Java: Does using sha256 on a password passed to a servlet make it vulnerable to brute-force attacks?


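I have a simple login servlet, shown below. The username and password are passed to the servlet, and the MySQL database is checked to verify that the username and password exist. For security, I want to add a hash such as sha256 to the password, like this: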

st.executeQuery("select fname, lname, email from userAccount where Email='"+ email + "' and password='"+ sha256(pwd) + "'"); 
Does this make it vulnerable to dictionary or brute-force attacks?

import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.sql.*;

/**
 * Servlet implementation class loginServlet
*/
@WebServlet("/loginServlet")
public class loginServlet extends HttpServlet {

private static final long serialVersionUID = 1L;

/**
 * @see HttpServlet#HttpServlet()
 */
public loginServlet() {
    super();
    // TODO Auto-generated constructor stub
}

/**
 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
 * response)
 */
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // TODO Auto-generated method stub
}

/**
 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
 * response)
 */
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    HttpSession session = request.getSession();
    String email = request.getParameter("email");
    String pwd = request.getParameter("pass");
    try {
        Class.forName("com.mysql.jdbc.Driver");
        Connection con =
                DriverManager.getConnection("jdbc:mysql://localhost:3306/logindb",
                "root", "password");
        Statement st = con.createStatement();
        ResultSet rs;
        rs = st.executeQuery("select fname, lname, email from userAccount where Email='"
                + email + "' and password='" + pwd + "'");
        if (rs.next()) {
            session.setAttribute("email", email);
            session.setAttribute("Fullname", rs.getString(1) + " " + rs.getString(2));
            response.sendRedirect("success.jsp");
        } else {

            response.sendRedirect("fail.jsp");
        }
    } catch (Exception ssd) {
        System.out.println(ssd.getMessage());
    }
}
}

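Your code may be vulnerable to SQL injection attacks. There are also better choices for password hashing than SHA256. If you need security, use bcrypt or scrypt.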
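The login lookup with both points from the answer applied, as an added example that is not part of the original post: the e-mail is bound through a PreparedStatement instead of being concatenated into the query, and the password is checked against a per-user salted, deliberately slow hash. PBKDF2 from the JDK stands in here for bcrypt/scrypt, which need a third-party library; the class name, the `pwd_salt` and `pwd_hash` columns and the iteration count are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {
    static final int ITERATIONS = 210_000; // assumed work factor; tune to your hardware
    static final int KEY_BITS = 256;

    // Salted, slow hash. PBKDF2 is used because it ships with the JDK (swap-in for bcrypt/scrypt).
    static byte[] hash(char[] pwd, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pwd, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }

    // Fresh random salt, generated once per user at registration and stored beside the hash.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Returns the full name on success, null on failure.
    // pwd_salt and pwd_hash are hypothetical binary columns, not part of the original schema.
    static String login(Connection con, String email, char[] pwd) throws Exception {
        String sql = "select fname, lname, pwd_salt, pwd_hash from userAccount where Email = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, email); // bound parameter: the input never becomes SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null; // unknown e-mail
                byte[] actual = hash(pwd, rs.getBytes("pwd_salt"));
                // Compare in the application, in constant time, not in the WHERE clause.
                return MessageDigest.isEqual(rs.getBytes("pwd_hash"), actual)
                        ? rs.getString("fname") + " " + rs.getString("lname") : null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = newSalt();
        byte[] stored = hash("correct horse".toCharArray(), salt); // constructed sample password
        System.out.println(MessageDigest.isEqual(stored, hash("correct horse".toCharArray(), salt)));
        System.out.println(MessageDigest.isEqual(stored, hash("guess123".toCharArray(), salt)));
    }
}
```

`main` exercises only the hashing and comparison, so it runs without a database; `login` needs a JDBC connection to a table that has the two assumed columns.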