retrieve name from database


Problem description

The code and password are compared on the login page. A correct login ID and password should retrieve the name to another page, but it doesn't retrieve the name.

con.Open()
cmd = New SqlCommand("Select * from dbo.ei_employee where code = '" & user_name.Text & "'and password = '" & password.Text & "' ", con)
sdr = cmd.ExecuteReader()
'view = "select * from dbo.ei_employee where code = '" & user_name.Text & "'"
'Dim ds As DataSet = GetData(view)
'If (ds.Tables.Count > 0) Then
'    eid = sdr.GetValue(2)

If (sdr.Read()) Then
    Session("user_name") = enam as string

    Response.Redirect("attview.aspx")
    con.Close()
Else
    LinkButton1.Visible = True

    con.Close()
End If

Answers

If (sdr.Read()) Then
  Session("user_name") = enam as string

Where does enam come from?

Maybe you should try something like this:

If (sdr.Read()) Then
    ' VB.NET indexes a data reader with parentheses, and CStr does the string conversion
    Session("user_name") = CStr(sdr("column_name"))

    Response.Redirect("attview.aspx?userName=" & Session("user_name"))
End If



By the way, Dylan Morley is right about the SQL injection, you should take that into consideration.

Hope it helps


Don't do it that way!
For example, if I tried to log in to your system with the user name
Hello';DROP TABLES dbo.ei_employee;--

What do you think would happen?
Or, I could just log in without giving you a password, if I wanted to.
1) Don't concatenate strings: use parametrized queries instead. Or you will lose your database. Probably to your best mate "for a laugh".

cmd = New SqlCommand("Select * from dbo.ei_employee where code = @NM AND password = @PW", con)
cmd.Parameters.AddWithValue("@NM", user_name.Text)
cmd.Parameters.AddWithValue("@PW", password.Text)
sdr = cmd.ExecuteReader()


2) Don't store passwords in clear text! There is a description here which may help: Password Storage: How to do it.
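The following is an added example that puts the two points of this answer together in one VB.NET login routine; it is not code from the question or from either answer. It assumes a table dbo.ei_employee with columns code, ename, password_hash and password_salt (the original only names code and password; the other column names are assumptions), a PBKDF2 hash stored at registration time with the same parameters, and .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```vb
' Added example, not part of the original question or answers.
' Assumed schema: dbo.ei_employee(code, ename, password_hash VARBINARY, password_salt VARBINARY)
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Public Module LoginCheck
    Private Const Iterations As Integer = 100000
    Private Const HashLength As Integer = 32

    ' Derives a PBKDF2-SHA256 hash of the password under the stored per-user salt.
    ' The same function is used when the password is first stored.
    Public Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashLength)
        End Using
    End Function

    ' Compares two byte arrays without short-circuiting on the first difference.
    Private Function SlowEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' Looks the employee up by code with a parameterized query, then verifies the
    ' password against the stored hash in application code. Returns the employee's
    ' name on success and Nothing otherwise. The password never reaches the SQL text,
    ' so neither the DROP TABLE trick nor the password bypass above has anything to act on.
    Public Function TryLogin(connectionString As String, code As String, password As String) As String
        Const sql As String = "SELECT ename, password_hash, password_salt FROM dbo.ei_employee WHERE code = @code"
        Using con As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, con)
                ' Typed parameter: the input is bound as data, never spliced into the query.
                cmd.Parameters.Add("@code", SqlDbType.NVarChar, 50).Value = code
                con.Open()
                Using sdr As SqlDataReader = cmd.ExecuteReader()
                    If Not sdr.Read() Then Return Nothing
                    Dim storedHash As Byte() = CType(sdr("password_hash"), Byte())
                    Dim storedSalt As Byte() = CType(sdr("password_salt"), Byte())
                    Dim candidate As Byte() = HashPassword(password, storedSalt)
                    If SlowEquals(candidate, storedHash) Then
                        Return sdr.GetString(sdr.GetOrdinal("ename"))
                    End If
                    Return Nothing
                End Using
            End Using
        End Using
        ' Using blocks close the reader and connection on every path, including when
        ' Response.Redirect aborts the thread, which the original con.Close() calls do not.
    End Function
End Module

' Assumed use from the page's code-behind (connStr is an assumed connection string):
'
' Dim name As String = LoginCheck.TryLogin(connStr, user_name.Text, password.Text)
' If name IsNot Nothing Then
'     Session("user_name") = name
'     Response.Redirect("attview.aspx")
' Else
'     LinkButton1.Visible = True
' End If
```

Note that the query selects only the row for the given code and the password check happens after the row is read, so a wrong password and an unknown code both end in the same Nothing result; the stored value is a salted hash, so a leaked table does not yield the passwords themselves.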

