Login form not working when entered correct info


Problem description

Hi! I am new at .NET and facing the following problem: when I use "Count(*)" I am able to log in even if I don't enter anything, and when I use only "*" after SELECT I am unable to log in even if I provide the correct username and password. Here is my code.

//code

using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Mohammad Fahad\Documents\data.mdf;Integrated Security=True;Connect Timeout=30");
    // The two text box values are concatenated straight into the SQL text
    SqlDataAdapter sda = new SqlDataAdapter("SELECT Count(*) FROM login WHERE user='" + textBox1.Text + "' AND pass ='" + textBox3.Text + "'", con);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    // COUNT(*) always produces exactly one row (containing 0 when nothing matches)
    if (dt.Rows.Count > 0)
    {
        this.Hide();
        Main ss = new Main();
        ss.Show();
    }
    else
    {
        MessageBox.Show("Please check your username and password");
    }
}



What I have tried:

I have tried both of the ways and got undesirable results.
I am a newbie and can't find what the problem is.

Solution

Notice that you are checking to see if there are any rows. SELECT COUNT(*) will always return a row.

The way you are passing in the username and password means that someone could hack your db by passing in SQL commands. You should use parameters, and it is also better to use the using statement. Something like

// Requires: using System.Data; using System.Data.SqlClient;
// connString is the connection string (for example the one from the question).
bool userIsValid = false;
using (SqlConnection sqlCon = new SqlConnection(connString)){
  sqlCon.Open();
  using (SqlCommand cmd = new SqlCommand("LoginUser", sqlCon)){
    cmd.CommandType = CommandType.StoredProcedure;
    // The values travel as parameters, so quotes in the input cannot change the SQL text
    cmd.Parameters.AddWithValue("@userid", txtUserId.Text);
    cmd.Parameters.AddWithValue("@password", txtPassword.Text);
    using (SqlDataReader dr = cmd.ExecuteReader()) {
      userIsValid = dr.HasRows;   // a matching row means the credentials were accepted
    }
  }
}



And then have a Stored Procedure something like

CREATE PROCEDURE LoginUser
(
  @userid    NVARCHAR (50),
  @password  NVARCHAR (50)
)
AS
BEGIN
  SELECT * FROM users WHERE userid = @userid AND password = @password COLLATE SQL_Latin1_General_CP1_CS_AS -- to make password case sensitive
END



And if possible, encrypt or even hash the password field.


Two things, in addition to what 011111100010 has said:
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

DROP TABLE MyTable;

A perfectly valid "delete the table" command

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you? And on a login? That's just handing the keys to the burglars while you are blindfolded!
So go through your whole app, and fix every last one of those - or you will lose your DB at some point.

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
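The points made in the two answers above (the COUNT(*) query always returning a row, string concatenation versus parameters, the Baker's Wood quote and the DROP TABLE batch, and hashed rather than clear-text passwords) can be exercised end to end with the following added example. It is not code from the question or from either answer. It is written in Python against an in-memory SQLite database from the standard library, standing in for C# and SQL Server so that it runs stand-alone; the table layouts, the sample user 'fahad' / 's3cret', the PBKDF2 parameters and every helper name are assumptions made for this demonstration. One SQLite difference is that its execute() refuses text containing more than one statement, so the DROP TABLE batch is sent through executescript(), which behaves like SqlCommand accepting a batch. One caveat the answers do not mention: in T-SQL, USER is a reserved keyword (the built-in function returning the current database user), so a column really named user must be written [user] in a SQL Server query; SQLite does not reserve the name, so the example uses it as posted.

```python
"""
Added example (not from the original post or answers): the posted login bugs and
their fix, run against an in-memory SQLite database as a stand-in for SQL Server.
All table layouts, sample rows and helper names are constructed for this demo.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations; raise it for production hardware.
PBKDF2_ITERATIONS = 100_000


def make_db():
    """Constructed sample data: the poster's plaintext 'login' table plus a hashed 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO login VALUES ('fahad', 's3cret')")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB, pass_hash BLOB, iterations INTEGER)")
    conn.commit()
    return conn


def login_count_concat(conn, user, pw):
    """The poster's first attempt: COUNT(*) and then 'were any rows returned?'."""
    sql = "SELECT Count(*) FROM login WHERE user='" + user + "' AND pass='" + pw + "'"
    rows = conn.execute(sql).fetchall()
    # COUNT(*) always yields exactly one row (holding 0 on no match), so this is always True.
    return len(rows) > 0


def login_select_concat(conn, user, pw):
    """The poster's second attempt: SELECT * built by string concatenation (injectable)."""
    sql = "SELECT * FROM login WHERE user='" + user + "' AND pass='" + pw + "'"
    return len(conn.execute(sql).fetchall()) > 0


def concat_breaks_on_quote(conn, user):
    """A stray quote in the input (the Baker's Wood case) is a SQL syntax error."""
    try:
        login_select_concat(conn, user, "x")
        return False
    except sqlite3.OperationalError:
        return True


def inject_drop_concat(conn, user, pw):
    """Same concatenation, executed as a batch the way SqlCommand would accept it.
    sqlite3's execute() refuses multi-statement text, so executescript() models
    SQL Server's batch behaviour here."""
    sql = "SELECT * FROM login WHERE user='" + user + "' AND pass='" + pw + "'"
    conn.executescript(sql)


def table_exists(conn, name):
    """Parameterized catalog lookup, used to observe the effect of DROP TABLE."""
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def hash_password(pw, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return salt, digest


def register(conn, userid, pw):
    """Store only salt, hash and iteration count, never the clear-text password."""
    salt, digest = hash_password(pw)
    conn.execute("INSERT INTO users (userid, salt, pass_hash, iterations) VALUES (?, ?, ?, ?)",
                 (userid, salt, digest, PBKDF2_ITERATIONS))
    conn.commit()


def login_param(conn, userid, pw):
    """Parameterized lookup by user id; the password is verified in code, not in SQL."""
    row = conn.execute("SELECT salt, pass_hash, iterations FROM users WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        # Burn one hash anyway so an unknown user is not cheaper to probe than a wrong password.
        hash_password(pw, b"\x00" * 16)
        return False
    salt, stored, iterations = row
    _, candidate = hash_password(pw, salt, iterations)
    return hmac.compare_digest(stored, candidate)  # constant-time comparison


def run_demo():
    """Runs every case on a fresh database and returns the observations by name."""
    conn = make_db()
    results = {
        "count_empty_credentials": login_count_concat(conn, "", ""),
        "select_correct": login_select_concat(conn, "fahad", "s3cret"),
        "select_wrong": login_select_concat(conn, "fahad", "wrong"),
        "select_tautology": login_select_concat(conn, "' OR '1'='1", "' OR '1'='1"),
        "quote_breaks_query": concat_breaks_on_quote(conn, "Baker's Wood"),
    }
    register(conn, "fahad", "s3cret")
    results["param_correct"] = login_param(conn, "fahad", "s3cret")
    results["param_wrong"] = login_param(conn, "fahad", "wrong")
    results["param_tautology"] = login_param(conn, "' OR '1'='1", "' OR '1'='1")
    inject_drop_concat(conn, "x'; DROP TABLE login;--", "")
    results["login_table_survives"] = table_exists(conn, "login")
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the empty-credential login succeeding through COUNT(*), the tautology input logging in through the concatenated SELECT, the Baker's Wood input failing with a syntax error, the login table gone after the batched DROP TABLE, and the parameterized, hashed version accepting only the real password. Looking the user up by id alone and comparing the PBKDF2 digest in code means the stored procedure in the first answer would no longer need to compare the password column in SQL at all.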

