用户登录失败 [英] Login failed for user
问题描述
System.Data.dll中发生了'System.Data.SqlClient.SqlException'类型的异常,但未在用户代码中处理。我使用以下服务器详细信息与Windows身份验证。
laptop-upd2jgs7 \sqlexpress.college_education.dbo
我尝试过:
SqlConnection con = new SqlConnection();
con.ConnectionString =数据源=。\\sqlexpress;初始目录= college_education;
con.Open();
string q =insert into category_name(category_name) values('+ TextBox1.Text +');
SqlCommand com = new SqlCommand(q,con);
com.ExecuteNonQuery();
Response.Write(alert('Category successfully registered'));
con.Close();
< blockquote>这里有大量可能的东西。
首先,正如Richard所说,你需要修复代码的漏洞:永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
string q = INSERT INTO category_name(category_name)VALUES(@CN);
使用(SqlCommand com = new SqlCommand(q,con))
{
com.Parameters.AddWithValue( @ CN,TextBox1.Text);
com.ExecuteNonQuery();
} 使用块确保命令关闭并在完成后使用Disposed - 您应该将它用于所有SQL对象(Connections,Commands,DataAdapters,...)
其次,您的连接字符串不包含任何授权信息,例如用户名和密码,或者您使用集成安全性的指示。
看看这个:创建简单SQL连接字符串 [ ^ ] - 它应该可以帮助您创建一个工作字符串。 />
第三,永远不要将连接字符串硬编码到应用程序中 - 总是从配置文件(或者你的情况下是web.config)加载它们。
并帮自己一个忙,并停止使用Visual Studio默认名称 - 你可能还记得tTextBox8是今天的手机号码,但是当你必须在三周内修改它时,你会吗?使用描述性名称 - 例如tbMobileNo - 您的代码变得更容易阅读,更自我记录,更易于维护 - 并且编码速度更快,因为Intellisense可以通过三次击键来tbMobile,其中TextBox8需要思考大概和8次击键......
An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code. i am using the below server details with windows authentication.
laptop-upd2jgs7\sqlexpress.college_education.dbo
What I have tried:
SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=.\\sqlexpress;Initial Catalog=college_education";
con.Open();
string q = "insert into category_name(category_name) values('" + TextBox1.Text + "')";
SqlCommand com = new SqlCommand(q, con);
com.ExecuteNonQuery();
Response.Write("alert('Category successfully registered')");
con.Close();
Loads of possible things here.
First off, as Richard has said you need to fix your code's vulnerability: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
string q = "INSERT INTO category_name (category_name) VALUES (@CN)"; using (SqlCommand com = new SqlCommand(q, con)) { com.Parameters.AddWithValue("@CN", TextBox1.Text); com.ExecuteNonQuery(); }The using block ensures that the command is closes and Disposed when you are finished with it - you should use it for all SQL objects (Connections, Commands, DataAdapters, ...)
Second, your connection string doesn't include any authorization info, such as a username and password, or an indication that you are using integrated security.
Have a look at this: Simple SQL Connection String Creation[^] - it should help you create a working string.
Thirdly, never hard code connection strings into your application - always load them from a configuration file (or web.config in your case).
And do yourself a favour, and stop using Visual Studio default names for everything - you may remember that "TextBox8" is the mobile number today, but when you have to modify it in three weeks time, will you then? Use descriptive names - "tbMobileNo" for example - and your code becomes easier to read, more self documenting, easier to maintain - and surprisingly quicker to code because Intellisense can get to to "tbMobile" in three keystrokes, where "TextBox8" takes thinking about and 8 keystrokes...
这篇关于用户登录失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
