MySql查看是否禁止用户使用C#Windows Form

时间:2015-02-23 12:21:36

标签: c# mysql

我有一个mysql数据库来存储用户和东西。我有一个帐户状态列。 像这样 picture is here

就像现在我已经建立了一个管理面板,以便我可以改变它们是否被禁止等。但是在登录页面我希望它检查他们输入的用户名并查看状态列以查看它们是否被禁止。

现在我有这个代码可以工作,但它真的没有检查它只是说他们登录的任何帐户被禁止。任何帮助都会很棒。

MySqlConnection con = new MySqlConnection("Server=sql3.freesqldatabase.com; database=sql368409; Uid= ; Pwd=");
        MySqlCommand cmd = new MySqlCommand("Select * from sql368409.user where status='Banned'", con);
        cmd.Parameters.AddWithValue("@status", "status='Banned'");
        con.Open();
        MySqlDataReader dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            if (dr.HasRows == true)
          {// to let them know they are banned
                UTF8Encoding utf8 = new UTF8Encoding();
                WebClient webClient = new WebClient();
                String externalIp = utf8.GetString(webClient.DownloadData("http://ipecho.net/plain"));
                MessageBox.Show(externalIp + "   Is BANNED From Using The Tool!!");
                break;
            }

        }

        if (dr.HasRows == false)
        {//if they are not banned. to log them in
            MySqlConnection con2 = new MySqlConnection("Server=sql3.freesqldatabase.com; database=sql368409 ; Uid=; Pwd=");
            MySqlCommand cmd2 = new MySqlCommand("SELECT * FROM sql368409.user WHERE username='" + this.textEdit1.Text + "' AND password='" + this.textEdit2.Text + "';", con2);
            MySqlDataReader myReader1;
            con2.Open();
            myReader1 = cmd2.ExecuteReader();
            int count = 0;
            while (myReader1.Read())
            {
                count = count + 1;
                MessageBox.Show("Username and password is correct");
            }
            if (count == 1)
            {

            }
            else
            {
                MessageBox.Show("Wrong username and password");
            }
        }

1 个答案:

答案 0 :(得分:1)

首先,您的代码似乎非常不安全且危险。但除了安全之外,我会告诉你什么是错的,以及我会做的事情。

你的第一个问题出现在第2行和第3行:

MySqlCommand cmd = new MySqlCommand("Select * from sql368409.user where status='Banned'", con);
cmd.Parameters.AddWithValue("@status", "status='Banned'");

应该是:

MySqlCommand cmd = new MySqlCommand("Select * from sql368409.user where status='@status' and username='@username'", con);
cmd.Parameters.AddWithValue("status", "Banned");
cmd.Parameters.AddWithValue("username", this.textEdit1.Text);

我不会直接使用文本框文本,而是将值分配给变量并首先检查它以确保它“看起来”像真正的用户名,但这不是你的问题所在。

上面的代码应该是您当前解决方案工作所需的代码,但更好的方法是首先获取用户,然后对他进行检查,如禁用和密码等。

MySqlCommand cmd = new MySqlCommand("Select * from sql368409.user where username='@username'", con);
cmd.Parameters.AddWithValue("username", this.textEdit1.Text);

// First make sure we only got one row.
// Second check against password, otherwise return "bad credentials"
// Then check against banned, return "You're banned"
// Then maybe make him logged in as "admin"
// And such.
相关问题
最新问题