我正在尝试创建一个连接到登录数据表的简单登录表单,但是在调试时遇到错误。
这是我的代码:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace KEBMS
{
public partial class frmWelcome : Form
{
SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\v11.0;AttachDbFilename=D:\Project\KEBMS\KEBMS\MainDatabase.mdf;Integrated Security=True;Connect Timeout=30");
SqlCommand Com;
public frmWelcome()
{
InitializeComponent();
}
private void btnlogin_Click(object sender, EventArgs e)
{
String Username, Password;
con.Open();
String sql = "SELECT [username],[Password] FROM tblLogin WHERE (Username='" + txtusername.Text + "' Password='" + txtpassword.Text + "')";
Com = new SqlCommand(sql, con);
SqlDataReader dr;
dr = Com.ExecuteReader();
dr.Read();
Username = dr["Username"].ToString();
Password = dr["Password"].ToString();
if (txtusername.Text == Username && txtpassword.Text == Password)
{
frmHome Home = new frmHome();
Home.Show();
this.Hide();
}
else
{
MessageBox.Show("Wrong Username and Password");
txtusername.Clear();
txtpassword.Clear();
txtusername.Focus();
}
con.Close();
}
private void btnexit_Click(object sender, EventArgs e)
{
this.Close();
}
}
}
,错误是:
"未处理的类型' System.Data.SqlClient.SqlException'发生在System.Data.dll中 附加信息:密码'。"
附近的语法不正确
我仍然是C#
的新手,我不确定我做错了什么。
答案 0 :(得分:0)
将con置于try catch块中,它将更好地指出问题所在。
答案 1 :(得分:0)
该例外的直接原因是password
是关键字,这就是为什么应该放在括号中:where ... [Password] = ...
。
但是,实施中存在太多的问题;所以让我们从开始重写它:
型号:
private static string ConnectionString {
get {
//TODO: do not hardcode. move it to settings
return @"Data Source=(LocalDB)\v11.0;AttachDbFilename=D:\Project\KEBMS\KEBMS\MainDatabase.mdf;Integrated Security=True;Connect Timeout=30";
}
}
业务逻辑(Controller):
//DONE: method extracted
private bool TryLogin(string login, string password) {
//DONE: do not use global connections
//DONE: wrap IDisposable into using
using (SqlConnection con = new SqlConnection(ConnectionString)) {
con.Open();
//DONE: Make Sql readable
//DONE: Make Sql parametrized
//DONE: Do not expose password - SELECT 1
//TODO: Do not store password as a plain text, but its hash
string sql =
@"SELECT 1 -- we don't want to return any login/password
FROM tblLogin
WHERE [Username] = @prm_UserName and
[Password] = @prm_Password -- password is a keyword, wrap it in []";
//DONE: wrap IDisposable into using
using (com = new SqlCommand(sql, con)) {
com.Parameters.AddWithValue("@prm_UserName", login);
com.Parameters.AddWithValue("@prm_Password", password);
//DONE: wrap IDisposable into using
using (var dr = com.ExecuteReader()) {
return dr.Read(); // do we have at least one record?
}
}
}
}
UI:
private void btnexit_Click(object sender, EventArgs e) {
if (TryLogin(txtusername.Text, txtpassword.Text)) {
frmHome Home = new frmHome();
Home.Show();
this.Hide();
}
else {
MessageBox.Show("Wrong Username or/and Password");
txtusername.Clear();
txtpassword.Clear();
if (txtusername.CanFocus)
txtusername.Focus();
}
}