Java: does using sha256 on a password passed to a servlet make it vulnerable to brute-force attacks?
I have a simple login servlet, shown below. The username and password are passed to the servlet, and a MySQL database is checked to verify whether the username and password are valid. For security, I want to add a hash such as sha256 to the password, like this:
st.executeQuery("select fname, lname, email from userAccount where Email='"+ email + "' and password='"+ sha256(pwd) + "'");
Does this make it vulnerable to dictionary attacks or brute-force attacks?
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.sql.*;

/**
 * Servlet implementation class loginServlet
 */
@WebServlet("/loginServlet")
public class loginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public loginServlet() {
        super();
        // TODO Auto-generated constructor stub
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        HttpSession session = request.getSession();
        String email = request.getParameter("email");
        String pwd = request.getParameter("pass");
        try {
            Class.forName("com.mysql.jdbc.Driver");
            Connection con =
                DriverManager.getConnection("jdbc:mysql://localhost:3306/logindb",
                    "root", "password");
            Statement st = con.createStatement();
            ResultSet rs;
            // Request parameters are concatenated straight into the SQL text here;
            // this is the string-building pattern the question asks about.
            rs = st.executeQuery("select fname, lname, email from userAccount where Email='"
                + email + "' and password='" + pwd + "'");
            if (rs.next()) {
                session.setAttribute("email", email);
                session.setAttribute("Fullname", rs.getString(1) + " " + rs.getString(2));
                response.sendRedirect("success.jsp");
            } else {
                response.sendRedirect("fail.jsp");
            }
        } catch (Exception ssd) {
            System.out.println(ssd.getMessage());
        }
    }
}
Your code is probably vulnerable to SQL injection. There are also better choices for password hashing than SHA256. If you need security, use bcrypt or scrypt.
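The hardened form the answer points at, as an added example that is not code from the question or the answer: bound parameters instead of string concatenation, the password verified in Java rather than in the WHERE clause, and a salted slow hash (PBKDF2-HMAC-SHA256 from the JDK, standing in here for the bcrypt or scrypt the answer recommends). The columns pw_salt and pw_hash, the class name and the iteration count are assumptions.

```java
import java.security.*;
import java.security.spec.KeySpec;
import java.sql.*;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordLogin {
    // Assumed table: userAccount(email, fname, lname, pw_salt, pw_hash); password column removed.
    private static final int ITERATIONS = 310_000; // assumed work factor; tune to your hardware

    // Slow, salted hash (PBKDF2-HMAC-SHA256, JDK built-in); a fast hash like plain SHA-256
    // lets an attacker with the table test billions of guesses per second.
    static byte[] slowHash(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(spec).getEncoded();
    }

    // Registration: random per-user salt; store salt and hash (base64), never the password.
    static void storeUser(Connection con, String email, char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = slowHash(password, salt);
        try (PreparedStatement ps = con.prepareStatement(
                "insert into userAccount (email, pw_salt, pw_hash) values (?, ?, ?)")) {
            ps.setString(1, email);
            ps.setString(2, Base64.getEncoder().encodeToString(salt));
            ps.setString(3, Base64.getEncoder().encodeToString(hash));
            ps.executeUpdate();
        }
    }

    // Login: look up by email with a bound parameter (no SQL injection possible), then
    // compare hashes in constant time. Returns "fname lname" on success, null otherwise.
    static String verifyLogin(Connection con, String email, char[] password) throws Exception {
        try (PreparedStatement ps = con.prepareStatement(
                "select fname, lname, pw_salt, pw_hash from userAccount where email = ?")) {
            ps.setString(1, email); // bound value, never part of the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                byte[] salt = Base64.getDecoder().decode(rs.getString("pw_salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pw_hash"));
                byte[] computed = slowHash(password, salt);
                return MessageDigest.isEqual(stored, computed)
                        ? rs.getString("fname") + " " + rs.getString("lname") : null;
            }
        }
    }
}
```

In the servlet, `verifyLogin(con, email, pwd.toCharArray())` replaces the concatenated query, and a null result sends the user to fail.jsp.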