我在尝试让我的网站登录时遇到问题。我希望它在我登录时显示相应的消息,但我一直收到相同的消息"电子邮件不正确" 有人能帮助我吗?
protected void loginbutton_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
con.Open();
string checkuser = "select count(*) from Users where email =' " + loginemail.Text + "'";
SqlCommand com = new SqlCommand(checkuser, con);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
con.Close();
if (temp == 1)
{
con.Open();
string checkPasswordQuery = "select password from Users where email = '" + loginemail.Text + "'";
SqlCommand pass = new SqlCommand(checkPasswordQuery, con);
string password = pass.ExecuteScalar().ToString();
if (password == loginpassword.Text)
{
Session["New"] = loginemail.Text;
Response.Write("Password is Correct");
Response.Redirect("Admin.aspx");
}
else
{
Response.Write("Password is not correct");
}
}
else
{
Response.Write("Email is not Correct");
}
}
答案 0 :(得分:3)
您的电子邮件旁边有一个空格:
where email =' " + log...
突出显示:
where email ='[here there is an empty space] " + log...
我认为这是需要改变的:
string checkuser = "select count(*) from Users where email ='" + loginemail.Text + "'";
答案 1 :(得分:1)
首先,您的代码容易受到SQL注入攻击。相反,请使用参数化查询。
其次,您不需要使用两个SELECT语句。
注意 :由于安全原因,您永远不应该说哪一个不正确。相反,您希望显示无效的电子邮件或密码。
此外,您绝不应存储普通密码。相反,您希望以Halhed格式存储密码。请查看ASP.NET Universal Provider或ASP.Net Identity。
protected void Loginbutton_Click(object sender, EventArgs e)
{
string connectionString = ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString;
using (var conn = new SqlConnection(connectionString))
{
var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Email=@Email AND Password=@Password",
conn);
cmd.CommandType = CommandType.Text;
cmd.Parameters.Add("@Email", loginemail.Text);
cmd.Parameters.Add("@Password", loginpassword.Text);
conn.Open();
int temp = Convert.ToInt32(cmd.ExecuteScalar());
}
}