我正在使用后端SQL来访问数据库以获取登录详细信息,即用户名和密码但是输入它将会登录 [英] I am using backend SQL to access database for login details i.e., username and password but wihtout entering that it will logging in
问题描述
这是我的代码是什么问题。
private void button1_Click( object sender,EventArgs e)
{
SqlConnection con = new SqlConnection( @ Data Source = .; Database = master; Integrated Security = True);
SqlDataAdapter sda = new SqlDataAdapter( SELECT * FROM Register WHERE usernmae =' + textBox1.Text + 'AND password = ' + textBox2.Text + ',con);
/ * 在上面的行中,程序从表中选择整个数据并将其与用户名匹配和用户提供的密码。 * /
con.Open();
DataTable dt = new DataTable(); // 这是创建虚拟表
// sda.Fill(dt);
con.Close();
if (dt.Rows.Count > = 0 )
{
/ * 我创建了一个新页面主页。如果用户成功通过身份验证,则表单将移至下一个表单* /
此 .Hide();
仪表板sn = 新仪表板();
sn.Show();
// new home()。Show();
// MessageBox.Show(done);
}
else
MessageBox.Show( Not notcesful Login);
我尝试过:
i想要使用有效的用户名和密码登录,如果它是正确的,它应该输入,如果不是它应该显示错误而不是它登录。
< blockquote>这里有几个问题:
1)从不硬编码连接字符串:它们应该在配置文件中,因为它们通常在开发和生产方面不同:生产将使用基于服务器的系统多台机器使用ID和密码连接,如果经常使用LOCALHOST和集成安全性在本地安装上进行开发。
2)永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
3)可能,您的SQL数据库列不是usernmae,而是username
4)绝不以明文形式存储密码 - 这是一个重大的安全风险。有关如何在此处执行此操作的信息:密码存储:如何做到这一点。 [ ^ ]
5)如果你感兴趣的是多行,那么使用 SELECT COUNT(*)并调用ExecuteScalar返回单个值,而不是浪费时间和资源构建您永远不会使用的数据表。
6)考虑一下你的条件:
如果(dt.Rows.Count > = 0 )
如果数据库中没有匹配项,那真的是成功登录吗?
你在这段代码中遇到很多问题。
- 你总是成功登录,因为:
if(dt.Rows.Count > = 0)
,它表示接受0,因为Count不能为负...
- 建议,把东西放在dt,它更好。
- 建议,永远不要以这种方式构建SQL查询
SELECT * FROM Register WHERE usernmae ='+ textBox1。文本+'和密码='+ textBox2.Text +'
当值是用户输入时,它打开了SQL注入的大门
SQL注入 [ ^ ]
[更新]
你应该学会尽快使用调试器。而不是猜测你的代码在做什么,现在是时候看到你的代码执行并确保它完成你期望的。
调试器允许你跟踪执行逐行检查变量,你会看到它有一个停止做你期望的点。
调试器 - 维基百科,免费的百科全书 [ ^ ]
掌握Visual Studio 2010中的调试 - A初学者指南 [ ^ ]
http: //docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html [ ^ ]
https://www.jetbrains.com/idea/help/debugging-your -first-java-application.html [ ^ ]
调试器在这里向您展示您的代码正在做什么,您的任务是与它应该做什么进行比较do。
当代码没有达到预期效果时,你就接近了一个bug。
Here is my code what is the issue.
private void button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(@"Data Source=.;Database=master;Integrated Security=True");
SqlDataAdapter sda = new SqlDataAdapter("SELECT * FROM Register WHERE usernmae='" + textBox1.Text + "' AND password='" + textBox2.Text + "'", con);
/* in above line the program is selecting the whole data from table and the matching it with the user name and password provided by user. */
con.Open();
DataTable dt = new DataTable(); //this is creating a virtual table
//sda.Fill(dt);
con.Close();
if (dt.Rows.Count >= 0)
{
/* I have made a new page called home page. If the user is successfully authenticated then the form will be moved to the next form */
this.Hide();
Dashboard sn = new Dashboard();
sn.Show();
//new home().Show();
//MessageBox.Show("done");
}
else
MessageBox.Show("Not succesful Login");
What I have tried:
i want to login with the valid username and password if it is correct it should enter if not it should show an error instead of it it is loggin in.
There are several things wrong here:
1) Never hard code connection strings: they should be in configuration files, because they will normally be different for development and production: production will use a server based system that multiple machines connect to using an ID and password, developement if often done on a local installation using LOCALHOST and integrated security.
2) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
3) Probably, your SQL database column, isn't called "usernmae", but "username"
4) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]
5) If all you are interested in is a number of rows, then useSELECT COUNT(*)and call ExecuteScalar to return a single value instead of wasting time and resources constructing datatables you will never use.
6) Think about your conditions:
if (dt.Rows.Count >= 0)
If there are no matches in the DB, is that really a successful login?
You have many problems in this code.
-You have always successful login because of this:
if (dt.Rows.Count >= 0)
, it says that 0 is accepted, and since Count can not be negative ...
- Advice, put something indt, it is better.
- Advice, never build an SQL query this way
"SELECT * FROM Register WHERE usernmae='" + textBox1.Text + "' AND password='" + textBox2.Text + "'"
when the values are user inputs, it open door to SQL Injection
SQL Injection[^]
[Update]
You should learn to use the debugger as soon as possible. Rather than guessing what your code is doing, It is time to see your code executing and ensuring that it does what you expect.
The debugger allow you to follow the execution line by line, inspect variables and you will see that there is a point where it stop doing what you expect.
Debugger - Wikipedia, the free encyclopedia[^]
Mastering Debugging in Visual Studio 2010 - A Beginner's Guide[^]
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html[^]
https://www.jetbrains.com/idea/help/debugging-your-first-java-application.html[^]
The debugger is here to show you what your code is doing and your task is to compare with what it should do.
When the code don't do what is expected, you are close to a bug.
这篇关于我正在使用后端SQL来访问数据库以获取登录详细信息,即用户名和密码但是输入它将会登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
