我已经使用哈希与salt进行密码。在我实现哈希之前,我有一个存储过程,用于检查文本框值与数据库中的值,代码工作正常。虽然密码不匹配,但实现哈希后,我检查了我输入的数据库和密码中的哈希值,两者都是相同的。我在谷歌中查找并且有人建议在数据库中手动输入密码值将导致问题。所以我创建了一个用户注册表并在那里散列密码并将其存储在数据库中。任何人都可以指导我哪里出错了。
我的登录页码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Data.SqlClient;
using System.Data;
using System.Security.Cryptography;
namespace taxiservices
{
public partial class adminlogin : System.Web.UI.Page
{
String Salt;
String Hash;
String Pwd;
protected void Page_Load(object sender, EventArgs e)
{
}
public string SaltedHash(string password)
{
Salt = "salthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtest";
Hash = ComputeHash(Salt, password);
return Hash;
}
static string ComputeHash(string salt, string password)
{
var saltBytes = Convert.FromBase64String(salt);
using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, 1000))
return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256));
}
public static bool Verify(string salt, string hash, string password)
{
return hash == ComputeHash(salt, password);
}
protected void Button1_Click(object sender, EventArgs e)
{
Session["username"] = username.Text.ToString();
Pwd=SaltedHash(password.Text.ToString());
Response.Write(Pwd);
string query;
string ConnectionStringnew = ConfigurationManager.ConnectionStrings["ConnectionStringName"].ConnectionString;
using (SqlConnection con = new SqlConnection(ConnectionStringnew))
{
query = "Emplogin"; //stored procedure Name
SqlCommand com = new SqlCommand(query, con);
com.CommandType = CommandType.StoredProcedure;
com.Parameters.AddWithValue("@Usename", username.Text.ToString()); //for username
com.Parameters.AddWithValue("@Password",Pwd); //for password
con.Open();
int usercount = (Int32)com.ExecuteScalar();// for taking single value
con.Close();
if (usercount == 1) // comparing users from table
{
Session["user"] = "valid";
Response.Redirect("adminhomepage.aspx"); //for sucsseful login
}
else
{
Label2.Text = "Invalid User Name or Password"; //for invalid login
}
}
}
protected void username_TextChanged(object sender, EventArgs e)
{
}
}
}
用户创建密码的页面:
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace taxiservices
{
public partial class changepassword : System.Web.UI.Page
{
String Salt;
String Hash;
protected void Page_Load(object sender, EventArgs e)
{
}
protected void TextBox2_TextChanged(object sender, EventArgs e)
{
}
public string SaltedHash(string password)
{
Salt="salthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtestsalthashtest";
Hash = ComputeHash(Salt, password);
return Hash;
}
static string ComputeHash(string salt, string password)
{
var saltBytes = Convert.FromBase64String(salt);
using (var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, saltBytes, 1000))
return Convert.ToBase64String(rfc2898DeriveBytes.GetBytes(256));
}
protected void Button1_Click(object sender, EventArgs e)
{
string Pwd = SaltedHash(TextBox2.Text);
string ConnectionStringn = ConfigurationManager.ConnectionStrings["ConnectionStringName"].ConnectionString;
using (SqlConnection con = new SqlConnection(ConnectionStringn))
{
using (SqlCommand cmd = new SqlCommand("INSERT INTO Users(Username,Password) VALUES(@User,@password)"))
{
cmd.Connection = con;
cmd.Parameters.AddWithValue("@User", TextBox3.Text);
cmd.Parameters.AddWithValue("@password", Pwd);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
}
}
}
}
存储过程:
Create procedure Emplogin
(
@Usename Varchar (20),
@Password varchar (10)
)
as
Begin
Select COUNT(*)from Users where username=@Usename and password=@Password
End
答案 0 :(得分:0)
当您将详细信息传递给您Emplogin存储过程时,它只获取您的盐渍密码的前10个字符(它会截断其他246个字符)。当它针对您的Users数据库检查这个十个字符的字符串时,它找不到匹配项。
您应该调整Emplogin程序,以使@Password变量的长度与password表格中Users列的长度相匹配。