这是我的社会表的架构:
Society(SocietyName, Email, Password, Status)
所以基本上我正在创建一个用户输入电子邮件和密码的登录页面。如果有一封与数据库中的电子邮件相匹配的电子邮件,则会检查状态是否等于总裁或教职员工或学生事务办公室。基于此,它重定向到不同的页面。 以下是我的代码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace WebApplication3 {
public partial class WebForm1 : System.Web.UI.Page {
MySql.Data.MySqlClient.MySqlConnection conn;
MySql.Data.MySqlClient.MySqlCommand cmd;
MySql.Data.MySqlClient.MySqlDataReader reader;
String QueryStr;
String name;
protected void Page_Load(object sender, EventArgs e) { }
protected void clicked(object sender, EventArgs e) {
String ConnString = System.Configuration.ConfigurationManager.ConnectionStrings["Webappconstring"].ToString();
conn = new MySql.Data.MySqlClient.MySqlConnection(ConnString);
conn.Open();
String QueryStr2 = "";
QueryStr = "";
QueryStr = "Select * from the_society_circle.society WHERE Email= '" + Emailtxt.Text + "' And Psswd=' " + passwordtxt.Text + "'";
cmd = new MySql.Data.MySqlClient.MySqlCommand(QueryStr, conn);
reader = cmd.ExecuteReader();
QueryStr2 = "Select Status from the_society_circle.society where Email = '" + QueryStr + "'";
name = "";
while (reader.HasRows && reader.Read()) {
name = reader["Email"].ToString();
}
if ((QueryStr2== "president" || QueryStr2 == "faculty member") && reader.HasRows ) {
Session["Email"] = name;
Response.BufferOutput = true;
Response.Redirect("WebForm2.aspx", true);
} else {
Emailtxt.Text = "invalid user";
}
conn.Close();
}
}
}
问题是if语句永远不会执行,并且它总是打印无效用户。
PS:我是网络开发的新手:D
答案 0 :(得分:1)
将QueryString2设置为此值
QueryStr2 = "Select Status from the_society_circle.society where Email = '" + QueryStr + "'";
它永远不会是您检查的值之一。
答案 1 :(得分:0)
正如codemonkey已经写过的,你的情况永远不会成真。
您执行以下操作:if ((QueryStr2== "president" || Quer...,其评估结果为if (("Select Status from the_society_circle.society where Email = '" + QueryStr + "'"== "president" || Quer...。所以你要比较两个不同的字符串,这些字符串永远不会成功。
我试图重构你的代码并想出了这个(没有经过测试,从头开始编写):
MySqlAccess)并处理数据库对象(将它们放入using - 在离开块时调用Dispose()的块。 总结一下:
记住SQL注入和其他恶意操作。例如,看一下这篇文章:http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx
并且从不将密码存储为数据库中的明文。这是你应该关心的下一件事。编辑数据库以将密码存储为salted密码哈希值,然后只比较哈希值。首先,请看一下这篇文章:http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MySql;
namespace WebApplication1
{
public partial class WebForm1 : System.Web.UI.Page
{
private string _connectionString;
protected void Page_Load(object sender, EventArgs e)
{
_connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["Webappconstring"].ToString();
}
protected void Clicked(object sender, EventArgs e)
{
string email = Emailtxt.Text;
string password = passwordtxt.Text;
var mysqlAccess = new MySqlAccess(_connectionString);
string status = mysqlAccess.GetStatus(email, password);
if (status == Constants.Status.PRESIDENT || status == Constants.Status.FACULTY_MEMBER)
{
Session["Email"] = email;
Response.Redirect("WebForm2.aspx", true);
}
else
{
Emailtxt.Text = "invalid user";
}
}
}
internal class MySqlAccess
{
private readonly string _connectionString;
public MySqlAccess(string connectionString)
{
_connectionString = connectionString;
}
public string GetStatus(string email, string password)
{
using (var conn = new MySqlConnection(_connectionString))
{
conn.Open();
string query = "SELECT Status FROM the_society_circle.society WHERE Email=@Email AND Psswd=@Password;";
using (var cmd = new MySqlCommand(query, conn))
{
cmd.Parameters.AddWithValue("@Email", email);
cmd.Parameters.AddWithValue("@Password", password);
using (var reader = cmd.ExecuteReader())
{
if (reader.HasRows && reader.Read())
{
return reader["Status"].ToString();
}
}
}
}
return string.Empty;
}
}
internal class Constants
{
internal class Status
{
public const string PRESIDENT = "president";
public const string FACULTY_MEMBER = "faculty member";
}
}
}