C#登录表单安全/正确
本文关键字:正确 安全 表单 登录 | 更新日期: 2023-09-27 17:59:36
我正在为C#(学校)做今年的最后一个项目,我上次在这个网站上得到帮助时承诺,我会确保我的SQL是安全的,我会保证我的应用程序是安全的。有人能看看我的登录屏幕,告诉我这是否是一种正确和安全的方式吗?
我首先通过Program.cs:打开我的主mdiContainer
private void Form1_Load(object sender, EventArgs e)
{
fL.ShowDialog();
}
然后这个登录表单显示:
string User = txtUser.Text;
string Pw = txtPw.Text;
int Correct = clDatabase.login(User, Pw);
if (Correct == 1)
{
this.Hide();
}
else
{
MessageBox.Show("De gegevens die u heeft ingevult kloppen niet", "Fout!"); //Above means your input is not correct
}
在clDatabase.login 中
public static int login(string GebruikersnaamI, string WachtwoordI)
{
int correct = 0;
SqlConnection Conn = new SqlConnection(clStam.Connstr);
Conn.Open();
using (SqlCommand StrQuer = new SqlCommand("SELECT * FROM gebruiker WHERE usernm=@userid AND userpass=@password", Conn))
{
StrQuer.Parameters.AddWithValue("@userid", GebruikersnaamI);
StrQuer.Parameters.AddWithValue("@password", WachtwoordI);
SqlDataReader dr = StrQuer.ExecuteReader();
if (dr.HasRows)
{
correct = 1;
MessageBox.Show("loginSuccess");
}
else
{
correct = 2;
//invalid login
}
}
Conn.Close();
return correct;
}
登录接受对话框仅用于调试目的这安全吗?这是登录表单的正确方式吗?
EDIT更新的代码登录表单:
private void button1_Click(object sender, EventArgs e)
{
ErrorProvider EP = new ErrorProvider();
if (txtUser.Text == string.Empty || txtPw.Text == string.Empty)
{
if (txtUser.Text == string.Empty)
txtUser.BackColor = Color.Red;
if (txtPw.Text == string.Empty)
txtPw.BackColor = Color.Red;
MessageBox.Show("Er moet wel iets ingevuld zijn!", "Fout");
}
else
{
string User = txtUser.Text;
string Pw = txtPw.Text;
Boolean Correct = clDatabase.login(User, Pw);
if (Correct == true)
{
this.Hide();
}
else
{
MessageBox.Show("Deze combinatie van username en password is niet bekend", "Fout!");
}
}
}
clDatabase:
public static Boolean login(string GebruikersnaamI, string WachtwoordI)
{
Boolean correct = false;
using (SqlConnection Conn = new SqlConnection(clStam.Connstr))
{
Conn.Open();
using (SqlCommand StrQuer = new SqlCommand("SELECT * FROM gebruiker WHERE usernm=@userid AND userpass=@password", Conn))
{
StrQuer.Parameters.AddWithValue("@userid", GebruikersnaamI);
StrQuer.Parameters.AddWithValue("@password", WachtwoordI);
using (SqlDataReader dr = StrQuer.ExecuteReader())
{
if (dr.HasRows)
{
correct = true;
}
else
{
correct = false;
//invalid login
}
}
}
Conn.Close();
}
return correct;
}
就SQL注入而言,它是安全的,因为您正在传递参数但是,不要将密码存储为纯文本,而是存储其哈希值。
请参阅:如何安全地保存用户名/密码(本地)?