Error when converting from Base-64 string

I'm trying to encrypt and decrypt a password stored in SQL. When decoding I get the error: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. At System.Convert.FromBase64_Decode.

Decryption code:

string userEmail = Email1.Text;
string userPass = passW.Text;
SqlConnection sqlcon = new SqlConnection("My connection");
string query = "Select * from users Where email= '" + userEmail + "'";
SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if (dtbl.Rows.Count == 1)
{
    string savedPasswordHash = dtbl.Rows[0][1].ToString();
    savedPasswordHash.Replace("-", ""); // return value is discarded; strings are immutable, so savedPasswordHash is unchanged
    byte[] hashBytes = Convert.FromBase64String(savedPasswordHash);
    byte[] salt = new byte[16];
    Array.Copy(hashBytes, salt, 16);    // first 16 bytes are the salt
    var pbkdf2 = new Rfc2898DeriveBytes(userPass, salt, 10000); // re-derive with the stored salt
    byte[] hash = pbkdf2.GetBytes(20);
    int ok = 1;
    for (int i = 0; i < 20; i++)
        if (hashBytes[i + 16] != hash[i]) // remaining 20 bytes are the hash
            ok = 0;
    if (ok == 1) //good creds & redirect

Encryption code:

byte[] salt1;
new RNGCryptoServiceProvider().GetBytes(salt1 = new byte[16]);
var pbkdf21 = new Rfc2898DeriveBytes(EmailTextBox.Text, salt1, 10000); // derives from the email text box value

byte[] hash1 = pbkdf21.GetBytes(20);
byte[] hashBytes1 = new byte[36];

Array.Copy(salt1, hashBytes1, 16);          // salt in bytes 0..15
Array.Copy(hash1, 0, hashBytes1, 16, 20);   // hash in bytes 16..35

string savedPasswordHash1 = Convert.ToBase64String(hashBytes1);
string commString = $"UPDATE users SET NewPassword = ('{savedPasswordHash1}') where Email = ('{email2}')";
using (SqlConnection connect = new SqlConnection(constring))
{
    using (SqlCommand comm = new SqlCommand())
    {
        comm.Connection = connect;
        comm.CommandText = commString;
        connect.Open();
        comm.ExecuteNonQuery();
        connect.Close();
    }
}

The column's data type is nvarchar.

nancy8888521 answered: Error when converting from Base-64 string

OK, the problem is in your SQL code. You should never add values to a query like that. It poses a huge risk of SQL injection attacks, as well as the problem you're facing.

A base64 string can contain characters that are not meant to be used in a query string.

So change the encryption to something like this:

string commString = "UPDATE users SET NewPassword = @PasswordHash where Email = @Email";
using (SqlConnection connect = new SqlConnection(constring))
{
    using (SqlCommand comm = new SqlCommand())
    {
        comm.Connection = connect;
        comm.CommandText = commString;
        comm.Parameters.AddWithValue("PasswordHash",savedPasswordHash1);
        comm.Parameters.AddWithValue("Email",email2);
        connect.Open();
        comm.ExecuteNonQuery();
        connect.Close();
    } 
}

You could also simplify the creation of the command, but I didn't want to change two things at once. You can fix that later.

-EDIT-

After some back and forth, it is clear that the problem is in the decryption, not the encryption part. Do what I said above anyway, otherwise your code is seriously dangerous.

string savedPasswordHash = dtbl.Rows[0][27].ToString(); //Change 1 to 27

Also remove the next line

//savedPasswordHash.Replace("-",""); (Remove)
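
As an added example that is neither the asker's nor the answerer's code: the same salt-plus-PBKDF2 layout written end to end, with parameterized SQL on both the write and the read, the hash column read by name instead of by ordinal (the ordinal lookup was the cause of the Base-64 error above), a FormatException on decode treated as a failed login rather than a crash, and a fixed-time comparison of the 20 hash bytes. It assumes a users table with nvarchar columns Email and NewPassword and a connection string in constring, as in the question; the class and method names are my own.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not the asker's or answerer's code.
// Assumes: users(Email nvarchar, NewPassword nvarchar); constring holds the connection string.
static class PasswordStore
{
    const int SaltSize = 16, HashSize = 20, Iterations = 10000;

    // Layout matches the question: salt (16 bytes) || PBKDF2(password, salt) (20 bytes), Base64-encoded.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] hash;
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = pbkdf2.GetBytes(HashSize);

        byte[] combined = new byte[SaltSize + HashSize];
        Array.Copy(salt, 0, combined, 0, SaltSize);
        Array.Copy(hash, 0, combined, SaltSize, HashSize); // all five Array.Copy arguments spelled out
        return Convert.ToBase64String(combined);           // 36 bytes -> 48 Base64 characters
    }

    public static bool VerifyPassword(string password, string stored)
    {
        byte[] combined;
        try { combined = Convert.FromBase64String(stored); }
        catch (FormatException) { return false; }          // malformed column value: deny, do not crash
        if (combined.Length != SaltSize + HashSize) return false;

        byte[] salt = new byte[SaltSize];
        Array.Copy(combined, 0, salt, 0, SaltSize);

        byte[] expected;
        using (var pbkdf2 = new Rfc2898DeriveBytes(password, salt, Iterations)) // same salt, same iterations
            expected = pbkdf2.GetBytes(HashSize);

        // Fixed-time compare: look at every byte, never exit early on the first mismatch.
        int diff = 0;
        for (int i = 0; i < HashSize; i++)
            diff |= combined[SaltSize + i] ^ expected[i];
        return diff == 0;
    }

    // Write path: values go in as typed parameters, never concatenated into the SQL text.
    public static void SavePassword(string constring, string email, string password)
    {
        using (var connect = new SqlConnection(constring))
        using (var comm = new SqlCommand(
            "UPDATE users SET NewPassword = @PasswordHash WHERE Email = @Email", connect))
        {
            comm.Parameters.Add("@PasswordHash", SqlDbType.NVarChar, 64).Value = HashPassword(password);
            comm.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            connect.Open();
            comm.ExecuteNonQuery();
        }
    }

    // Read path: select the one column by name, so the column order of the table no longer matters.
    public static bool CheckLogin(string constring, string email, string password)
    {
        using (var connect = new SqlConnection(constring))
        using (var comm = new SqlCommand(
            "SELECT NewPassword FROM users WHERE Email = @Email", connect))
        {
            comm.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            connect.Open();
            object stored = comm.ExecuteScalar(); // null when no row, DBNull when the column is NULL
            return stored is string s && VerifyPassword(password, s);
        }
    }
}
```

Parameters are added with Add and an explicit SqlDbType rather than AddWithValue so the server sees the nvarchar type and length the column actually has; a 36-byte salt-plus-hash encodes to 48 Base64 characters, so the 64-character parameter length leaves room without being open-ended.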

Article link: https://www.f2er.com/3135491.html