1. 首頁
  2. 問答
  3. 拆分用戶名和密碼憑證

拆分用戶名和密碼憑證

2012-06-29 81 views
0

我已在用戶通過前端登錄的應用程序的後端創建了以下WebMethod拆分用戶名和密碼憑證

[WebMethod] 
    public String Login(String userName, String password) 
    { 

      OleDbConnection connect = new OleDbConnection(connection); 
      connect.Open(); 
      OleDbCommand command = new OleDbCommand("Select * from login where userName='" + userName + "' and password ='" + password + "'", connect); 
      command.CommandType = CommandType.Text; 
      OleDbDataAdapter adapter = new OleDbDataAdapter(); 
      adapter.SelectCommand = command; 
      DataSet NSNSet = new DataSet(); 
      adapter.Fill(NSNSet); 

      string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString(); 

      int userID = System.Convert.ToInt16(NSNSet.Tables[0].Rows[0]["UID"].ToString()); 

      return username + "," + userID; 


    }

目前,我有錯誤處理以代替陳述 -

catch(Exception ex) 
      { 
       string error = System.Convert.ToString(ex); 
       if (error.Contains("There is no row at position 0")) 
       { 
        status.Text = "Incorrect Username/Password combination"; 
       } 
      }

這工作得很好,但我怎麼可能aulter我的代碼,以便它帶回一個更具體的錯誤,即國家如果userNamepassword具體是不正確的?

來源

2012-06-29 Ebikeneser

+3

問題1:打開sql注入;問題2:密碼似乎以純文本形式存儲;問題3:檢查「無記錄」 *之前*您訪問的行0 –

+4

通常,你不想給比「無效組合」更多詳細資料(OK,這樣的「管理員」賬戶存在現在讓我們嘗試輸入密碼?!) –

回答

2

你應該這樣做:

public String Login(String userName, String password) 
    { 
     OleDbConnection connect = new OleDbConnection(connection); 
     connect.Open(); 

     OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect); 
     command.CommandType = CommandType.Text; 

     //to avoid sql injection 
     command.Parameters.Add(userName); 
     command.Parameters.Add(password); 

     OleDbDataAdapter adapter = new OleDbDataAdapter(); 
     adapter.SelectCommand = command; 
     DataSet NSNSet = new DataSet(); 
     adapter.Fill(NSNSet); 

     if (NSNSet.Tables[0].Rows.Count == 0) 
      return "Access denied"; 

     string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString(); 
     int userID = int.Parse(NSNSet.Tables[0].Rows[0]["UID"].ToString()); 
     return username + "," + userID; 
    }

或者更好的方法,使用DataReader進行性能分析:

public String Login(String userName, String password) 
    { 

     OleDbConnection connect = new OleDbConnection(connection); 
     connect.Open(); 

     OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect); 
     command.CommandType = CommandType.Text; 

     //to avoid sql injection 
     command.Parameters.Add(userName); 
     command.Parameters.Add(password); 

     OleDbDataReader reader=command.ExecuteReader(); 
     if (reader.Read()) 
     { 
      //that means there's at least one row 
      string username = reader["firstName"] + " " + reader["lastName"]; 
      int userID = int.Parse(reader["UID"].ToString()); 
      return username + "," + userID; 
     } 
     else 
     { 
      //no combination username-password found 
      return "Access denied"; 
     } 
    }

來源

2012-06-29 11:21:22

1

首先,此代碼對SQL注入開放。第二,如果你想知道具體是哪個元素是不正確,你有你的查詢分解成兩個部分(即查詢用戶名和密碼分開)

來源

2012-06-29 10:48:17 StaWho

3

不要得多細節給出了,只給一個簡單的登錄錯誤消息,但不要說用戶名不正確或密碼不正確,導致黑客可以利用這些信息

一個簡單的文本稱登錄失敗的應該是確定

來源

2012-06-29 10:48:40 JohnnBlade

1

你可以改變你的選擇查詢一點點對此:

"select * from login where userName='"+userName+"'";

如果在DataSet中沒有行再寫入

Invalid UserName

,如果用戶存在,則檢查是否密碼匹配與否,如果不匹配,則寫

Invalid Password

來源

2012-06-29 10:52:43

相關問題

 相關問題