我在应用程序的后端创建了以下WebMethod,用户通过前端登录。
[WebMethod]
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select * from login where userName='" + userName + "' and password ='" + password + "'", connect);
command.CommandType = CommandType.Text;
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = command;
DataSet NSNSet = new DataSet();
adapter.Fill(NSNSet);
string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();
int userID = System.Convert.ToInt16(NSNSet.Tables[0].Rows[0]["UID"].ToString());
return username + "," + userID;
}
目前,我有错误处理状态 -
catch(Exception ex)
{
string error = System.Convert.ToString(ex);
if (error.Contains("There is no row at position 0"))
{
status.Text = "Incorrect Username/Password combination";
}
}
这样可以正常工作,但是我怎么能避开我的代码,以便它带来更具体的错误,即说明userName或password具体是不正确的?
答案 0 :(得分:3)
不要泄露太多细节,只是给出一个简单的登录错误信息,但不要说用户名不正确或密码不正确,导致黑客可以使用该信息
一个简单的文字说登录失败应该没问题
答案 1 :(得分:2)
你应该这样做:
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect);
command.CommandType = CommandType.Text;
//to avoid sql injection
command.Parameters.Add(userName);
command.Parameters.Add(password);
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = command;
DataSet NSNSet = new DataSet();
adapter.Fill(NSNSet);
if (NSNSet.Tables[0].Rows.Count == 0)
return "Access denied";
string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();
int userID = int.Parse(NSNSet.Tables[0].Rows[0]["UID"].ToString());
return username + "," + userID;
}
或者更好的方法,使用DataReader提高性能:
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect);
command.CommandType = CommandType.Text;
//to avoid sql injection
command.Parameters.Add(userName);
command.Parameters.Add(password);
OleDbDataReader reader=command.ExecuteReader();
if (reader.Read())
{
//that means there's at least one row
string username = reader["firstName"] + " " + reader["lastName"];
int userID = int.Parse(reader["UID"].ToString());
return username + "," + userID;
}
else
{
//no combination username-password found
return "Access denied";
}
}
答案 2 :(得分:1)
首先,此代码对SQL注入开放。其次,如果你想知道哪个元素不正确,你必须将你的查询分解为两个组件(即分别查询用户名和密码)
答案 3 :(得分:1)
您可以稍微改变一下选择查询:
"select * from login where userName='"+userName+"'";
如果DataSet中没有行,则写入
Invalid UserName
如果用户存在,则检查密码是否匹配,如果不匹配则写入
Invalid Password