ADO.NET安全性


为确保数据安全性，查询语句中应尽量使用参数（SqlParameter），而不是把用户输入拼接进 SQL 文本
 
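// Parameterized login: the user-supplied name and password are bound through
// SqlParameter objects, so the database never interprets them as SQL text.
// (The page's label "没有使用参数的" belongs to the btnLogin_Click variant
// below, which concatenates the form fields into the query.)
  private void btnLoginBetter_Click(object sender, System.EventArgs e)
  {
   // Fixed query text; @username / @userpass are placeholders filled by the provider.
   string strSql = "select UserName,UserPass from tbUserInfo where UserName=@username and UserPass=@userpass";
   bool bExist = false;
   // using-blocks close the connection, command and reader even when ExecuteReader
   // throws; the original only reached con.Close() on the happy path.
   using(SqlConnection con = new SqlConnection(System.Configuration.ConfigurationSettings.AppSettings["DSN"]))
   using(SqlCommand com = new SqlCommand(strSql,con))
   {
    // NVarChar(30) bounds the length the server will accept for each value.
    SqlParameter sqlpUser = new SqlParameter("@username",SqlDbType.NVarChar,30);
    sqlpUser.Value = tbName.Text;
    SqlParameter sqlpPass = new SqlParameter("@userpass",SqlDbType.NVarChar,30);
    sqlpPass.Value = tbPass.Text;
    com.Parameters.Add(sqlpUser);
    com.Parameters.Add(sqlpPass);
    con.Open();
    using(SqlDataReader dr = com.ExecuteReader())
    {
     // One matching row is enough; no need to drain the whole result set.
     // Note: tbUserInfo.UserPass is compared as stored, i.e. in plain text —
     // the AuthenticateUser sample further down shows the salted-hash approach.
     bExist = dr.Read();
    }
   }
   // Demo-only diagnostic: echoing the query text to the page reveals table and
   // column names and should not be kept in production code.
   lbDiag.Text = strSql;
   // HtmlEncode keeps a user name containing markup from being rendered as HTML.
   if(bExist)
    lbMsg.Text = "您好!"+Server.HtmlEncode(tbName.Text);
   else
    lbMsg.Text = Server.HtmlEncode(tbName.Text) + "不能进入!";
  }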

  // Counter-example kept for contrast with btnLoginBetter_Click: the query text is
  // built by concatenating the raw form fields, so a value containing a single quote
  // changes the meaning of the SQL statement (SQL injection) instead of being data.
  // Further issues visible here: the name is written to lbMsg without HtmlEncode,
  // lbDiag echoes the full query, the connection and reader are only closed on the
  // happy path, and the stored UserPass is compared in plain text.
  private void btnLogin_Click(object sender, System.EventArgs e)
  {
   SqlConnection con = new SqlConnection();
   con.ConnectionString = System.Configuration.ConfigurationSettings.AppSettings["DSN"];
   con.Open();
  
   // Both user-controlled strings become part of the SQL statement itself.
   string strSql = "select UserName,UserPass from tbUserInfo where UserName='"+tbName.Text+"' and UserPass='"+tbPass.Text+"'";
   SqlCommand com = new SqlCommand(strSql,con);
   SqlDataReader dr = com.ExecuteReader();
   lbDiag.Text = strSql;
   //Execute the query below
   bool bExist = false;
   while(dr.Read())
   {
    bExist = true;
   }
   if(bExist)
    lbMsg.Text = "您好!"+tbName.Text; // user input rendered without HTML encoding
   else
    lbMsg.Text = tbName.Text + "不能进入!"; // user input rendered without HTML encoding
   con.Close();
  }

表单身份验证（Forms Authentication）
<authentication mode="Forms">
     <forms name=".SecurityDemo" loginUrl="02login.aspx" />
</authentication>
<authentication mode="Windows" />   
<!--
授权 --> 
<authorization>
            <deny users="?"/>
            <allow roles="admins"/>
            <!-- 规则自上而下匹配，未命中的请求会落到机器级默认的 <allow users="*"/>，
                 因此已登录但不属于 admins 的用户仍会被放行；若只允许 admins，需在末尾加 <deny users="*"/> -->
</authorization>

 

  private void btnLoginBetter_Click(object sender, System.EventArgs e)
  {
   bool bExist = AuthenticateUser(tbName.Text,tbPass.Text);
   if(bExist)
   {
    //1) //
创建一个验证票据
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, tbName.Text,DateTime.Now,
     DateTime.Now.AddMinutes(30),PersistCookie.Checked,"User");
    //2) //
并且加密票据
    string cookieStr =  FormsAuthentication.Encrypt(ticket);
     //3)
创建cookie
    HttpCookie cookie =new HttpCookie(FormsAuthentication.FormsCookieName,cookieStr);
    if(PersistCookie.Checked) //
如果用户选择了保存密码
     cookie.Expires=ticket.Expiration;//
设置cookie有效期
    //cookie
存放路径
    cookie.Path = FormsAuthentication.FormsCookiePath;
                Response.Cookies.Add(cookie);
    // 4) do a redirect
    string strRedirect;
    strRedirect=Request["ReturnUrl"];
    if(strRedirect==null)
     strRedirect="default.aspx";
    Response.Redirect(strRedirect,true);
   }
   else
    Response.Write("<script language='javascript'>alert('
用户名称或密码错误!')</script>");
   
  }
  private bool ArraysEqual(byte[] array1,byte[] array2)
  {
   bool bResult = true;
   if(array1==null)
    throw new ArgumentNullException("array1");
   if(array2==null)
    throw new ArgumentNullException("array2");
   if(array1.Length == array2.Length)
   {
    for(int i=0;i<array1.Length;i++)
    {
     if(array1[i]!=array2[i])
     {
      bResult = false;
      break;
     }
    }
   }
   return bResult;
  }
  // Looks up the stored password hash and salt for an account through the
  // sp_getuserdetails stored procedure and compares a freshly computed hash of the
  // supplied password against it.
  // NOTE(review): the listing is truncated between com.ExecuteNonQuery() and
  // "byte[] digest = hashAlg.Hash;" — the code that reads the two output parameters,
  // declares bExist and hashBits, and feeds salt+password into hashAlg is missing,
  // so this block does not compile as shown.
  // Bug visible here: @acctname is filled from tbName.Text rather than the
  // strUserName argument, so neither strUserName nor strUserPass is used.
  private bool AuthenticateUser(string strUserName, string strUserPass)
  {
   SqlConnection con = new SqlConnection();
   con.ConnectionString = System.Configuration.ConfigurationSettings.AppSettings["DSN"];
   con.Open();
  
   // Stored procedure call: the account name is a bound parameter, hash and salt
   // come back as output parameters.
   string strSql = "sp_getuserdetails";
   SqlCommand com = new SqlCommand(strSql,con);
   com.CommandType = CommandType.StoredProcedure;
   SqlParameter sqlpUser = new SqlParameter("@acctname",SqlDbType.NVarChar,64);
   sqlpUser.Value = tbName.Text; // should be strUserName
   SqlParameter sqlpPasshash = new SqlParameter("@passhash",SqlDbType.NVarChar,50);
   sqlpPasshash.Direction = ParameterDirection.Output;
   SqlParameter sqlpPasssalt = new SqlParameter("@passsalt",SqlDbType.NVarChar,50);
   sqlpPasssalt.Direction = ParameterDirection.Output;
   com.Parameters.Add(sqlpUser);
   com.Parameters.Add(sqlpPasssalt);
   com.Parameters.Add(sqlpPasshash);
   com.ExecuteNonQuery();
   // ... listing truncated here: output parameters are read and hashAlg/hashBits/bExist are set up ...

    byte[] digest = hashAlg.Hash;
    // ArraysEqual is the byte-wise comparison of computed vs. stored hash.
    if (ArraysEqual(digest,hashBits))
     bExist = true;
    else
     bExist = false;
   }
   // Only reached on the happy path; an exception above leaves con open.
   con.Close();
   return bExist;
  }


  private void Page_Load(object sender, System.EventArgs e)
  {
   //noImpersonate();
   //ImpersonateIIS();
   ImpersonateUser();
 
  }
  private void noImpersonate()
  {
   try
   {
    if(File.Exists("c://Documents and Settings//shaozhidong//test.txt"))
     lbExist.Text = "存在!";
    else
     lbExist.Text = "该文件不存在!";
   }
   catch(Exception)
   {
    lbExist.Text = "没有权限!";
   }
  }
  // Impersonates the Windows identity IIS authenticated for this request.
  // NOTE(review): the listing is cut off after Impersonate() — the rest of the body
  // and the closing brace are missing. Whatever follows must call
  // impersonationContext.Undo() (ideally in a finally block) so the worker thread
  // reverts to the process identity once the impersonated work is done.
  private void ImpersonateIIS()
  {
   // Impersonate the IIS-authenticated account in code
   System.Security.Principal.WindowsImpersonationContext impersonationContext;
   impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();

 private void Page_Load(object sender, System.EventArgs e)
  {
   lbUser.Text = User.Identity.Name;
   if(User.IsInRole("Admin"))
    lbSf.Text = "Admin";
   else
    lbSf.Text = "User";
  }
  private void btnLogout_Click(object sender, System.EventArgs e)
  {
   FormsAuthentication.SignOut();//
注销
   Response.Redirect("login.aspx",true);
  }

存储密码
using System.Security.Cryptography;
using System.Text;
  private void Page_Load(object sender, System.EventArgs e)
  {
   lbRng.Text = BytesToHex(GetRandomBytes(8));
   System.Random r = new Random(100);
   lbRand.Text = r.Next().ToString();
  }
  private byte[] GetRandomBytes(int iByte)
  {
   RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
   byte[] randomData = new byte[iByte];
   rng.GetBytes(randomData);
   return randomData;
  }
  private string BytesToHex(byte[] byteArr)
  {
   StringBuilder sb = new StringBuilder(64);
   for(int i=0;i<byteArr.Length;i++)
    sb.AppendFormat("{0:X2}",byteArr[i]);
   return sb.ToString();
  }
