Simple login C# and MySQL web application

Time: 2013-12-12 16:43:17

Tags: c# mysql asp.net web-applications login

There are some errors in my code; for some reason, when I try to catch at the end, it throws an error saying it is missing lots of brackets, although I don't think it is. Can someone let me know where I went wrong.

Code:

namespace login
{
   public partial class _Default : Page
   {
      // declaration of tables and data adapters, plus the connection string for my MySQL database
      DataSet ds = new DataSet();
      MySqlConnection cs = new MySqlConnection(@"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm");

      MySqlDataAdapter da = new MySqlDataAdapter();
      DataTable dt = new DataTable();
      String totalDonations = string.Empty;

      protected void Button1_Click(object sender, EventArgs e)
      {
         try
         {
            MySqlCommand SelectCommand = new MySqlCommand("select * from films.user where user_name='" + this.username.Text + "; and password='" + this.password.Text + "';", cs);
            MySqlDataReader myreader;
            cs.Open();
            myreader = SelectCommand.ExecuteReader();

            int count = 0;
            while (myreader.Read())
            {
               count = count + 1;
            }

            if (count == 1)
            {
               Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
            }

            else if (count > 1)
            {
               Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
            }

            else Response.Write(@"<script language='javascript'>alert('wrong password');</script>");

            cs.Close();
         }

         catch (Exception ex)
         {
            Response.Write(@"<script language='javascript'>alert(ex.message);</script>");
         }
      }
   }
}

2 answers:

Answer 0 (score: 6)

Problem 1: You have opened an extra red curly brace { after the try block.
Problem 2: You have opened the user_name parameter with single quotes but have not closed it with single quotes.

Solution 1: You need to remove the extra curly brace opened after the try block.
Solution 2: You need to wrap the user_name parameter properly in single quotes.

Suggestion: Your query is open to SQL Injection attacks; I would suggest you use parameterised queries to avoid this problem.

Using parameterised queries

Complete code

namespace login
{
    public partial class _Default : Page
    {
        // declaration of tables and data adapters, plus the connection string for the MySQL database
        DataSet ds = new DataSet();
        MySqlConnection cs = new MySqlConnection(@"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm");

        MySqlDataAdapter da = new MySqlDataAdapter();
        DataTable dt = new DataTable();
        String totalDonations = string.Empty;

        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            try
            {
                // user input is bound as parameters and never spliced into the SQL text
                MySqlCommand SelectCommand = new MySqlCommand("select * from films.user where user_name=@username and password=@password;", cs);
                MySqlDataReader myreader;
                SelectCommand.Parameters.AddWithValue("@username", this.username.Text);
                SelectCommand.Parameters.AddWithValue("@password", this.password.Text);
                cs.Open();

                myreader = SelectCommand.ExecuteReader();

                int count = 0;
                while (myreader.Read())
                {
                    count = count + 1;
                }

                if (count == 1)
                {
                    Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
                }

                else if (count > 1)
                {
                    Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
                }

                else Response.Write(@"<script language='javascript'>alert('wrong password');</script>");

                cs.Close();
            }//end of try block

            catch (Exception ex)
            {
                // the exception text is encoded so it cannot break out of the script string
                Response.Write("<script language='javascript'>alert('" + HttpUtility.JavaScriptStringEncode(ex.Message) + "');</script>");
            }//end of catch block
        }//end of Button1_Click
    }//end of class
}//end of namespace

Answer 1 (score: 2)

Apart from the missing bracket and the wrong SQL query (containing a semicolon), you can improve your code a lot. You can use ExecuteScalar and change the query to COUNT(*). That way you don't have to count in code. Also use the using statement, which will make sure the connection is closed even in case of an exception. So your code should be along the following lines:

namespace login
{
    public partial class _Default : Page
    {
        // declaration of tables and data adapters, plus the connection string for the MySQL database
        DataSet ds = new DataSet();
        string connectionString = @"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm";

        MySqlDataAdapter da = new MySqlDataAdapter();
        DataTable dt = new DataTable();
        String totalDonations = string.Empty;

        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            try
            {
                // both using blocks dispose their object when control leaves them,
                // so the connection is closed even if an exception is thrown
                using (MySqlConnection cs = new MySqlConnection(connectionString))
                using (MySqlCommand SelectCommand = new MySqlCommand("select count(*) from films.user where user_name=@username AND password = @password", cs))
                {
                    SelectCommand.Parameters.AddWithValue("@username", username.Text);
                    SelectCommand.Parameters.AddWithValue("@password", password.Text);
                    cs.Open();
                    // COUNT(*) comes back boxed as a long; a direct (int) unbox would throw InvalidCastException
                    int count = Convert.ToInt32(SelectCommand.ExecuteScalar());
                    if (count == 1)
                    {
                        Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
                    }
                    else if (count > 1)
                    {
                        Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
                    }
                    else
                    {
                        Response.Write(@"<script language='javascript'>alert('wrong password');</script>");
                    }
                }
            }

            catch (Exception ex)
            {
                // the exception text is encoded so it cannot break out of the script string
                Response.Write("<script language='javascript'>alert('" + HttpUtility.JavaScriptStringEncode(ex.Message) + "');</script>");
            }
        }
    }
}

Using parameters with the command will save you from SQL Injection.
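A runnable illustration of the points both answers make: the SQL that string concatenation produces breaks as soon as the input contains a quote (the same class of quoting problem the question hit), placeholders bind the input as data, COUNT(*) gives a single scalar, and the connection is always closed. This is an added example, not code from the question or either answer; it uses Python's sqlite3 module as an offline stand-in for C# with MySqlCommand (sqlite3's ? placeholders play the role of @username/@password and contextlib.closing plays the role of using), with a constructed two-row user table.

```python
import sqlite3
from contextlib import closing

# Constructed rows standing in for films.user; the second name contains a quote.
SAMPLE_USERS = [("alice", "wonderland"), ("o'brien", "shamrock")]


def open_sample_db():
    """Return an in-memory SQLite connection seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def count_users_concat(conn, user_name, password):
    """The question's approach (quoting fixed): SQL built by concatenation.
    A quote in the input becomes SQL text, so the statement is mangled."""
    sql = ("select count(*) from user where user_name='" + user_name
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_users_param(conn, user_name, password):
    """The answers' approach: '?' placeholders, sqlite3's equivalent of
    MySqlCommand's @username/@password. Input is bound as data, never parsed."""
    sql = "select count(*) from user where user_name=? and password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0]


def login_outcome(count):
    """Map the COUNT(*) scalar to the three branches used in the answers."""
    if count == 1:
        return "ok"
    return "duplicate" if count > 1 else "wrong password"


def check_login(user_name, password, counter=count_users_param):
    """One login check on a fresh connection that is always closed afterwards
    (contextlib.closing is the analogue of C#'s using on the connection)."""
    with closing(open_sample_db()) as conn:
        try:
            return login_outcome(counter(conn, user_name, password))
        except sqlite3.Error as exc:  # e.g. the syntax error from mangled SQL
            return "error: " + type(exc).__name__


if __name__ == "__main__":
    print(check_login("o'brien", "shamrock", count_users_concat))  # error: OperationalError
    print(check_login("o'brien", "shamrock"))  # ok
```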