Question

我今年正在为C＃（学校）做最后的项目，我承诺上次我在这个网站上得到帮助，我会确保我的SQL安全，我会让我的应用程序安全。有人可以查看我的登录屏幕并告诉我这是否是一种正确而安全的方式？

我首先通过Program.cs打开我的主mdiContainer：

private void Form1_Load(object sender, EventArgs e)
    {
        fL.ShowDialog();
    }

然后此登录表单显示：

string User = txtUser.Text;
        string Pw = txtPw.Text;
        int Correct = clDatabase.login(User, Pw);

        if (Correct == 1)
        {
            this.Hide();
        }
        else
        {
            MessageBox.Show("De gegevens die u heeft ingevult kloppen niet", "Fout!"); //Above means your input is not correct
        }

在clDatabase.login

中

public static int login(string GebruikersnaamI, string WachtwoordI)
    {
        int correct = 0;
        SqlConnection Conn = new SqlConnection(clStam.Connstr);
        Conn.Open();
        using (SqlCommand StrQuer = new SqlCommand("SELECT * FROM gebruiker WHERE usernm=@userid AND userpass=@password", Conn))
        {
            StrQuer.Parameters.AddWithValue("@userid", GebruikersnaamI);
            StrQuer.Parameters.AddWithValue("@password", WachtwoordI);
            SqlDataReader dr = StrQuer.ExecuteReader();
            if (dr.HasRows)
            {
                correct = 1;
                MessageBox.Show("loginSuccess");
            }
            else
            {
                correct = 2;
                //invalid login
            }
        }
        Conn.Close();
        return correct;
    }

loginsucces的对话框仅用于调试目的atm 这样安全吗？这是登录表单的正确方法吗？

编辑更新的代码登录表单：

private void button1_Click(object sender, EventArgs e)
    {
        ErrorProvider EP = new ErrorProvider();

        if (txtUser.Text == string.Empty || txtPw.Text == string.Empty)
        {
            if (txtUser.Text == string.Empty)
                txtUser.BackColor = Color.Red;
            if (txtPw.Text == string.Empty)
                txtPw.BackColor = Color.Red;

            MessageBox.Show("Er moet wel iets ingevuld zijn!", "Fout");
        }
        else
        {
            string User = txtUser.Text;
            string Pw = txtPw.Text;
            Boolean Correct = clDatabase.login(User, Pw);

            if (Correct == true)
            {
                this.Hide();
            }
            else
            {
                MessageBox.Show("Deze combinatie van username en password is niet bekend", "Fout!");
            }
        }
    }

clDatabase:
public static Boolean login(string GebruikersnaamI, string WachtwoordI)
    {
        Boolean correct = false;
        using (SqlConnection Conn = new SqlConnection(clStam.Connstr))
        {
            Conn.Open();
            using (SqlCommand StrQuer = new SqlCommand("SELECT * FROM gebruiker WHERE usernm=@userid AND userpass=@password", Conn))
            {
                StrQuer.Parameters.AddWithValue("@userid", GebruikersnaamI);
                StrQuer.Parameters.AddWithValue("@password", WachtwoordI);
                using (SqlDataReader dr = StrQuer.ExecuteReader())
                {
                    if (dr.HasRows)
                    {
                        correct = true;
                    }
                    else
                    {
                        correct = false;
                        //invalid login
                    }
                }
            }
            Conn.Close();
        }
        return correct;
    }

Answer 1

就SQL注入而言，它是安全的，因为您传递参数。但，不要将密码存储为纯文本，而是存储其哈希值。

请参阅：How to securely save username/password (local)?

C＃登录表格安全/正确吗？

1 个答案: