ASP.NET C#中的登录注销问题 [英] login logout problem in asp.net c#
本文介绍了ASP.NET C#中的登录注销问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
尊敬的先生,
我正在使用登录页面的代码
default.aspx.cs
Respected Sir,
i am using code for login page
default.aspx.cs
try
{
conn.Open();
SqlCommand cmd = new SqlCommand("select * from tbl_mnadmin where mn_username='"+txt_username.Text+"' and mn_password='"+txt_password.Text+"'",conn);
SqlDataReader rdr = cmd.ExecuteReader();
rdr.Read();
if (rdr["mn_username"].ToString().Length > 0)
{
Session["username"] = rdr["mn_username"];
Session["pass"] = rdr["mn_password"];
Response.Redirect("welcome.aspx");
}
else
{
lbl_msg.Text = "Invalid User Name or Password";
}
}
catch (Exception ex)
{
}
finally
{
conn.Close();
}
请告诉我问题.当用户名passowrd不匹配并且rdr未填写时,我遇到了问题.请告诉我如何解决这个问题.
谢谢
REgards
Umesh Daiya
plz tell me problem. i have got a problem when username passowrd not match and if rdr was not filled. plz tell me how to solve this problem.
Thanks
REgards
Umesh Daiya
推荐答案
尝试如下..
Try like below..
try
{
conn.Open();
SqlCommand cmd = new SqlCommand("select count(*) from tbl_mnadmin where mn_username='" + txt_username.Text + "' and mn_password='" + txt_password.Text + "'", conn);
int cnt=int.Parse(cmd.ExecuteScalar().ToString());
if (cnt > 0)
{
Session["username"] = txt_username.Text;
Session["pass"] = txt_password.Text;
Response.Redirect("welcome.aspx");
}
else
lbl_msg.Text = "Invalid User Name or Password";
}
catch (Exception ex)
{
}
finally
{
conn.Close();
}
为自己的目的添加Tejas所说的话,不要那样做!
首先:
不要连接字符串以构建SQL命令.它使您对意外或蓄意的SQL注入攻击敞开大门,这可能会破坏整个数据库.请改用参数化查询.
例如,执行此操作的方式是,我不需要任何密码即可登录到您的系统-我要做的就是输入任何用户名,然后输入其他四个字符,然后我就可以登录了.或者,我可以进行扩展,登录(或不登录),然后从世界任何地方删除整个数据库.
其次:
切勿以明文形式存储密码!在这里看看:密码存储:操作方法. [ ^ ]
To add to what Tejas says, for your own sake, don''t do it like that!
Firstly:
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
For example, the way you do it, I do not need any password to log into your system - all I have to do is enter any username, followed by four other characters, and I am logged in. Or, I could extend that, log in (or not log in), and delete your entire database, from anywhere in the world.
Secondly:
Never store passwords in clear text! Have a look here: Password Storage: How to do it.[^]
我认为您遇到了这个问题,因为您直接从sqlreader评估数据,而无需检查天气情况,即您的阅读器中是否有数据.因此,请修改您的代码以验证该部分,这样可能会解决您的问题.我想你可以尝试这样的事情...
I think you face this problem because you directly assessing your data from sqlreader with out checking weather there is data in your reader or not. so please modify your code to validate that part so, it might solve your problem. i think you can try something like this...
try
{
conn.Open();
SqlCommand cmd = new SqlCommand("select * from tbl_mnadmin where mn_username='" + txt_username.Text + "' and mn_password='" + txt_password.Text + "'", conn);
SqlDataReader rdr = cmd.ExecuteReader();
while (rdr.Read()) // put validation like this, it will go forward only if there is some data in your reader.
{
if (rdr["mn_username"].ToString().Length > 0)
{
Session["username"] = rdr["mn_username"];
Session["pass"] = rdr["mn_password"];
Response.Redirect("welcome.aspx");
}
else
{
lbl_msg.Text = "Invalid User Name or Password";
}
}
}
catch (Exception ex)
{
}
finally
{
conn.Close();
}
这篇关于ASP.NET C#中的登录注销问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
