将数据行转换为字符串转换vb.net 2010

时间:2014-01-09 12:06:45

标签: database vb.net string row

如何将行数据转换为字符串或文本并将其显示为标签?我的问题是,当我点击我的登录按钮,其中包含将行数据存入alabel的SQL代码时,我的标签中的结果为false。不是文字。如何将其转换为字符串?

这是我的代码:

Private Sub cmdLog_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdLog.Click
        Dim connection As New SqlClient.SqlConnection
        Dim command As New SqlClient.SqlCommand
        Dim adaptor As New SqlClient.SqlDataAdapter
        Dim dataset As New DataSet
        Dim reader As MySqlDataReader = Nothing
        Dim sapi
        sapi = CreateObject("sapi.spvoice")

        connection.ConnectionString = ("Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Calupad\Desktop\HTF feat Yiyet\HTF feat Yiyet\Database1.mdf;Integrated Security=True;User Instance=True")
        command.CommandText = "SELECT * FROM [Users] WHERE Username='" & txtUser.Text & "' AND Password ='" & txtPass.Text & "';"
        txtWel.Text = "Welcome Back, " + txtUser.Text + "!....."


        connection.Open()
        command.Connection = connection
        adaptor.SelectCommand = command
        adaptor.Fill(dataset, "0")

        txtStat.text = command.CommandText = "SELECT Status FROM [Users] WHERE Username = '" & txtUser.Text & "' ".ToString

        txtStat.Text = stat
                Dim count = dataset.Tables(0).Rows.Count
        If count > 0 Then

            MsgBox("Login Successful!" & vbNewLine & txtStat.Text, MsgBoxStyle.Information, "Access Granted")
            sapi.speak(txtWel.Text)
            Me.Hide()
            Form1.Show()
            frmMenu.Show()
            txtUser.Clear()
            txtPass.Clear()
            tries = 3
        Else
            ctr = tries - 1
            tries = ctr
            sapi.speak(txtUser.Text + txtNot.Text)
            MsgBox("Invalid Account!" + vbNewLine + "Attempts Remaining: " & tries, vbCritical, "Access Denied")
            txtUser.Clear()
            txtPass.Clear()
            If tries = 0 Then
                MsgBox("You've reached the maximum attempts!" + vbNewLine + "The program will be terminated.", vbCritical, "Terminated!")
                Me.Close()
            End If
        End If
    End Sub

1 个答案:

答案 0 :(得分:1)

首先,检查用户名和密码的方式很弱,而且对于SQL注入来说,这肯定是可以确定的。您正在检查行的“计数”是否大于零然后用户已成功登录,您应该只将count与1进行比较,而不是计算行数,尝试将行值与用户在用户名和密码字段中输入的内容以及从数据库行返回的内容。

“黑客”只需键入此内容即可根据您的代码逻辑登录:

SQL INJECTION

您只需要检索存储在使用适配器填充的dataset变量中的数据。

假设您的数据库表包含First_Name和“Last_Name”等字段,以下是如何在表单上的任何标签控件上显示它们的方法:

adaptor.Fill(dataset, "0")
myFirstName.Text = dataset.Tables(0).Rows(0).Item("First_Name").ToString()
myLastName.Text = dataset.Tables(0).Rows(0).Item("First_Name").ToString()

您也可以检索列而不必像这样知道其名称

myLabel.text = = dataset.Tables(0).Rows(0).Item(3).ToString() 
    'This will retrieve the 4th column from the table (zero based array)

您还可以通过声明一个变量来保存检索到的表来清理代码

adaptor.Fill(dataset, "0")
Dim myTable as DataTable = dataset.Tables(0)
myFirstName.Text = myTable.Rows(0).Item(0).ToString()

希望这有帮助

相关问题
最新问题