比较加密密码,这又是错误的,这意味着您不知道如何在加密中正确使用random IV
  2. 学习使用using() {...} blocks
  3. 了解connection strings
    4. 使用appsetings / websettings
  4. 学习使用ExecuteScalar

答案 1 :(得分:0)

您可以使用在要检查Text时调用的类来简化SQLSyntax检查的检查。

class SQLSyntaxCheck
{
    internal static bool CheckSyntax ( string Text )
    {
        if (Text != "Select" && Text != "Create Table" && Text != "Update" && Text != "Delete" && Text != "Truncate" && Text != "Drop Table" && Text != "Insert" && Text != "@")
            return true;
        else return false;

    }}

您可以通过SQLSyntaxCheck.CheckSyntax(textbox1.Text.ToString())或任何方法调用它。

相关问题
最新问题