I am getting an error in this, can anyone tell me?

Views: 103

Problem description

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnlogin_Click(object sender, EventArgs e)
    {

        //SqlConnection con=new SqlConnection(ConfigurationManager.ConnectionStrings["userinformation"].ConnectionString);
        SqlConnection con = new SqlConnection("Data Source=............;Initial Catalog=IMADB;User ID=usr_ima;password=temp123");
        con.Open();
        string cmdstr = "select * from tbluser where username='" + TextBox1.Text + "'";
        SqlCommand checkuser = new SqlCommand(cmdstr, con);
        int temp = Convert.ToInt32(checkuser.ExecuteNonQuery().ToString());
        if (temp == 1)
        {
            string cmdstr2 = "select * from tbluser where userpassword='" +TextBox2.Text+ "'";
            SqlCommand pass = new SqlCommand(cmdstr2, con);
            string password = pass.ExecuteNonQuery().ToString();
            con.Close();
            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("Default3.aspx");
            }
            else
            {
                Label3.Visible = true;
                Label3.Text = "Invalid password....!!!";
            }
        }
        else
        {
            Label3.Visible = true;
            Label3.Text = "Invalid username....!!!";
        }
    }
}
[edit]Code block added - OriginalGriff[/edit]

Recommended answer

Well, it could be anything...but there are a few things you ought to do to prevent other problems:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead:
string cmdstr = "select * from tbluser where username=@UN";
SqlCommand checkuser = new SqlCommand(cmdstr, con);
checkuser.Parameters.AddWithValue("@UN", TextBox1.Text);




2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
3) Don't use VS default names for your controls. You may remember today what TextBox1 and Label3 are supposed to do, but you won't next month! Use meaningful names: tbUserName and labErrorMessage instead - it makes your code a lot easier to work with, and read.

In fact your basic problem is pretty easy to spot:
When you read from the table to match the password, what is returned is not what you want - it is a count of the rows that would be returned, if you had read them. So, it won't match the entered password unless the user decides to have "1" as his password.

Implement the stuff above, and try again. But really, you should look at introducing Membership instead - it's a lot easier than your whole system will be. http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.85).aspx
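Added example, not code from the question or from OriginalGriff's answer: the login handler reworked along the lines of the answer, with a parameterised query, ExecuteReader instead of ExecuteNonQuery, and a salted PBKDF2 hash check in place of the clear-text password. It assumes the suggested control names tbUserName, tbPassword and labErrorMessage, the commented-out userinformation connection string, and an altered tbluser table that stores passwordsalt and passwordhash columns produced with the same PBKDF2 settings.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;
public partial class Default2 : Page
{
    // Assumed schema, not the question's: tbluser(username, passwordsalt, passwordhash),
    // passwordhash = PBKDF2(password, passwordsalt); the clear-text column is gone.
    private const int Pbkdf2Iterations = 100000;
    protected void btnlogin_Click(object sender, EventArgs e)
    {
        // Parameterised query: the input travels as a value, never as SQL text.
        const string sql = "select passwordsalt, passwordhash from tbluser where username = @UN";
        using (SqlConnection con = new SqlConnection(
            ConfigurationManager.ConnectionStrings["userinformation"].ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@UN", SqlDbType.NVarChar, 50).Value = tbUserName.Text;
            con.Open();
            // ExecuteReader returns the row itself; ExecuteNonQuery never returns the
            // row's data, which is why the original ends up comparing against "1".
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                bool ok = rdr.Read() && VerifyPassword(tbPassword.Text,
                    (byte[])rdr["passwordsalt"], (byte[])rdr["passwordhash"]);
                if (ok)
                {
                    Session["New"] = tbUserName.Text;
                    Response.Redirect("Default3.aspx");
                    return;
                }
            }
        }
        // One message for unknown user and wrong password: does not confirm usernames.
        labErrorMessage.Visible = true;
        labErrorMessage.Text = "Invalid username or password.";
    }
    private static bool VerifyPassword(string candidate, byte[] salt, byte[] expected)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(candidate, salt, Pbkdf2Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0; // constant-time compare: no early exit on first mismatch
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}
```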

