我害怕使用用户表单数据查询数据库以进行用户登录,因为该公司只有20名员工,我正在考虑这个功能,但我不确定这是否仍然是一个容易破解的代码任何没有这么好的黑客用户
Private Function VerifyCredentials(ByVal User As String, ByVal Password As String) As Boolean
Dim verification As Boolean = False
Dim _conString As String = WebConfigurationManager.ConnectionStrings
("YounnectionString").ConnectionString
'Initialize connections variables
Dim cnn As New SqlConnection(_conString)
Dim cmd As New SqlCommand
cmd.Connection = cnn
cnn.Open()
'No data from the form are used on the SQL Server
cmd.CommandText = "Select UserName, UserPassword from tblUsers;"
Dim cmdReader As SqlDataReader = cmd.ExecuteReader()
'compare the data from the server with the data from the form, it so not matter what the user send from the form
While cmdReader.Read()
If Trim(User) = Trim(cmdReader("UserName"))
AndAlso Trim(Password) = Trim(cmdReader("UserPassword")) Then
verification = True
End If
End While
' this method may result on performance problems if your tblUsers is too big,
'afther all it is the entrance and most of the companies
'just has several hundred users
cmdReader.Close()
cmd.CommandText = ""
cnn.Close()
Return verification
End Function
请有人检查一下此代码,并给我更好的解决方案,这家公司是黑客的,开发人员被解雇了。我不了解安全性,但他们想聘请专家时需要解决方案。感谢
答案 0 :(得分:0)
您只是存储纯文本密码。一旦您的数据库遭到入侵,您就没有时间通知用户。
您需要使用salt存储哈希密码。虽然,它仍然可以被破解(需要时间),但你仍然有时间通知用户更改密码。
对于ASP.Net,最简单的方法是使用
答案 1 :(得分:0)
让数据库为您过滤。 将查询更改为
"Select UserName, UserPassword from tblUsers
WHERE UserName = " & Trim(User) & " AND UserPassword = " & Trim(Password)
然后,如果有一些结果认证是正确的,如果没有结果,显然你必须返回false,所以只需做
Return cmdReader.Read()
答案 2 :(得分:-1)
使用它
ASP.NET身份介绍 - ASP.NET应用程序的成员资格系统