我是.Net技术的初学者。我想开发一个带有用户名,密码和按钮组件的Web应用程序,登录模块。我有问题。所以请帮我正确登录mod。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;
namespace WebApplication2_loginPageTest
{
public partial class _Default : System.Web.UI.Page
{
protected void btnlogin_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection("DataBase=SOUMENROY-PC;Server=(local)");
SqlDataAdapter da ;
string mSql = " Select * from login1 where username = '" + tbusername.Text +
"' + and password = '" + tbpassword.Text + "' ";
da = new SqlDataAdapter(mSql, con);
con.Open();
DataSet ds = new DataSet();
da.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Response.Write("<Script> alert (uid & pass taken.)</script>");
}
else
{
Response.Write("<Script> alert (uid & pass ok.)</script>");
}
}
}
}
答案 0 :(得分:1)
在我们等待您遇到的问题的更多信息时,我想指出您的查询目前容易受到SQL注入攻击。这是我如何重写它:
using(var con = new SqlConnection("DataBase=SOUMENROY-PC;Server=(local)"))
using (var cmd = new SqlCommand("select count(*) from login1 where username = @username and password = @password", con))
{
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password", password);
con.Open();
var result = (int)cmd.ExecuteScalar();
if (result > 0)
{
// credentials are valid
}
}
如果您需要任何澄清,请告诉我。