I have people in my clan submit a username and password, and I need to know whether submitting them to the database with this code is safe, and whether they are safe once in the database.
```vb
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(username,password) VALUES(@memberToAdd, @memberPassword)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberPassword", membersPassword.Text)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
```
I use parameters to avoid SQL injection attacks.
----------------------------------------
This is not a duplicate, because the password is asked about and stored in a different way. That one uses an MD5 hashed password.
The process for storing a password with basic security is quite simple:

If they entered the correct password, the hashed PW will match. The hash protects the users from attacks, and also from the janitor walking past a screen that displays the members table.
```vb
' salt size is 32 (0-31)
Private Const SaltSize As Integer = 31
...
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)   ' eg: "dsEGWpJpwfAOvdRZyUo9rA=="
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' examples:
' using SHA256: bbKN8wYYgoZmNaG3IsQ2DPS2ZPIOnenl6i5NwUmrGmo=
' using SHA512:
' 0vqZWBIbOlyzL25l9iWk51CxxJTiEM6QUZEH1ph+/aNp+lk4Yf8NYv8RLhYtbqCNpOqO3y8BmM+0YWtbAhE+RA==
```
Store the PW hash and the salt as part of the user record. The salt is not secret, but it can be changed whenever the user changes their password.
```vb
' check if PW entered equals DB
Dim pwTry = TextBox2.Text
' hash the login attempt using the salt stored in the DB
Dim pwLogin = GetSaltedHash(pwTry, dbSalt)
' compare the hash of what they entered to what's in the DB:
If String.Compare(SaltedPWHash, pwLogin, False) = 0 Then
    ' okay!
    Console.Beep()
End If
```
If the user enters the same PW, it should produce the same hash; it is that simple. The hashing code is not that complicated either:
```vb
Imports System.Security.Cryptography
Imports System.Text

Private Function GetSaltedHash(pw As String, salt As String) As String
    Dim tmp As String = pw & salt
    ' or SHA512Managed
    Using hash As HashAlgorithm = New SHA256Managed()
        ' convert pw+salt to bytes:
        Dim saltyPW = Encoding.UTF8.GetBytes(tmp)
        ' hash the pw+salt bytes:
        Dim hBytes = hash.ComputeHash(saltyPW)
        ' return a B64 string so it can be saved as text
        Return Convert.ToBase64String(hBytes)
    End Using
End Function

Private Function CreateNewSalt(size As Integer) As String
    ' use the crypto random number generator to create
    ' a new random salt
    Using rng As New RNGCryptoServiceProvider
        ' don't allow a very small salt
        Dim data(If(size < 7, 7, size)) As Byte
        ' fill the array
        rng.GetBytes(data)
        ' convert to B64 for saving as text
        Return Convert.ToBase64String(data)
    End Using
End Function
```
Also note that the article Kenneth linked is worth reading.
Note that the article's statement that "The salt should be stored in the user account table alongside the hash" does not mean you must have a Salt column in the database. You can see the following in the linked article:
```vb
Dim dbPW As String = TextBox1.Text
Dim dbSalt = CreateNewSalt(SaltSize)
' get the salted PW hash
Dim SaltedPWHash As String = GetSaltedHash(dbPW, dbSalt)
' store salt with the hash (the hash, never the plaintext dbPW):
Dim SaltAndPWHash As String = String.Format("{0}:{1}", dbSalt, SaltedPWHash)
' salt + ":" + hashed PW now ready to store in the db
```
To separate the salt from the hashed password again:
```vb
Dim SaltAndPWHash = rdr.Item("PWHash").ToString()
Dim split = SaltAndPWHash.Split(":"c)   ' split on ":"
Dim Salt = split(0)                      ' element(0) == salt
Dim StoredPWHash = split(1)              ' element(1) == hashed PW
```
You need both parts: after hashing the login attempt with the stored salt, compare the result to split(1).
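As an added example that is not part of the original answer, here is the same scheme ported to Python so it can be run stand-alone: a CSPRNG salt, SHA-256 over pw+salt, the "salt:hash" record layout, and a verify step that splits on ":" and compares the hashes in constant time. All function names are my own choice, and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

SALT_SIZE = 32  # bytes; the VB code above sizes its salt array as 0-31


def create_new_salt(size: int = SALT_SIZE) -> str:
    """Random salt from the OS CSPRNG, base64-encoded so it can be saved as text."""
    size = max(size, 8)  # refuse very small salts, like the guard in CreateNewSalt
    return base64.b64encode(os.urandom(size)).decode("ascii")


def get_salted_hash(pw: str, salt: str) -> str:
    """SHA-256 over UTF-8(pw + salt), base64-encoded: same layout as GetSaltedHash."""
    digest = hashlib.sha256((pw + salt).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_stored_record(pw: str, salt: str = "") -> str:
    """Build the 'salt:hash' text kept in the PWHash column (fresh salt if none given)."""
    salt = salt or create_new_salt()
    return "{0}:{1}".format(salt, get_salted_hash(pw, salt))


def verify_login(pw_try: str, stored: str) -> bool:
    """Split 'salt:hash', re-hash the attempt with the stored salt, compare in constant time.

    Base64 text never contains ':', so the first ':' always separates salt from hash.
    """
    salt, sep, stored_hash = stored.partition(":")
    if not sep or not salt or not stored_hash:
        return False  # malformed record: never authenticate when a part is missing
    return hmac.compare_digest(get_salted_hash(pw_try, salt), stored_hash)


if __name__ == "__main__":
    record = make_stored_record("correct horse")  # constructed sample password
    print(record)
    print(verify_login("correct horse", record), verify_login("wrong", record))
```

Plain SHA-256 is fast by design; for production passwords the same record layout works unchanged with a deliberately slow KDF such as PBKDF2 (hashlib.pbkdf2_hmac) in place of get_salted_hash.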