Validating username and password from MySQL

Time: 2015-03-08 08:53:26

Tags: mysql vb.net

I am looking for code to validate a username and password in VB.

Private Sub LoginBtn_Click(sender As Object, e As EventArgs) Handles LoginBtn.Click
    Try
        con.Open()
        com = New MySqlCommand("SELECT id FROM accounts WHERE uname='" & txtuname.Text & "'", con)
        reader = com.ExecuteReader
        If reader.HasRows = True Then
            com = New MySqlCommand("SELECT id FROM accounts WHERE pword = '" & txtpword.Text & "' AND uname='" & txtuname.Text & "'", con)
            If reader.HasRows = True Then
                Form3.Show()
            Else
                MsgBox("Invalid Password")
                txtpword.Focus()
            End If

        ElseIf String.IsNullOrEmpty(txtuname.Text) Then
            MsgBox("Invalid Username")
            txtuname.Focus()
        Else
            MsgBox("New User Detected. Input Password")
            Form2.Show()
        End If

        reader.Close()
        con.Close()

    Catch ex As Exception
        If Not con.State = ConnectionState.Closed Then
            con.Close()
        End If
        MsgBox(ex.ToString)
    End Try

End Sub

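The conditions are as follows:

  1. If the username is not detected in the database, it leads to the registration form (Form 2).
  2. If the username is detected but the password is wrong or empty, a msgbox pops up.
  3. If both the username and password are correct, it leads to Form 3.
  4. My problem is condition #2. Even when the data in the pword textbox is wrong, it still leads to Form 3 instead of showing the msgbox.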

3 answers:

Answer 0: (score: 0)

You forgot reader = com.ExecuteReader after the second query, i.e. after

com = New MySqlCommand("SELECT id FROM accounts WHERE pword = '" & txtpword.Text & "' AND uname='" & txtuname.Text & "'", con)

because it only considers the output of the first query, and the second query is still not executed.

Answer 1: (score: 0)

You should call again

reader = com.ExecuteReader

after:

com = New MySqlCommand("SELECT id FROM accounts WHERE pword = '" & txtpword.Text & "' AND uname='" & txtuname.Text & "'", con)

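You checked earlier that it had rows, but you never changed it.

Answer 2: (score: 0)

You need to call the reader again, otherwise the second query will not be executed, as the others have said. With that said, your code appears to be for a public application. With the code written this way, you leave yourself vulnerable to injection attacks. A user could insert malicious code into your text boxes, and the server could process it. It would be better to use parameters in the query instead of the text boxes' .Text, like this: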

Private Sub LoginBtn_Click(sender As Object, e As EventArgs) Handles LoginBtn.Click
    Try
        con.Open()
        ' First query: does the username exist? The value is bound as a parameter.
        com = New MySqlCommand("SELECT id FROM accounts WHERE uname=@uname", con)
        With com
            .Parameters.AddWithValue("@uname", txtuname.Text)
        End With
        reader = com.ExecuteReader
        If reader.HasRows = True Then
            ' Close the first reader before running another command on the same connection.
            reader.Close()
            com = New MySqlCommand("SELECT id FROM accounts WHERE pword = @pword AND uname = @uname", con)
            With com
                .Parameters.AddWithValue("@uname", txtuname.Text)
                .Parameters.AddWithValue("@pword", txtpword.Text)
            End With
            ' Execute the second query so HasRows reflects the password check.
            reader = com.ExecuteReader

            If reader.HasRows = True Then
                Form3.Show()
            Else
                MsgBox("Invalid Password")
                txtpword.Focus()
            End If

        ElseIf String.IsNullOrEmpty(txtuname.Text) Then
            MsgBox("Invalid Username")
            txtuname.Focus()
        Else
            MsgBox("New User Detected. Input Password")
            Form2.Show()
        End If

        reader.Close()
        con.Close()

    Catch ex As Exception
        If Not con.State = ConnectionState.Closed Then
            con.Close()
        End If
        MsgBox(ex.ToString)
    End Try
End Sub
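
To show why the last answer recommends parameters, here is an added example (not code from the question or from any of the answers) that runs the same two-step login check both ways against the page's `accounts` table. It assumes Python with an in-memory sqlite3 database standing in for MySQL so it runs offline; the function names, the sample account and the crafted input are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for MySQL (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, uname TEXT, pword TEXT)")
    con.execute("INSERT INTO accounts (uname, pword) VALUES (?, ?)", ("alice", "s3cret"))
    return con

def login_concat(con, uname, pword):
    # Same string-built queries as the question's code (the pattern to avoid).
    q1 = "SELECT id FROM accounts WHERE uname='" + uname + "'"
    if con.execute(q1).fetchone() is None:
        return "register"
    q2 = ("SELECT id FROM accounts WHERE pword = '" + pword +
          "' AND uname='" + uname + "'")
    return "ok" if con.execute(q2).fetchone() else "invalid password"

def login_param(con, uname, pword):
    # Values travel separately from the SQL text, so quotes in them stay data.
    if not uname:
        return "invalid username"
    found = con.execute("SELECT id FROM accounts WHERE uname = ?", (uname,)).fetchone()
    if found is None:
        return "register"
    row = con.execute(
        "SELECT id FROM accounts WHERE pword = ? AND uname = ?", (pword, uname)
    ).fetchone()
    return "ok" if row else "invalid password"

if __name__ == "__main__":
    con = make_db()
    crafted = "' OR '1'='1"  # constructed input containing quote characters
    for fn in (login_concat, login_param):
        # Wrong password, then the crafted value, for an existing user.
        print(fn.__name__, "|", fn(con, "alice", "wrong"), "|", fn(con, "alice", crafted))
```

With the concatenated query the crafted value becomes part of the WHERE clause and the password check passes; with bound parameters the same value is compared as a literal string and is rejected.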