用戶名和用戶密碼驗證功能

Question

我不敢使用用戶表單數據來查詢用戶登錄數據庫，因爲公司只有20名員工，我在想這個功能，但我不確定這是否仍然是易代碼破解任何沒有這麼好的黑客用戶

Private Function VerifyCredentials(ByVal User As String, ByVal Password As String) As Boolean 


    Dim verification As Boolean = False 
    Dim _conString As String = WebConfigurationManager.ConnectionStrings 
("YounnectionString").ConnectionString 

    'Initialize connections variables 
    Dim cnn As New SqlConnection(_conString) 
    Dim cmd As New SqlCommand 
    cmd.Connection = cnn 
    cnn.Open() 

    'No data from the form are used on the SQL Server 
    cmd.CommandText = "Select UserName, UserPassword from tblUsers;" 

    Dim cmdReader As SqlDataReader = cmd.ExecuteReader() 

    'compare the data from the server with the data from the form, it so not matter what the user send from the form 
    While cmdReader.Read() 
     If Trim(User) = Trim(cmdReader("UserName")) 
     AndAlso Trim(Password) = Trim(cmdReader("UserPassword")) Then 
      verification = True 
     End If 
    End While 
    ' this method may result on performance problems if your tblUsers is too big, 
'afther all it is the entrance and most of the companies 
'just has several hundred users 
    cmdReader.Close() 
    cmd.CommandText = "" 
    cnn.Close() 

    Return verification 

End Function 

請有人檢查這個代碼給我更好的解決方案，該公司是黑客的人與開發商被解僱了。我不知道安全性，但他們想聘請專家解決方案。感謝

Answer 1

你只是存儲明文密碼。一旦數據庫被破壞，你沒有時間通知用戶。

您需要存儲帶鹽的散列密碼。雖然它仍然可以被破解（這需要很多時間），但您仍然需要通知用戶更改密碼。

對於ASP.Net，最簡單的方法將使用

1. ASP.NET Universal Providers或
2. ASP.NET Identity

Answer 2

使用它

介紹ASP.NET身份 - 會員制爲ASP.NET應用程序

http://blogs.msdn.com/b/webdev/archive/2013/06/27/introducing-asp-net-identity-membership-system-for-asp-net-applications.aspx

Answer 3

讓數據庫過濾器爲您服務。 查詢更改爲

"Select UserName, UserPassword from tblUsers 
WHERE UserName = " & Trim(User) & " AND UserPassword = " & Trim(Password) 

然後，如果有一些結果驗證是正確的，如果沒有結果，obviusly你必須返回false，所以根本就

Return cmdReader.Read()