来自数据库的登录查询 [英] Login Query from databae
问题描述
我创建了一个注册页面,其中包含存储在数据库中的字段电子邮件和密码。现在我想使用数据库的电子邮件和密码字段登录。
i应用查询,即::
i已输入email-name@gmail.com
和密码名称
--------------- -------------------------------------------------- ------------
SqlConnection con = new SqlConnection(str);
con.Open();
SqlCommand cmd = new SqlCommand(select * from Registration where Email ='+ loginemail +'and password ='+ loginpassword +',con);
SqlDataReader dr = cmd。 ExecuteReader();
if(dr.Read())
{
Response.Write(登录成功);
Response.Redirect(Home.aspx);
}
else
{
Response.Write(错误的用户名称和密码);
}
--------------------------- -------------------------------------------------- - 运行此代码后
总是其他部分正在工作。我输入相同的电子邮件和密码,我输入注册页面。
plzz ...告诉我wt是问题在这..或告诉wright查询。
I have created a registration page with field email and password stored in database.Now i want to log in using email and password field of database.
i applied query for that is::
i have enterd with email-name@gmail.com
and password-name
-----------------------------------------------------------------------------
SqlConnection con = new SqlConnection(str);
con.Open();
SqlCommand cmd = new SqlCommand("select * from Registration where Email='" + loginemail + "' and password='" + loginpassword + "'", con);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
Response.Write("Login Successful");
Response.Redirect("Home.aspx");
}
else
{
Response.Write("Wrong user name and password");
}
------------------------------------------------------------------------------
after running this code always else part is working.while i m entering same email and password which i enterd into registration page.
plzz...tell me wt is problem in this..or tell wright query for this.
推荐答案
既然你在这里进行web开发,你可以看一下MembershipProvider [ ^ ]。
就当前代码而言,检查表中是否有数据。此外,您还可以考虑其他一些要点:
1.使用参数化查询。您当前的代码很容易注入SQL。
2.您真的需要从数据库中返回所有列吗?你甚至没有使用它。
Since you are doing web development here, you may take a look at MembershipProvider[^].
As far a current code is concerned, check if you have data in the table. Also, here some other points you might want to consider:
1. Use parameterized queries. Your current code is prone to SQL injection.
2. Do you really need to return all the columns from database? You are not even using it.
首先,你编写sql查询的方式是邀请SQL注入。您必须始终参数化您的SQL查询。原因在于:给我参数化-sql-or-give-me-death [ ^ ]。怎么做,检查一下: sqlparameter [ ^ ]
关于你的问题,你可能想要检查'loginemail'和'loginpassword'的值对照'注册'数据表。您可以使用Debug类来完成此操作,请阅读:调试和跟踪 [ ^ ]。但是,其他地方可能存在其他错误。您应该可以通过调试找到它们。
First thing first, the way you code your sql queries is inviting SQL Injection. You must always parameterize your sql queries. The reason is here: give-me-parameterized-sql-or-give-me-death[^]. How to do it, check this out: sqlparameter[^]
As to your question, you may want to check the values of 'loginemail' and 'loginpassword' against those in the 'Registration' datatable. You can do this by using the Debug class, read this: Debug and Trace[^]. However, there could be other bugs exist elsewhere. You should be able to find them through debugging.
您好,
为什么选择ExecuteReader?这样做有什么特别的理由吗?如果你有多个select语句会很有帮助。
你可以使用ExecuteScalar,它从DB返回单个值,符合你的要求,你只想知道记录是否存在然后
使用以下代码
Hi,
Why ExecuteReader? Is there any specific reason to do that? It will be helpful if you have multiple select statement.
You could use ExecuteScalar, which returns single value from DB, which suits your requirement, you just want to valid whether record exists or not then
Use the below code
using (SqlConnection con = new SqlConnection(str))
{
con.Open();
SqlCommand cmd = new SqlCommand("select COUNT(*) from Registration where Email='" + loginemail + "' and password='" + loginpassword + "'", con);
int isUserExist= Convert.ToInt32(cmd.ExecuteScalar());
if (isUserExist > 0)
{
Response.Write("Login Successful");
Response.Redirect("Home.aspx");
}
else
{
Response.Write("Wrong user name and password");
}
}
希望这会对你有所帮助。
问候,
RK
Hope this helps you a bit.
Regards,
RK
这篇关于来自数据库的登录查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
