如何使用mysql在C＃winform中验证用户登录 [英] How to authentication user login in C# winform using mysql

问题描述

我面临用户登录验证方面的问题，其名称和密码与MySQL数据库中的名称和密码相同？请帮助我。我想登录只有那些在数据库和警告信息中的用户才能创建新帐户那些在数据库中没有任何账号的人



我的尝试：



private void AccountLogin（）{



试试

{



string Query =SELECT * FROM acceptor WHERE name ='+ UserNameTxtBox.Text +'AND password ='+ PasswordTxtBox.Text +';

MySqlConnection MyConn2 = new MySqlConnection（MyConnection2）;

MySqlCommand MyCommand2 = new MySqlCommand（Query，MyConn2）;

MySqlDataReader MyReader2;

MyConn2。打开（）;

MyReader2 = MyCommand2.ExecuteReader（）;



MessageBox.Show（Welcome dear'+ UserNameTxtBox.Text +'）;



while（MyReader2。阅读（））

{

}



MyConn2.Close（）;



}



catch（例外情况）

{

MessageBox .Show（ex.Message）;

}

I am facing Problems in Authentication of user Login that name and password is same as Name And Password in MySQL Databases?Kindly help me.I want to Login to Only those user who are in databases and warning message to create new account to those who does't have any account in databases

What I have tried:

private void AccountLogin() {

try
{

string Query = "SELECT * FROM acceptor WHERE name= '" + UserNameTxtBox.Text + "' AND password='" + PasswordTxtBox.Text + "'";
MySqlConnection MyConn2 = new MySqlConnection(MyConnection2);
MySqlCommand MyCommand2 = new MySqlCommand(Query, MyConn2);
MySqlDataReader MyReader2;
MyConn2.Open();
MyReader2 = MyCommand2.ExecuteReader();

MessageBox.Show("Welcome dear'"+UserNameTxtBox.Text+"'");

while (MyReader2.Read())
{
}

MyConn2.Close();

}

catch (Exception ex)
{
MessageBox.Show(ex.Message);
}

推荐答案

不要这样做！永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。改为使用参数化查询。



而且，绝不会以明文形式存储密码 - 这是一个主要的安全风险。有关如何在此处执行此操作的信息：密码存储：如何做到这一点。 [ ^ ] - 它是基于SQL Server的，但它与MySql完全相同。



最后......当你试图检查是否一个用户使用正确的信息登录，看看数据库返回的内容可能是一个好主意，而不是忽略它并假设他们可以登录...你没有得到没有返回行的异常。

Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

And also, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^] - it's SQL Server based, but it's exactly teh same procedure for MySql.

Finally ... when you try to check if a user is logging in with the right info, it's probably a good idea to look at what the database returns, instead of just ignoring it and assuming they can log in ... you don't get an exception for "no rows returned".

在你的查询中，使用反引号括起你的保留字列名。



所以你的查询如下。



string Query =SELECT * FROM acceptor WHERE`name` ='+ UserNameTxtBox.Text +'AND`password` ='+ PasswordTxtBox.Text + ';



此外，我建议使用参数化查询而不是直接注入值。

In your query, use backtick to enclose your reserved word column names.

So you query would be as below.

string Query = "SELECT * FROM acceptor WHERE `name`= '" + UserNameTxtBox.Text + "' AND `password`='" + PasswordTxtBox.Text + "'";

Also, I would suggest to use parameterized query instead of injecting values directly.

这篇关于如何使用mysql在C＃winform中验证用户登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！