为确保数据安全性，查询语句中应尽量使用参数。
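// Parameterized login check: the user's input is bound to @username/@userpass and
// is never spliced into the SQL text (the concatenated variant below shows what this
// protects against). The original excerpt had this signature commented out.
private void btnLoginBetter_Click(object sender, System.EventArgs e)
{
    // Demo-only: compares the stored password directly. The "存储密码" section
    // further down shows the salted-hash storage that real code should use.
    string strSql = "select UserName,UserPass from tbUserInfo where UserName=@username and UserPass=@userpass";
    bool bExist = false;
    // using blocks release the connection, command and reader even when the query throws.
    using (SqlConnection con = new SqlConnection())
    {
        con.ConnectionString = System.Configuration.ConfigurationSettings.AppSettings["DSN"];
        con.Open();
        using (SqlCommand com = new SqlCommand(strSql, con))
        {
            SqlParameter sqlpUser = new SqlParameter("@username", SqlDbType.NVarChar, 30);
            sqlpUser.Value = tbName.Text;
            SqlParameter sqlpPass = new SqlParameter("@userpass", SqlDbType.NVarChar, 30);
            sqlpPass.Value = tbPass.Text;
            com.Parameters.Add(sqlpUser);
            com.Parameters.Add(sqlpPass);
            using (SqlDataReader dr = com.ExecuteReader())
            {
                // one matching row is enough; there is no need to drain the reader
                bExist = dr.Read();
            }
        }
    }
    // Shows the SQL template only (placeholders, no user input) — demo diagnostics.
    lbDiag.Text = strSql;
    if (bExist)
        lbMsg.Text = "您好!" + Server.HtmlEncode(tbName.Text);
    else
        lbMsg.Text = Server.HtmlEncode(tbName.Text) + "不能进入!";
}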
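// Login check rewritten to bind the user's input as parameters. The original built
// the WHERE clause by concatenating tbName.Text / tbPass.Text into the SQL text, which
// let the input alter the query (SQL injection), and it wrote the raw name into lbMsg
// without HTML encoding.
private void btnLogin_Click(object sender, System.EventArgs e)
{
    string strSql = "select UserName,UserPass from tbUserInfo where UserName=@username and UserPass=@userpass";
    bool bExist = false;
    // using blocks release the connection, command and reader on every path.
    using (SqlConnection con = new SqlConnection())
    {
        con.ConnectionString = System.Configuration.ConfigurationSettings.AppSettings["DSN"];
        con.Open();
        using (SqlCommand com = new SqlCommand(strSql, con))
        {
            // Add() returns the parameter it added, so the value can be set inline.
            com.Parameters.Add(new SqlParameter("@username", SqlDbType.NVarChar, 30)).Value = tbName.Text;
            com.Parameters.Add(new SqlParameter("@userpass", SqlDbType.NVarChar, 30)).Value = tbPass.Text;
            using (SqlDataReader dr = com.ExecuteReader())
            {
                // any row means the credentials matched
                bExist = dr.Read();
            }
        }
    }
    // The template (placeholders only) contains no user input and is safe to display.
    lbDiag.Text = strSql;
    if (bExist)
        lbMsg.Text = "您好!" + Server.HtmlEncode(tbName.Text);
    else
        lbMsg.Text = Server.HtmlEncode(tbName.Text) + "不能进入!";
}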
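<!-- Forms authentication: unauthenticated requests are redirected to 02login.aspx.
     mode="Forms" is required; without it the default (Windows) mode stays in effect
     and the <forms> element has no effect. -->
<authentication mode="Forms">
  <forms name=".SecurityDemo" loginUrl="02login.aspx" >
  </forms>
</authentication>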
<!-- Alternative to the forms snippet above: Windows (IIS) authentication. -->
<authentication mode="Windows" />
<!-- Authorization. Rules are evaluated in order, first match wins:
     anonymous users ("?") are denied, members of "admins" are allowed explicitly.
     NOTE(review): authenticated users who are not in "admins" match neither rule and
     fall through to the inherited default (allow all); if only admins should pass,
     a <deny users="*"/> after the allow is needed. -->
<authorization>
<deny users="?"/>
<allow roles="admins"/>
</authorization>
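// Forms-authentication login: verifies the credentials, issues an encrypted ticket
// cookie and returns the user to the page that sent them here.
private void btnLoginBetter_Click(object sender, System.EventArgs e)
{
    bool bExist = AuthenticateUser(tbName.Text, tbPass.Text);
    if (bExist)
    {
        // 1) create the authentication ticket: version 1, 30-minute lifetime,
        //    persistence as chosen by the user, "User" as the user-data string
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, tbName.Text, DateTime.Now,
            DateTime.Now.AddMinutes(30), PersistCookie.Checked, "User");
        // 2) encrypt the ticket
        string cookieStr = FormsAuthentication.Encrypt(ticket);
        // 3) create the cookie that carries the ticket
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieStr);
        if (PersistCookie.Checked) // the user asked to stay signed in
            cookie.Expires = ticket.Expiration; // cookie outlives the browser session
        cookie.Path = FormsAuthentication.FormsCookiePath;
        // keep the ticket out of reach of page scripts
        cookie.HttpOnly = true;
        Response.Cookies.Add(cookie);
        // 4) redirect. ReturnUrl comes straight from the request, so only a path inside
        //    this site is honoured; anything else (or none) goes to default.aspx.
        string strRedirect = Request["ReturnUrl"];
        if (!IsLocalReturnUrl(strRedirect))
            strRedirect = "default.aspx";
        Response.Redirect(strRedirect, true);
    }
    else
        Response.Write("<script language='javascript'>alert('用户名称或密码错误!')</script>");
}

// True when url is a non-empty path on this site ("~/x", "/x" or "x.aspx"); false for
// absolute ("http://..."), scheme-prefixed or protocol-relative ("//host") values.
private static bool IsLocalReturnUrl(string url)
{
    if (url == null || url.Length == 0)
        return false;
    if (url.Length >= 2 && url[0] == '~' && url[1] == '/')
        return true;
    char first = url[0];
    if (first == '\\')
        return false;
    if (first == '/')
    {
        // "//host" and "/\host" are treated by browsers as protocol-relative, i.e. off-site
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
    // plain relative path; a ':' would indicate a scheme, so be conservative and reject it
    return url.IndexOf(':') < 0;
}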
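// Compares two byte arrays (here: password digests) for equality. The loop runs over
// the whole array without an early exit, so the time taken depends only on the length
// and not on where the first differing byte is.
// Returns true when both arrays have the same length and contents.
// Throws ArgumentNullException when either array is null.
private bool ArraysEqual(byte[] array1, byte[] array2)
{
    if (array1 == null)
        throw new ArgumentNullException("array1");
    if (array2 == null)
        throw new ArgumentNullException("array2");
    // Previously arrays of different length fell through with the result still true.
    if (array1.Length != array2.Length)
        return false;
    int diff = 0;
    for (int i = 0; i < array1.Length; i++)
        diff |= array1[i] ^ array2[i];
    return diff == 0;
}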
// Looks up the account's stored password hash and salt through the sp_getuserdetails
// stored procedure and compares a recomputed digest against the stored one.
// Returns true when the digests match.
// NOTE(review): this excerpt is incomplete — bExist, hashAlg and hashBits are used
// below but never declared here, and the lines that read the output parameters and
// compute the digest (presumably over salt + strUserPass) are missing between
// ExecuteNonQuery() and the comparison.
private bool AuthenticateUser(string strUserName, string strUserPass)
{
SqlConnection con = new SqlConnection();
con.ConnectionString = System.Configuration.ConfigurationSettings.AppSettings["DSN"];
con.Open();
string strSql = "sp_getuserdetails";
SqlCommand com = new SqlCommand(strSql,con);
com.CommandType = CommandType.StoredProcedure;
SqlParameter sqlpUser = new SqlParameter("@acctname",SqlDbType.NVarChar,64);
// BUG: binds the form control instead of the strUserName parameter, so the value
// passed in is ignored (the two only coincide for this page's own login button).
sqlpUser.Value = tbName.Text;
// Output parameters: the procedure hands back the stored hash and salt.
SqlParameter sqlpPasshash = new SqlParameter("@passhash",SqlDbType.NVarChar,50);
sqlpPasshash.Direction = ParameterDirection.Output;
SqlParameter sqlpPasssalt = new SqlParameter("@passsalt",SqlDbType.NVarChar,50);
sqlpPasssalt.Direction = ParameterDirection.Output;
com.Parameters.Add(sqlpUser);
com.Parameters.Add(sqlpPasssalt);
com.Parameters.Add(sqlpPasshash);
com.ExecuteNonQuery();
// [missing in this excerpt: reading sqlpPasshash/sqlpPasssalt, building hashAlg,
//  decoding the stored hash into hashBits, and the if/else that the '}' below closes]
byte[] digest = hashAlg.Hash;
// ArraysEqual (defined above) performs the digest comparison.
if (ArraysEqual(digest,hashBits))
bExist = true;
else
bExist = false;
// closes a block whose opening line is not present in this excerpt
}
// NOTE(review): con.Close() is skipped if anything above throws; a using block
// around the connection would release it on every path.
con.Close();
return bExist;
}
// Page_Load for the impersonation demo: runs the "impersonate a specific user"
// variant. The other two variants are kept here for quick switching.
private void Page_Load(object sender, System.EventArgs e)
{
    // alternatives: noImpersonate(); ImpersonateIIS();
    ImpersonateUser();
}
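// Probes a file under the identity the worker process currently runs as (no
// impersonation) and reports whether it could be opened.
private void noImpersonate()
{
    // File.Exists() returns false both when the file is missing and when the caller
    // lacks permission, so the original catch branch could never be reached; actually
    // opening the file is what distinguishes "missing" from "access denied".
    // The path is the demo author's test file, reproduced as written.
    const string path = "c://Documents and Settings//shaozhidong//test.txt";
    try
    {
        using (FileStream fs = File.OpenRead(path))
        {
            lbExist.Text = "存在!";
        }
    }
    catch (FileNotFoundException)
    {
        lbExist.Text = "该文件不存在!";
    }
    catch (DirectoryNotFoundException)
    {
        lbExist.Text = "该文件不存在!";
    }
    catch (UnauthorizedAccessException)
    {
        lbExist.Text = "没有权限!";
    }
    catch (Exception)
    {
        // keep the original best-effort fallback for any other failure
        lbExist.Text = "没有权限!";
    }
}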
// Impersonates the IIS-authenticated caller in code.
// NOTE(review): the excerpt ends here — the work done while impersonating, the
// impersonationContext.Undo() that reverts it, and the closing brace are missing.
private void ImpersonateIIS()
{
// The cast requires Windows authentication (User.Identity must be a WindowsIdentity).
System.Security.Principal.WindowsImpersonationContext impersonationContext;
impersonationContext = ((System.Security.Principal.WindowsIdentity)User.Identity).Impersonate();
// Shows the authenticated user's name and whether they hold the "Admin" role.
private void Page_Load(object sender, System.EventArgs e)
{
    lbUser.Text = User.Identity.Name;
    lbSf.Text = User.IsInRole("Admin") ? "Admin" : "User";
}
// Removes the forms-authentication cookie and sends the user back to the login page.
private void btnLogout_Click(object sender, System.EventArgs e)
{
    FormsAuthentication.SignOut();
    // endResponse = true: nothing after the redirect runs for this request
    Response.Redirect("login.aspx", true);
}
存储密码
using System.Security.Cryptography;
using System.Text;
// Side-by-side demo: 8 bytes from the cryptographic RNG versus a System.Random
// seeded with the constant 100 (which yields the same sequence on every load).
private void Page_Load(object sender, System.EventArgs e)
{
    byte[] rngBytes = GetRandomBytes(8);
    lbRng.Text = BytesToHex(rngBytes);
    Random seeded = new Random(100);
    lbRand.Text = seeded.Next().ToString();
}
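// Returns iByte cryptographically strong random bytes (suitable for salts and tokens,
// unlike System.Random).
// Throws ArgumentOutOfRangeException when iByte is negative.
private byte[] GetRandomBytes(int iByte)
{
    if (iByte < 0)
        throw new ArgumentOutOfRangeException("iByte");
    byte[] randomData = new byte[iByte];
    // RandomNumberGenerator is IDisposable; release it once the bytes are filled.
    using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(randomData);
    }
    return randomData;
}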
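// Renders a byte array as upper-case hex, two characters per byte, no separators.
// Throws ArgumentNullException when byteArr is null (previously a NullReferenceException).
private string BytesToHex(byte[] byteArr)
{
    if (byteArr == null)
        throw new ArgumentNullException("byteArr");
    // BitConverter yields "00-FF-10"; dropping the dashes gives the same output as the
    // former "{0:X2}" loop.
    return BitConverter.ToString(byteArr).Replace("-", "");
}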