这是我的问题,这是我被困的地方......
https://drive.google.com/file/d/0BxqCNfHpYEJlejVwcGxYVHo1VWM/view?usp=sharing
你可以帮助他......如果这个看起来如此明显,请跟我一起来......OleDbConnection con = new OleDbConnection();
con.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Sparrow vivek\Documents\Billing.accdb";
con.Open();
String query = "select * from user where username='" + textBox1.Text + "'and password='" + textBox2.Text + "'";
OleDbCommand cmd = new OleDbCommand(query, con);
//cmd.ExecuteNonQuery();
OleDbDataReader rd = cmd.ExecuteReader();
int i = 0;
String ss = null;
while (rd.Read())
{
i++;
ss = rd[0].ToString();
}
if (i > 0)
{
Form4 f4 = new Form4();
this.Hide();
f4.Show();
con.Close();
}
else
{
label4.Text = "Username or Password not valid";
label4.ForeColor = Color.Red;
}
con.Close();
答案 0 :(得分:0)
首先,您可以通过SQL-Injection进行开放。永远不要为查询连接字符串...参数化它们。
String query = "select * from user where username = ? and password = ?";
OleDbCommand cmd = new OleDbCommand(query, con);
cmd.Parameters.Add( "parmUser", textBox1.Text )
cmd.Parameters.Add( "parmPassword", textBox2.Text )
SQL-Server和其他引擎允许您为参数命名,但是对于习惯,您应该仍然可以将它们保持在与正在准备的查询相同的顺序中。
String query = "select * from user where username = @parmUser and password = @parmPassword";
OleDbCommand cmd = new OleDbCommand(query, con);
cmd.Parameters.Add( "parmUser", textBox1.Text )
cmd.Parameters.Add( "parmPassword", textBox2.Text )
但是,也可能是因为在name参数和AND子句后的结束引号之后没有空格......
+ "'and....
to
+ "' and...