你好, 首先我想告诉你,我是CSharp的新手,这就是为什么我不知道我用MySQL创建连接的方式是错误的,所以因为这个,我必须用Prepared Statement来修改它。请善待!使用MySQL的CSharp Prepared Statement不起作用
这是我试图使它工作的方法。
[HttpPost]
public ActionResult ValidatesLogin (User eUser)
{
var Email = eUser.Email;
var Password = eUser.Password;
try
{
MySqlCommand cmd = MySqlConn.cmd;
cmd = new MySqlCommand(" from User " + "WHERE [email protected] " + "AND [email protected]",
MySqlConn.conn);
cmd.Prepare();
cmd.Parameters.AddWithValue("@email", username);
cmd.Parameters.AddWithValue("@password", password);
int result = (int)cmd.ExecuteReader();
//encrypting the login user password
//the encrypter and decrypter must have same key which is 'kahat' below
var encryptpassword = EncryptHelper.EncryptString(eUser.Password, "kahat");
// Returns true when username and password match:
if (result > 0)
{
System.Web.Security.FormsAuthentication.SetAuthCookie(eUser.Email, false);
return RedirectToAction("Index", "Index", new { area = "Index" });
}
else
{
TempData["Message"] = "Login failed. Email or password supplied doesn't exist.";
return View("Index");
}
}
catch (Exception ex)
{
return ThrowJsonError(ex);
}
}
而这下面的代码是我这工作得非常好实际的连接。
[HttpPost]
public ActionResult Validate(User eUser)
{
try
{
//Pull email and password from login page
var Email = eUser.Email;
var Password = eUser.Password;
//Pull first email and password from database
var currentUser = this.rpGeneric.Find<User>(" from User WHERE Email=:email ", new string[] { "email" }, new object[] { Email }).FirstOrDefault();
//encrypting the login user password
//the encrypter and decrypter must have same key which is 'kahat' below
var encryptpassword = EncryptHelper.EncryptString(eUser.Password, "kahat");
//Comparing user password in login page and current password in db
if (currentUser != null && encryptpassword.Equals(currentUser.Password, StringComparison.Ordinal) && currentUser.EmailConfirmed == true)
{
System.Web.Security.FormsAuthentication.SetAuthCookie(eUser.Email, false);
return RedirectToAction("Index", "Index", new { area = "Index" });
}
else
{
TempData["Message"] = "Login failed. Email or password supplied doesn't exist.";
return View("Index");
}
}
catch (Exception ex)
{
return ThrowJsonError(ex);
}
}
切勿将密码以纯文本形式存储在数据库中!您的问题表明您正在这样做,因为您将用户输入直接与您的查询进行比较。 https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database –
**不要以纯文本**存储密码或加密密码,当攻击者获取数据库时,他也会获取加密密钥。仅仅使用散列函数是不够的,只是添加盐对提高安全性没有多大作用。使用随机盐在HMAC上迭代大约100毫秒的持续时间,并用散列表保存盐。使用诸如'ehash','PBKDF2','Bcrypt','passlib.hash'或类似函数的函数。关键是要让攻击者花费大量时间通过强力查找密码。 – zaph
非常感谢你 –