我正在开发一个需要登录表单的C#应用程序,用户和密码保存在SQL Server数据库中。
我使用CodePass函数对密码进行编码,我之前已将用户及其编码密码添加到我的数据库中(用户,密码和登录角色保存在数据库中)
现在当我像这样调用我的doLogin函数时
doLogin("Arashdn","123");
它返回0(错误的用户或密码)
调试应用程序后,我发现hash(一个保持加密密码从数据库中读取的变量)持有123未加密的密码。
问题是什么?
这是我的代码:
public class DB
{
public static string constr = "Server=localhost;Database=University;
Integrated Security=true;MultipleActiveResultSets=True;";
public static string userTable = "Users", userPassword = "Passwd",
userName = "UserID", loginRole = "Role";
}
public class login
{
public int doLogin(string user, string pass)
{
string role="0";
SqlConnection conn = new SqlConnection(DB.constr);
try
{
conn.Open();
SqlCommand my_cm = conn.CreateCommand();
SqlDataReader dbread1;
my_cm.CommandText = "Select " + DB.userPassword + " from " +
DB.userTable + " WHERE " + DB.userName + "=" + user;
dbread1 = my_cm.ExecuteReader();
string hash="";
while (dbread1.Read())
{
hash = dbread1[0].ToString();
}
if (CodePass(user, pass) == hash)
{
SqlCommand my_cm2 = conn.CreateCommand();
SqlDataReader dbread2;
my_cm2.CommandText = "Select " + DB.loginRole + " from " +
DB.userTable + " WHERE " + DB.userName + "=" + user;
dbread2 = my_cm2.ExecuteReader();
while (dbread2.Read())
{
role = dbread2[0].ToString();
}
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
if (conn.State == System.Data.ConnectionState.Open)
conn.Close();
}
return int.Parse(role);
}
public string CodePass(string user, string pass)
{
System.Security.Cryptography.SHA1CryptoServiceProvider sha =
new SHA1CryptoServiceProvider();
return System.Text.Encoding.ASCII.GetString(
sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(user + pass)));
}
}
由于
答案 0 :(得分:2)
可能的情况是,您在数据库中至少有2条与用户名匹配的记录,其中一条记录的密码为“123”。
从SqlManager看看以下是什么结果,记得替换用户名:
select userID,passwd from Users where userId= '<put the username here>';
可以重写现有代码以使用SqlParameters来避免一些Sql注入攻击并正确处理您的对象。此外,大多数逻辑可以移动到单个数据库查询,如下所示。
如果用户和密码不正确,此修改将返回0。您可以抛出异常或返回另一个值。
public class DB
{
public static string constr = "Server=localhost;Database=University; Integrated Security=true;MultipleActiveResultSets=True;";
public static string userTable = "Users", userPassword = "Passwd",
userName = "UserID", loginRole = "Role";
}
public class login
{
public int doLogin(string user, string pass)
{
string role="0";
using (var conn = new SqlConnection(DB.constr) {
using (var my_cm = conn.CreateCommand() {
my_cm.CommandText = string.Format(
"select {0} from {1} where {2} = @username and {3} = @password",
DB.loginRole,
DB.userTable,
DB.userName,
DB.userPassword);
my_cm.Parameters.AddWithValue("@username", user);
mt_cm.Parameters.AddWithValue("@password", CodePass(user,pass));
using (var dbread = my_cm.ExecuteReader()) {
if (!dbread.Read()) {
return 0; // or something else if user not found
}
return int.Parse(dbRead[0].ToString());
}
}
}
}
public string CodePass(string user, string pass)
{
System.Security.Cryptography.SHA1CryptoServiceProvider sha =
new SHA1CryptoServiceProvider();
return System.Text.Encoding.ASCII.GetString(
sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(user + pass)));
}
}
答案 1 :(得分:1)
基于:
After debuging application I find that hash(a variable to keep encrypted password red from database) is holding 123 not encrypted password.
我建议您查看数据库,并将您的PW字段中的PW从123更改为#<=??D?mB?MyE??C?,因为您的数据库只保存了它所获得的数据,而且看起来您已保存{ {1}}代替123
和你的赞扬:
#<=??D?mB?MyE??C?
没有意义,因为您的数据库无法使用此查询解密
如果
CodePass returns encrypted password , and password is saved encryptedly in DB but hash is keeping unecrypted password
是真的,请检查以下内容:
答案 2 :(得分:0)
我发现了问题 我的计算机上有sql server express和开发人员版本,我在SQLServer Developer中有另一个数据库,其中passwd是123,我的主要数据库是SQLServer Express ......
傻傻的我