为什么即使使用正确的凭据我也无法登录? [英] Why can't I login even with correct credentials?
问题描述
嗨!我正在使用Visual Studio 2017.我想用数据库创建一个登录窗口表单。我用Google搜索了观看了许多YouTube视频教学如何做到这一点。我按照说明但是! 2个问题!!
我的尝试:
1。大多数视频都是这样做的:
Hi! I'm using Visual Studio 2017. I wanted to make a login window form with database. I have googled & watched many YouTube videos teaching how to do it. I followed instructions BUT!!! 2 ISSUES!!
What I have tried:
1. Most videos do it this way:
private void btnLogin_Click(object sender, EventArgs e)
{
SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\run_h\OneDrive\Documents\LoginDB.mdf;Integrated Security=True");
string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";
SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if(dtbl.Rows[0][0].ToString() == "1")
{
frmMain objfrmMain = new frmMain();
this.Hide();
objfrmMain.Show();
}
else
{
MessageBox.Show("Try again next time.");
}
}
问题:^方法会给我else语句结果在我输入正确的凭据后。然后,我读了一些评论,替代解决方案是 -
2。替代解决方案:
Issue: That ^ method will give me the else statement results even after I put in the correct credentials. Then, I read some comments and the alternative solution was-
2. Alternative solution:
private void btnLogin_Click(object sender, EventArgs e)
{
SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\run_h\OneDrive\Documents\LoginDB.mdf;Integrated Security=True");
string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";
SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
DataTable dtbl = new DataTable();
sda.Fill(dtbl);
if(dtbl.Rows.Count > 0)
{
frmMain objfrmMain = new frmMain();
this.Hide();
objfrmMain.Show();
}
else
{
MessageBox.Show("Try again next time.");
}
}
问题:替代解决方案,允许我登录和当我没有提供任何凭证时,下一个表格将会出现,如果他们不应该提供错误的凭证。
----
我真不知道如何解决它。有谁知道如何解决这一问题?我非常感谢任何指导。提前谢谢!!
我关注的视频:
在C#中使用Sql Server创建登录窗口 - YouTube [ ^ ]
如何在Visual Studio中使用数据库在C#中创建登录表单?[使用源代码] - YouTube [ ^ ]
----
Issue: The alternative solution, allows me to log in and the next form will appear when I did not put any credentials, AS WELL AS, putting the wrong credentials WHEN THEY SHOULD NOT.
----
I seriously have no idea how to fix it anymore. Does anyone know how to fix this? I really appreciate any guidance. Thank you in advance!!
Videos that I have followed:
Create Login Window in C# Using Sql Server - YouTube[^]
How to Create Login Form in C# with Database in Visual Studio?[With Source Code] - YouTube[^]
----
推荐答案
如果我是坐下来写一个浩不要这样做登录,这段代码可能会出现在书中 - 在如此少的代码行中出现了很多不好的想法......
首先,我可以随意绕过你的密码保护并记录下来在任何没有密码的用户中,只需键入任何用户名,然后输入;; - 作为我的用户名。这称为SQL注入,它会导致用户删除您的数据库。
永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。总是使用参数化查询。
连接字符串时会导致问题,因为SQL会收到如下命令:
If I was to sit down and write a "how not to do it" for logging in, this code could front the book - so many bad ideas in so few lines of code ...
Firstly, I can bypass your password protection at will and log in as any user without a password, just by typing any username, followed by "';--" as my username. This is called SQL Injection and it leads to users deleting your DB.
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'就SQL而言,用户添加的引号会终止字符串,并且您会遇到问题。但情况可能更糟。如果我来并改为输入:x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令:
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'哪个SQL看作三个单独的命令:
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';完全有效的SELECT
A perfectly valid SELECT
DROP TABLE MyTable;完全有效的删除表格通讯和
A perfectly valid "delete the table" command
--'其他一切都是评论。
所以它确实:选择任何匹配的行,从数据库中删除表,并忽略其他任何内容。
所以总是使用参数化查询!或者准备好经常从备份中恢复数据库。你定期做备份,不是吗?
修复整个你的应用程序 - 留下一个并且它是再见宝贝你的数据。
其次,永远不要以明文形式存储密码 - 这是一个主要的安全风险。有关如何在此处执行此操作的信息:密码存储:如何做到这一点。 [ ^ ]
第三,为什么要检索你不会使用的列?永远不要使用 SELECT * FROM ,除非你想要所有的列 - 它是浪费的,在这种情况下是不必要的,因为如果你使用 SELECT COUNT(*)FROM 相反,您可以使用ExecuteScalar而不是DataTable直接获得您感兴趣的计数。
第四,您有多少用户系统允许使用相同的用户名和密码?因为如果它不是至少2,那么你永远不会记录任何人:
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
Fix that throughout your app - leave one in and it's "bye bye baby" to your data.
Secondly, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]
Third, Why retrieve columns you aren't going to use? Never use SELECT * FROM unless you want all the columns - it's wasteful, and in this case unnecessary because if you used SELECT COUNT(*) FROM instead, you could use ExecuteScalar instead of a DataTable and get just the count you are interested in directly.
Fourth, how many users does your system allow to have the same username and password? Because if it isn't at least 2 then you will never log anyone in:
if(dtbl.Rows.Count > 1)
string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";
您需要学习使用调试器。如果txtUsername中有admin,txtPassword中有password并运行上面的代码,请使用调试器查看query的内容。这将是
You need to learn to use the debugger. If you have "admin" in txtUsername and "password" in txtPassword and run the above code, use the debugger to look at the contents of "query". It will be
SELECT count(*) FROM [tblLogin] WHERE username = ' admin ' and password = ' password '
空格也是字符,不会被忽略,系统中的每个用户名和每个密码都有一个前导和尾随空间?
'admin'
与
$ b $不一样b
'admin'
Spaces are characters too, they are not ignored, does every username and every password in your system have a leading and trailing space?
' admin '
is not the same as
'admin'
这篇关于为什么即使使用正确的凭据我也无法登录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
