索引超出了数组的范围？ [英] Index was outside the bounds of array ?

问题描述

你好

i在我的项目中遇到这个错误

索引超出了数组的范围

i已经正确地给出了索引但是也有一直出现同样的错误

请帮帮我



这里是代码





protected void btnsumit_Click（object sender，EventArgs e）

{



string Username = txtusername .Text;

string SecAns = txtans.Text;



SqlCommand cmd = new SqlCommand（从Info中选择密码，其中Username =' +用户名+'和SecAns ='+ SecAns +'，con）;

con.Open（）;

SqlDataReader dr;

dr = cmd.ExecuteReader（）; //这里我收到错误

if（dr.HasRows）

{

while（ dr.Read（））

{

lbl.Text = dr [5] .ToString（）; //这里我收到错误





}

}



con.Open（）;

cmd.ExecuteNonQuery（）;

con.Close（）;

< br $>
}



我尝试过：



我已经尽了一切可能

但仍然得到错误...请帮助......紧急

解决方案

dr [5] 根据错误引用不存在的行的第6个元素。使用调试器逐步执行代码，看看 dr 的内容是什么样的，你期望它们是什么，以及可能导致意外结果的原因。 />


（另请注意，C＃数组使用从零开始的索引，这意味着 0 指的是第一个元素，所以 5 指的是第6个元素。）



另见Richard的答案（解决方案2）以获得关键安全性关注。

首先修复 SQL注入 [ ^ ]漏洞。有了这些，您可能也没有用户帐户，因为您可以完全访问整个数据库以任意三个岁的人可以按一个按钮 [ ^ ]。



您还需要查看存储数据的方式。安全问题的答案应该被视为密码 - 你必须从不以纯文本形式存储它们：

简单安全密码验证说明 [ ^ ]

Salted Password Hashing - 正确行事 [ ^ ]



作为推论，您不构建忘记密码页面;你建立一个重置密码页面。如果用户忘记了密码，则无需告诉他们密码是什么;你只需要改变它并告诉他们新密码是什么。

Troy Hunt：您想要了解的有关构建安全密码重置功能的所有内容 [ ^ ]



关于您的错误，您选择单个字段。返回的记录将包含单个字段。如果你试图访问单个字段记录的第六个字段，你显然会得到一个索引超出范围的例外。



但严重的是，不要't 只是修复了索引错误并继续前进。您正在构建一个注定要被黑客攻击的应用程序，并且当您的密码和个人信息被盗时，您最终将不得不向您的用户支付巨额赔偿。



（顺便说一下，对于这里的任何人来说都不是紧急。在你的问题上加上迫在眉睫只是粗鲁。）

---

关于SQL注入的所有想法（但是不敢问）|特洛伊亨特 [ ^ ]

如何在没有技术术语的情况下解释SQL注入？ |信息安全堆栈交换 [ ^ ]

查询参数化备忘单| OWASP [ ^ ]

Quote：

我已经正确地给出了索引但是也一直有同样的错误

不，你认为你有，但是如果你一直收到错误，那就不正确了。

请注意，在不同的地方，不同的操作不能有相同的错误信息。

唯一的解决方案是看看使用调试器是什么，它将允许你在错误点检查变量。

有一个几乎通用的解决方案：运行你的调试器上的代码一步一步，检查变量。

调试器在这里向您展示您的代码正在做什么，您的任务是与它应该做什么进行比较。

在调试器中没有魔法，它不知道你应该做什么，它没有找到bug，它只是通过向你展示我是什么来帮助你继续当代码没有达到预期的效果时，你就接近了一个错误。

要查看你的代码在做什么：只需设置断点并查看代码是否正常运行，调试器允许你执行第1行第1行，并在执行时检查变量。

调试器 - 维基百科，免费的百科全书 [ ^ ]



掌握Visual Studio 2010中的调试 - 初学者指南 [ ^ ]

使用Visual Studio 2010进行基本调试 - YouTube [ ^ ]

在Visual Studio中调试C＃代码 - YouTube [ ^ ]

调试器只显示你的代码正在做，你的任务是与它应该做的事情进行比较。



-----

 SqlCommand cmd =  new  SqlCommand（ 从Info中选择密码其中Username =' +用户名+  '和SecAns =' + SecAns +  '，con）; 

