使用C#从Sql Server 2008获取数据

时间:2013-09-16 13:52:32

标签: c# sql winforms sql-server-2008

我正在尝试为Windows Forms Application项目创建一个登录工具。我正在使用Visual Studio 2010和MS Sql Server 2008。

我引用了这篇文章:  http://www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C

这是我的名为user的数据库表: enter image description here

我有TextBox1 用户名TextBox2 用户密码Button1 用于启动登录流程< / strong>即可。以下是Button1_Click方法的代码:

private void button1_Click(object sender, EventArgs e)
{
    string kullaniciAdi; // user name
    string sifre; // password

    SqlConnection myConn = new SqlConnection();
    myConn.ConnectionString = "Data Source=localhost; database=EKS; uid=sa; pwd=123; connection lifetime=20; connection timeout=25; packet size=1024;";
    myConn.Open();
    try 
    {
        SqlDataReader myReader;
        string myQuery = ("select u_password from user where u_name='" + textBox1.Text + "';");
        SqlCommand myCommand = new SqlCommand(myQuery,myConn);
        myReader = myCommand.ExecuteReader();
        while (myReader.Read())
        {
            sifre = myReader["u_password"].ToString();
        }
    }
    catch (Exception x) 
    {
        MessageBox.Show(x.ToString());
    }
    myConn.Close();
}

我对C#没有多少经验,但我认为我错过了一些小的做法。下面我分享了我捕获的异常消息。你能告诉我我错过了什么吗? (第33行是myReader = myCommand.ExecuteReader();

enter image description here

考虑到答案,我更新了我的try块,如下所示,但它仍然不起作用。

try
{
    SqlDataReader myReader;
    string myQuery = ("select u_password from [user] where u_name=@user");
    SqlCommand myCommand = new SqlCommand(myQuery, myConn);
    myCommand.Parameters.AddWithValue("@user", textBox1.Text);
    myReader = myCommand.ExecuteReader();
    while (myReader.Read())
    {
        sifre = myReader["u_password"].ToString();
    }

    if (textBox2.Text.Equals(sifre))
    {
        Form2 admnPnl = new Form2();
        admnPnl.Show();
    }
}

按照正弦的建议改变整个代码后,截图如下: 我认为,不知怎的,我无法将数据库中的密码分配给字符串sifre。

代码:

string sifre = "";
var builder = new SqlConnectionStringBuilder();
builder.DataSource = "localhost";
builder.InitialCatalog = "EKS";
builder.UserID = "sa";
builder.Password = "123";

using (var conn = new SqlConnection(builder.ToString()))
{
    using (var cmd = new SqlCommand())
    {
        cmd.Connection = conn;
        cmd.CommandText = "select u_password from [user] where u_name = @u_name";
        cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
        conn.Open();

        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                var tmp = reader["u_password"];
                if (tmp != DBNull.Value)
                {
                    sifre = reader["u_password"].ToString();
                }
            }

            if (textBox2.Text.Equals(sifre))
            {
                try
                {
                    AdminPanel admnPnl = new AdminPanel();
                    admnPnl.Show();
                }
                catch (Exception y)
                {
                    MessageBox.Show(y.ToString());
                }
            }
            else
            {
                MessageBox.Show("incorrect password!");
            }
        }
    }
}

enter image description here

5 个答案:

答案 0 :(得分:4)

User是T-SQL中的 reserved keyword 。您应该使用方括号,如[User]

您应该使用parameterized sql代替。这种字符串连接对SQL Injection攻击开放。

string myQuery = "select u_password from [user] where u_name=@user";
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);

作为一般推荐,不要在数据库中使用保留关键字作为标识符和对象名称。

答案 1 :(得分:2)

尝试将用户放入[],因为它是T-SQL中的重新创建的关键字并使用参数,您的代码对SQL注入开放!

private void button1_Click(object sender, EventArgs e)
{
    var builder = new SqlConnectionStringBuilder();
    builder.DataSource = "servername";
    builder.InitialCatalog = "databasename";
    builder.UserID = "username";
    builder.Password = "yourpassword";

    using(var conn = new SqlConnection(builder.ToString()))
    {
        using(var cmd = new SqlCommand())
        {
            cmd.Connection = conn;
            cmd.CommandText = "select u_password from [user] where u_name = @u_name";
            cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
            conn.Open();

            using(var reader = cmd.ExecuteReader())
            {
                 while (reader.Read())
                 {
                     var tmp = reader["u_password"];
                     if(tmp != DBNull.Value)
                     {
                         sifre = reader["u_password"].ToString();
                     }
                 }
            }
        }
    }
}

答案 2 :(得分:1)

User是SQL中的保留关键字,您需要这样做:

select u_password from [user]  where u_name=@user

与以往一样,对于基本的SQL问题,您应该始终使用参数化查询来阻止人们通过文本框在您的数据库上运行任何旧命令。

SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);

答案 3 :(得分:1)

USER是T-SQL中的保留字

尝试将[]放在保留字之后。

string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");

答案 4 :(得分:1)

user is a keyword.

将其更改为

string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");

除此之外,我建议您查看Using Parameterized queries to prevent SQL Injection Attacks in SQL Server

相关问题
最新问题