私のプロジェクトでは、ログイン後のユーザーは、ログイン時にデフォルトのパスワードを変更する必要があり、そのパスワードはデータベースに保存されます。パスワードの変更ページでユーザーが入力したパスワードを暗号化し、データベースに保存します。そのユーザーの再ログイン ログインページに入力したパスワードを暗号化し、データベースに保存されたパスワードで確認するか、復号化のために暗号化されたパスワードを取得し、入力したパスワードで復号化されたパスワードを確認したい パスワードコードの変更を行うにはどうすればよいですかは、
SqlConnection con = new SqlConnection(@"Data Source=ESLHPC17\SQL2008;Initial Catalog=Eval;User ID=;Password=");
try
{
string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
string qry = "Select Password from passtable";
SqlCommand cmd = new SqlCommand(Qry, con);
SqlCommand cmd1 = new SqlCommand(qry, con);
con.Open();
SqlDataAdapter da = new SqlDataAdapter(cmd);
SqlDataAdapter daa = new SqlDataAdapter(cmd1);
DataTable dt = new DataTable();
DataTable dtt = new DataTable();
da.Fill(dt);
daa.Fill(dtt);
if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
{
string strqry = "Update Passtable Set Password='" + EncryptString(NewPassword.Text) + "'";
SqlCommand comd = new SqlCommand(strqry, con);
comd.ExecuteNonQuery();
Label1.Visible = true;
Button1.Visible = true;
ChangeButton.Enabled = false;
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "Current Password and Entered Password did not Match !!!";
}
}
finally
{
con.Close();
con.Dispose();
}
SQL INJECTION 検出を含む編集済みコード
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["EvalCon"].ConnectionString))
{
try
{
string Qry = "Select Password from passtable where Password='" + CurrentPassword.Text + "'";
string qry = "Select Password from passtable";
if (CurrentPassword.Text != "Select" && CurrentPassword.Text != "Create Table" && CurrentPassword.Text != "Update" && CurrentPassword.Text != "Delete" && CurrentPassword.Text != "Truncate" && CurrentPassword.Text != "Drop Table" && CurrentPassword.Text != "Insert" && CurrentPassword.Text != "@")
{
if (NewPassword.Text != "Select" && NewPassword.Text != "Create Table" && NewPassword.Text != "Update" && NewPassword.Text != "Delete" && NewPassword.Text != "Truncate" && NewPassword.Text != "Drop Table" && NewPassword.Text != "Insert" && NewPassword.Text != "@")
{
using (SqlCommand cmd = new SqlCommand(Qry, con))
{
using (SqlCommand cmd1 = new SqlCommand(qry, con))
{
con.Open();
SqlDataAdapter da = new SqlDataAdapter(cmd);
SqlDataAdapter daa = new SqlDataAdapter(cmd1);
DataTable dt = new DataTable();
DataTable dtt = new DataTable();
da.Fill(dt);
daa.Fill(dtt);
if (dtt.Rows[0]["Password"].ToString() == CurrentPassword.Text)
{
string strqry = "Update Passtable Set Password='" + NewPassword.Text + "'";
SqlCommand comd = new SqlCommand(strqry, con);
comd.ExecuteScalar()
Label1.Visible = true;
Button1.Visible = true;
ChangeButton.Enabled = false;
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "Current Password and Entered Password did not Match !!!";
}
}
}
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
CurrentPassword.Enabled = false;
NewPassword.Enabled = false;
ConfirmNewPassword.Enabled = false;
}
}
else
{
lblMessage.Visible = true;
lblMessage.ForeColor = System.Drawing.Color.Red;
lblMessage.Text = "SQL INJECTION Breach you Can't Continue!!!";
CurrentPassword.Enabled = false;
NewPassword.Enabled = false;
ConfirmNewPassword.Enabled = false;
}
}
finally
{
con.Close();
con.Dispose();
}
}