Incorrect syntax near 'admin'

Time: 2014-10-14 16:55:08

Tags: asp.net

In this program, when I enter a username and password it goes to the database and compares them against the table. But when I enter the username admin and the password admin (which exist in the table), the compiler shows the error "Incorrect syntax near 'admin'" on the line int temp = Convert.ToInt32(com.ExecuteScalar().ToString());

protected void Button1_Click(object sender, EventArgs e)
{

    SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\1\Documents\DB.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True");
    conn.Open();
    string checkuser = "select count(*) from [Users] where Username '" + TextBoxUserName.Text + "'";
    SqlCommand com = new SqlCommand(checkuser,conn);
    int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
    conn.Close();

    if (temp == 1)
    {
        conn.Open();
        string checkpassword = "select Password from Users where Password'" + TextBoxPassword.Text + "'";
        SqlCommand passComm = new SqlCommand(checkpassword, conn);
        string password = passComm.ExecuteScalar().ToString();
        if (password == TextBoxPassword.Text)
        {
            //Session["NEW"] = TextBoxUserName.Text;
            Response.Redirect("Welcome.aspx");
        }

        else
        {
            Response.Redirect("Error.aspx");
        }

    }
}

3 answers:

Answer 0 (score: 1)

The error is simply caused by the missing equals sign before the concatenated value in the SQL command text.

But even after fixing that, your code is wrong for other reasons.

  • You should always use parameterized queries to avoid SQL injection and parsing problems,
  • You could remove the COUNT function, which causes all records to be loaded unnecessarily, just to confirm whether the searched data exists,
  • You need to check that the user's password and username are on the SAME record. As it stands, the code above first searches for the username and then for the password, but I could enter an existing username (passing the first check) and a different user's password (passing the second check) and gain access to your site.

string checkuser = @"IF EXISTS(select 1 from [Users] where Username = @usr AND Password=@pwd)
                    SELECT 1 ELSE SELECT 0";
using(SqlConnection conn = new SqlConnection(....))    
using(SqlCommand com = new SqlCommand(checkuser,conn))
{
     conn.Open();
     com.Parameters.AddWithValue("@usr", TextBoxUserName.Text);
     com.Parameters.AddWithValue("@pwd", TextBoxPassword.Text);
     int temp = Convert.ToInt32(com.ExecuteScalar());
     if (temp == 1)
        Response.Redirect("Welcome.aspx");
     else
        Response.Redirect("Error.aspx");
}

The other thing changed in the example above is the USING STATEMENT, to ensure that your connection and command are disposed at the end of the operation, also when an exception occurs.
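As an added illustration of the third point above (this is not code from the question or from the answers), the following script runs the two query strategies against a constructed Users table. SQLite stands in for SQL Server here; the query logic is the same, and all values are bound as parameters. The two-step check accepts an existing username combined with another user's password, while the single same-record query rejects it.

```python
import sqlite3

# Constructed sample data standing in for the question's [Users] table.
# Passwords are stored in the clear only to mirror the page's schema.
SAMPLE_USERS = [("admin", "admin"), ("bob", "bobs-password")]


def make_db():
    """Build an in-memory Users table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def two_step_login(conn, username, password):
    """Mirrors the question's logic: one query on Username, then a second
    query on Password, each correct on its own but independent of the other."""
    (count,) = conn.execute(
        "SELECT count(*) FROM Users WHERE Username = ?", (username,)
    ).fetchone()
    if count != 1:
        return False
    row = conn.execute(
        "SELECT Password FROM Users WHERE Password = ?", (password,)
    ).fetchone()
    # Any row whose Password column equals the input satisfies this check,
    # regardless of which user that row belongs to.
    return row is not None and row[0] == password


def same_record_login(conn, username, password):
    """Answer 0's fix: a single query that requires both columns to match
    on the same row, with both values bound as parameters."""
    (exists,) = conn.execute(
        "SELECT EXISTS(SELECT 1 FROM Users WHERE Username = ? AND Password = ?)",
        (username, password),
    ).fetchone()
    return exists == 1


if __name__ == "__main__":
    db = make_db()
    # Correct credentials pass both strategies; the mixed pair passes only the flawed one.
    print(two_step_login(db, "admin", "admin"), same_record_login(db, "admin", "admin"))
    print(two_step_login(db, "admin", "bobs-password"), same_record_login(db, "admin", "bobs-password"))
```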

Answer 1 (score: 0)

Try changing this line

string checkuser = "select count(*) from [Users] where Username '" + TextBoxUserName.Text + "'";

to this

string checkuser = "select count(*) from [Users] where Username = '" + TextBoxUserName.Text + "'";

You missed the = sign.

You also need to do the same for your password select; you missed the = sign there too.

string checkpassword = "select Password from Users where Password = '" + TextBoxPassword.Text + "'";

Answer 2 (score: 0)

When checking the password, you should also include the UserName:

string checkpassword = "select Password from Users where UserName = '" + TextBoxUserName.Text + "' AND Password = '" + TextBoxPassword.Text + "'";

If you don't include the UserName, you only verify that some user has that password.

The following code will prevent SQL injection by parameterizing the command text:
SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\1\Documents\DB.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True");
conn.Open();
string checkuser = "SELECT Count(UserName) FROM USERS WHERE UserName = @UserName";
SqlCommand com = new SqlCommand(checkuser, conn);
// Bound as a parameter, so the input travels as data instead of being spliced into the SQL text
SqlParameter parmUserName = new SqlParameter("UserName", TextBoxUserName.Text);
com.Parameters.Add(parmUserName);

int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp == 1)
{
    conn.Open();
    string checkpassword = "SELECT Password FROM USERS WHERE UserName = @UserName AND Password = @Password";

    SqlCommand passComm = new SqlCommand(checkpassword, conn);
    // A SqlParameter may belong to only one command, so the second command gets its own instances
    passComm.Parameters.Add(new SqlParameter("UserName", TextBoxUserName.Text));
    passComm.Parameters.Add(new SqlParameter("Password", TextBoxPassword.Text));

    // ExecuteScalar returns null when no row matches both columns
    string password = passComm.ExecuteScalar() as string;
    conn.Close();
    if (password != null && password == TextBoxPassword.Text)
    {
        Response.Redirect("Welcome.aspx");
    }
    else
    {
        Response.Redirect("Error.aspx");
    }
}