不是你问题的解决方案，而是你遇到的另一个问题。

永远不要通过连接字符串来构建SQL查询。迟早，您将使用用户输入来执行此操作，这会打开一个名为SQL注入的漏洞，这对您的数据库很容易并且容易出错。

名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃，那么这是一个SQL注入漏洞，崩溃是最少的问题，恶意用户输入，并且它被提升为具有所有凭据的SQL命令。

SQL注入 - 维基百科 [ ^ ]

SQL注入 [ ^ ]

按示例进行SQL注入攻击 [ ^ ]

PHP：SQL注入 - 手册 [ ^ ]

SQL注入预防备忘单 - OWASP [ ^ ]

Hello
i am getting this error in my project
index was outside the bounds of array
i have given index correctly but too the have same error coming all the time
please help me

here is the code


protected void btnsumit_Click(object sender, EventArgs e)
{

string Username = txtusername.Text;
string SecAns = txtans.Text;

SqlCommand cmd = new SqlCommand("select Password from Info where Username='" + Username + "' and SecAns='" + SecAns + "'", con);
con.Open();
SqlDataReader dr;
dr = cmd.ExecuteReader();//Here i get error
if (dr.HasRows)
{
while (dr.Read())
{
lbl.Text = dr[5].ToString(); // here i am getting error


}
}

con.Open();
cmd.ExecuteNonQuery();
con.Close();

}

What I have tried:

I have tried everything possible
but still getting the error...pls help ...its urgent

解决方案

dr[5] refers to the 6th element of the row which doesn't exist, based on the error. Use a debugger to step through the code and see what the contents of dr look like, what you were expecting them to be, and what could be causing the unexpected result.

(Also note that C# arrays use zero-based indices, which means that 0 refers to the first element so 5 refers to the 6th element.)

[Edit] Also see Richard's answer (Solution 2) for critical security concerns.

Start by fixing the SQL Injection[^] vulnerability in your code. With that in place, you might as well not have user accounts, because you're giving complete access to your entire database to any three-year-old who can press a button[^].

You also need to review how you're storing the data. Answers to security questions should be treated like passwords - you must NEVER store them in plain text:
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

As a corollary, you don't build a "forgot password" page; you build a "reset password" page. If the user can't remember their password, there's no need to tell them what it was; you just need to change it and tell them what the new password is.
Troy Hunt: Everything you ever wanted to know about building a secure password reset feature[^]

As to your error, you are selecting a single field. The returned record will contain a single field. If you try to access the sixth field of a single field record, you will obviously get an "index out of range" exception.

But seriously, don't just fix that index error and move on. You're building an application that's destined to be hacked, and you're going to end up having to pay huge amounts of compensation to your users when their passwords and personal information is stolen.

(And by the way, it's not "urgent" for anyone here. Adding "it's urgent" to your questions is just rude.)

---

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Quote:

i have given index correctly but too the have same error coming all the time

No, you think you have, but if you keep getting an error, it is not correct.
Note that you can't have same error message at 2 different places with different operations.
The only solution to see what is what is to use the debugger, it will allow you to inspect variables at point of error.
There is an almost universal solution: Run your code on debugger step by step, inspect variables.
The debugger is here to show you what your code is doing and your task is to compare with what it should do.
There is no magic in the debugger, it don't know what your is supposed to do, it don't find bugs, it just help you to by showing you what is going on. When the code don't do what is expected, you are close to a bug.
To see what your code is doing: Just set a breakpoint and see your code performing, the debugger allow you to execute lines 1 by 1 and to inspect variables as it execute.
Debugger - Wikipedia, the free encyclopedia[^]

Mastering Debugging in Visual Studio 2010 - A Beginner's Guide[^]
Basic Debugging with Visual Studio 2010 - YouTube[^]
Debugging C# Code in Visual Studio - YouTube[^]
The debugger is here to only show you what your code is doing and your task is to compare with what it should do.

-----

SqlCommand cmd = new SqlCommand("select Password from Info where Username='" + Username + "' and SecAns='" + SecAns + "'", con);

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]

这篇关于索引超出了数组的范围？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！