A simple login and registration with back-end database interaction [SQL injection handling and MD5 encryption], sqlmd5


I. Tools
Visual Studio 2013 [I happen to use 2013 at the moment; use whichever version you like.]
SQL Server 2008 [an upgrade has been pending for a long time]

II. Languages Used

HTML + CSS + jQuery + Ajax + SQL Server

HTML [equivalent to a person]

CSS [the clothes]

jQuery [a person needs to perform actions; jQuery is a wrapper around commonly used JS methods]

Ajax [establishes the interaction between the front-end page and the database]
SQL Server [the database]

III. Process
Part of the HTML code:

<body>
  <div id="header">
    <div id="header_con">
      <a href="javascript:;" onclick="showRegBox()">Register</a>
      <a href="javascript:;" onclick="ShowLoginBox()">Logon</a>
    </div>
  </div>
  <div id="loginBox">
    <div class="login_Item"><input type="text" id="TxtUserName" placeholder="Mobile phone / mailbox / user name" /></div>
    <div class="login_Item"><input type="password" id="TxtPwd" placeholder="Enter the password" /></div>
    <div class="login_Item"><a href="javascript:;" onclick="login()">Logon</a></div>
  </div>
  <div id="Regbox">
    <div class="login_Item"><input type="text" id="TxtRegUserName" placeholder="Mobile phone / mailbox / user name" /></div>
    <div class="login_Item"><input type="password" id="TxtRegPwd" placeholder="Enter the password" /></div>
    <div class="login_Item"><input type="text" id="TxtRegqq" placeholder="QQ" /></div>
    <div class="login_Item"><input type="text" id="TxtRegEmail" placeholder="Email" /></div>
    <div class="login_Item"><a href="javascript:;" onclick="Reglogin()">Register</a></div>
  </div>
</body>

CSS code:

* { margin: 0px; padding: 0px; }
#header { height: 40px; width: 100%; background: #000000; }
a { text-decoration: none; }
#header a { float: right; color: #ffffff; line-height: 40px; margin-left: 10px; }
#header_con { width: 100%; /* placeholder: the original width value was garbled in the source */ margin: 0px auto; }
.login_Item { margin-left: 20px; }
.login_Item input { width: 348px; height: 40px; margin-top: 10px; border: solid 1px #04a6f9; }
.login_Item a { margin-top: 20px; width: 350px; height: 40px; display: block; background: #04a6f9; color: #ffffff; line-height: 40px; text-align: center; }
#loginBox { display: none; /* hidden state */ margin: 0px auto; }
#Regbox { display: none; }

JS code [the layer plug-in is used]:

/// <reference path="_references.js" />
/// <reference path="jquery.md5.js" />

function ShowLoginBox() {
    layer.open({
        type: 1,
        title: "User Login",
        // set the size of the div
        area: ["390px", "300px"],
        content: $("#loginBox")
    });
}

function login() {
    // 1. get the user name and password (the password is MD5-hashed on the client by jquery.md5)
    var username = $.trim($("#TxtUserName").val());
    var pwd = $.md5($.trim($("#TxtPwd").val()));
    // 2. check whether the user name or password is empty
    if (username == "" || pwd == "") {
        layer.alert("The user name or password cannot be empty!", { title: "Prompt:", icon: 5 });
    } else {
        $.post("/Handler1.ashx", { "UserName": username, "Pwd": pwd, "cmd": "login" }, function (data) {
            if (data == "Login successful") {
                layer.msg("Login successful!", { icon: 6 });
            } else {
                layer.msg("Incorrect user name or password", { icon: 5 });
            }
        });
    }
}

function showRegBox() {
    layer.open({
        type: 1,
        title: "Register",
        // size of the div
        area: ["390px", "350px"],
        content: $("#Regbox")
    });
}

function Reglogin() {
    // 1. get the form values
    var username = $.trim($("#TxtRegUserName").val());
    var pwd = $.md5($.trim($("#TxtRegPwd").val()));
    var qq = $.trim($("#TxtRegqq").val());
    var email = $.trim($("#TxtRegEmail").val());
    // 2. check for empty values
    if (username == "" || pwd == "") {
        layer.msg("The user name or password cannot be blank!");
    } else {
        // cmd is the identifier that tells the handler whether this is a registration or a login
        $.post("/Handler1.ashx", { "UserName": username, "Pwd": pwd, "qq": qq, "email": email, "cmd": "reg" }, function (data) {
            if (data == "registration successful") {
                layer.msg("Congratulations, registration successful!", { icon: 6 });
            } else {
                layer.msg(data, { icon: 5 });
            }
        });
    }
}

Ajax handler code (Handler1.ashx, C#; SqlHelper and Md5Class are the author's helper classes, not shown in the post):

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Data;
using System.Data.SqlClient;

namespace baidu20160707
{
    /// <summary>
    /// Summary of Handler1
    /// </summary>
    public class Handler1 : IHttpHandler
    {
        public HttpContext context;
        public string strResult = "";

        public void ProcessRequest(HttpContext context)
        {
            this.context = context;
            string cmd = context.Request.Form["cmd"];
            switch (cmd)
            {
                case "login": strResult = LoginAjax(); break;
                case "reg": strResult = RegAjax(); break;
            }
            context.Response.Write(strResult);
        }

        // login
        public string LoginAjax()
        {
            // 1. receive the user name and password (Form keys are case-insensitive, so "Pwd" posted by the page is found as "pwd")
            string username = context.Request.Form["username"];
            // call the class method: append the salt, then take the 32-character MD5 digest
            string pwd = Md5Class.GetMD5(context.Request.Form["pwd"] + "Dummies", 32);
            // check whether a matching id exists
            // string strsql = string.Format("select id from Users where UserName = '{0}' and Pwd = '{1}'", username, pwd);
            // SQL injection handling 1: pass @parameters instead; quotes and semicolons inside username/pwd no longer matter
            string strsql = "select id from Users where UserName = @UserName and Pwd = @Pwd";
            // SQL injection handling 2: build a SqlParameter[] array to carry the values
            SqlParameter[] paras = new SqlParameter[] {
                new SqlParameter("@UserName", SqlDbType.NVarChar),
                new SqlParameter("@Pwd", SqlDbType.NVarChar)
            };
            // SQL injection handling 3: assign the values
            paras[0].Value = username;
            paras[1].Value = pwd;
            // SQL injection handling 4: do not forget to pass the array in
            if (SqlHelper.Exists(strsql, paras))
            {
                // context.Response.Write("Login successful");
                return "Login successful";
            }
            else
            {
                // context.Response.Write("Incorrect user name or password");
                return "Incorrect user name or password";
            }
        }

        // register
        public string RegAjax()
        {
            // receive the posted user name and password
            string username = context.Request.Form["username"];
            string pwd = Md5Class.GetMD5(context.Request.Form["pwd"] + "Dummies", 32);
            string qq = context.Request.Form["qq"];
            string email = context.Request.Form["email"];
            // string strsql1 = string.Format("select id from Users where UserName = '{0}'", username);
            string strsql1 = "select id from Users where UserName = @UserName";
            SqlParameter[] paras1 = new SqlParameter[] {
                new SqlParameter("@UserName", SqlDbType.NVarChar)
            };
            paras1[0].Value = username;
            if (SqlHelper.Exists(strsql1, paras1))
            {
                return "This user name is already registered, please enter another";
            }
            else
            {
                // register if it does not exist
                // string strsql2 = string.Format("insert into Users (UserName, Pwd, QQ, eMail) values ('{0}', '{1}', '{2}', '{3}')", username, pwd, qq, email);
                string strsql2 = "insert into Users (UserName, Pwd, QQ, eMail) values (@UserName, @Pwd, @QQ, @eMail)";
                SqlParameter[] paras2 = new SqlParameter[] {
                    new SqlParameter("@UserName", SqlDbType.NVarChar),
                    new SqlParameter("@Pwd", SqlDbType.NVarChar),
                    new SqlParameter("@QQ", SqlDbType.NVarChar),
                    new SqlParameter("@eMail", SqlDbType.NVarChar)
                };
                paras2[0].Value = username;
                paras2[1].Value = pwd;
                paras2[2].Value = qq;
                paras2[3].Value = email;
                // insert
                if (SqlHelper.ExecuteNonQueryText(strsql2, paras2) > 0)
                {
                    return "registration successful";
                }
                else
                {
                    return "registration failed";
                }
            }
        }

        public bool IsReusable
        {
            get { return false; }
        }
    }
}

Effect: clicking Logon opens the login dialog box, and clicking Register opens the registration dialog box.

IV. MD5 Encryption Algorithm

MD5 encryption algorithm: in most cases the user's password is stored in the database. If no protective measure is taken, the password is saved in plaintext, and anyone who can query the database can easily obtain the users' credentials. To improve security, the data therefore needs to be encrypted. MD5 is a one-way hash algorithm commonly used for digital signatures. It processes the input in 512-bit blocks, each block divided into sixteen 32-bit words; after a series of rounds, four 32-bit state words are concatenated to produce a 128-bit hash value.

Effect of parsing the plain text before encryption:

Registration Information:

Suggestion: to solve this problem at the source, validate the input with a regular expression at the source and require a password that contains special characters.

Although MD5 is a one-way hash, it can still be cracked. Therefore we usually [apply MD5 twice and add a salt].
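The double-MD5-plus-salt scheme that the page's handler implements (the browser sends md5(password) via jquery.md5, the server stores md5(that + "Dummies")), as an added Python example that is not the post's own code: jquery.md5 and Md5Class are replaced by hashlib, and the 32 in GetMD5 is assumed to mean the 32-character hex digest. It also shows what a fixed application-wide salt implies: two users with the same password end up with the same stored value.

```python
import hashlib

SALT = "Dummies"  # the fixed application salt used in the post's handler


def md5_hex(s: str) -> str:
    """32-character hex MD5 digest, standing in for Md5Class.GetMD5(..., 32)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def client_side_hash(password: str) -> str:
    """What the page posts in the "Pwd" field: md5 of the trimmed password."""
    return md5_hex(password.strip())


def stored_hash(client_hash: str) -> str:
    """What the handler stores: md5(client hash + "Dummies")."""
    return md5_hex(client_hash + SALT)


def register(store: dict, username: str, password: str) -> bool:
    """Mirror RegAjax: refuse duplicates, otherwise store the salted double hash."""
    if username in store:
        return False
    store[username] = stored_hash(client_side_hash(password))
    return True


def login(store: dict, username: str, password: str) -> bool:
    """Mirror LoginAjax: recompute the salted double hash and compare."""
    return store.get(username) == stored_hash(client_side_hash(password))


if __name__ == "__main__":
    users = {}                      # constructed in-memory stand-in for the Users table
    register(users, "alice", "abc")
    register(users, "bob", "abc")   # same password as alice
    print(login(users, "alice", "abc"), login(users, "alice", "abd"))  # True False
    # with a fixed salt, identical passwords give identical stored values
    print(users["alice"] == users["bob"])                              # True
```

The equal stored values for alice and bob are the reason per-user random salts are normally used instead of a single fixed string.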

Effect with SQL injection handling, MD5 encryption and the salt added:

The data displayed in the database:

V. SQL Injection

SQL injection is an attack in which the attacker exploits the way the application builds its database queries to construct an always-true condition. At login in particular, special characters placed in the input become part of the SQL statement, so the attacker can access the site's data without a valid user name or password.

Details: http://www.cnblogs.com/wangwangwangMax/p/5551614.html
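An added example (not code from the post) that puts the handler's commented-out string.Format query beside its parameterized replacement and runs both against a constructed SQLite table standing in for the SQL Server Users table; sqlite3's ? placeholders play the role of the @UserName / @Pwd parameters:

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Users (id integer primary key, UserName text, Pwd text)")
    # one constructed account; Pwd holds the salted hash, as in the handler
    conn.execute("insert into Users (UserName, Pwd) values ('alice', 'f00d-constructed-hash')")
    conn.commit()
    return conn


def login_formatted(conn, username, pwd):
    """The commented-out variant from the handler: user input pasted into the SQL text."""
    sql = "select id from Users where UserName = '{0}' and Pwd = '{1}'".format(username, pwd)
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, pwd):
    """The handler's hardened variant: placeholders, values sent separately."""
    sql = "select id from Users where UserName = ? and Pwd = ?"
    return conn.execute(sql, (username, pwd)).fetchone() is not None


def compare(conn, username, pwd):
    """Return (formatted result, parameterized result) for one input pair."""
    try:
        formatted = login_formatted(conn, username, pwd)
    except sqlite3.OperationalError:
        formatted = "query broke"  # a stray quote made the pasted SQL unparsable
    return formatted, login_parameterized(conn, username, pwd)


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "f00d-constructed-hash"))  # (True, True)
    print(compare(db, "alice", "wrong"))                   # (False, False)
    print(compare(db, "o'brien", "x"))                     # ('query broke', False)
    # the "constant condition" from section V: only the formatted query is fooled
    print(compare(db, "' or '1'='1", "' or '1'='1"))       # (True, False)
```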

That is all for this article; I hope it is helpful for your learning.

Author: wangwangwangMax
