当我创建注册页面的网站时,我收到了这个错误 [英] I am getting this error......when I create the website for registration page
问题描述
错误:System.Data.SqlClient.SqlException(0x80131904):'france'附近的语法不正确。在System.Data.SqlClient.SqlConnection.OnError(SqlException异常,布尔breakConnection)处于System.Data.SqlClient.SqlInternalConnection.OnError(SqlException异常,布尔breakConnection)的System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning()处于System.Data System.SData.SqlClient.SqlCommand.InternalExecuteNonQuery( DbAsyncResult结果,String methodName,Boolean sendToPipe)在Registrtion.Button1_Click(对象发送者,EventArgs e)中的System.Data.SqlClient.SqlCommand.ExecuteNonQuery()中c:\ Users \ adcc \ DocumentA \\ Visual Studio 2010 \ nWebSitesk \ Registrtion.aspx.cs:第42行
我尝试了什么:
我的代码
使用System ;
使用System.Collections.Generic;
使用System.Linq;
使用System.Web;
使用System.Web.UI;
使用System.Web.UI.WebControls;
使用System.Data.SqlClient;
使用System。配置;
公共部分类注册:System.Web.UI.Page
{
protected void Page_Load (对象发送者,EventArgs e)
{
if(IsPostBack)
{
SqlConnection con = new SqlConnection (ConfigurationManager.ConnectionStrings [ConnectionString]。ConnectionString);
con.Open();
SqlCommand com = new SqlCommand(从userdata中选择count(*),其中username ='+ TextBoxun +'和passward ='+ TextBoxpass +',con);
int temp = Convert.ToInt32(com.ExecuteScalar ().ToString());
if(temp == 1)
{
Response.Write(用户已存在);
}
con.Close();
}
}
protected void Button1_Click(object sender,EventArgs e)
{
try
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings [ConnectionString]。ConnectionString);
con.Open();
SqlCommand cmd = new SqlCommand(insert into userdata(username,passward,mobileno,emailid,country)values('+ TextBoxun.Text +','+ TextBoxpass +' ,'+ TextBoxmno +','+ TextBoxeid.Text +','+ dropcountry.SelectedValue +',con);
/ * cmd。 Parameters.AddWithValue(@ uname,TextBoxun.Text);
cmd.Parameters.AddWithValue(@ passward,TextBoxpass.Text);
cmd.Parameters。 AddWithValue( @ MNO,TEXTB oxmno.Text);
cmd.Parameters.AddWithValue(@ email,TextBoxeid.Text);
cmd.Parameters.AddWithValue(@ ucountry,dropcountry。 SelectedValue); * /
cmd.ExecuteNonQuery();
Response.Redirect(Default.aspx);
Response.Write( 成功注册);
con.Close();
}
catch(exception ex)
{
Response.Write(error:+ ex.ToString());
}
}
}
您的代码容易受到 SQL注入 [ ^ ]。 从不使用字符串连接来构建SQL查询。 总是使用参数化查询。
修复该漏洞,您还将修复错误:
< pre lang =C#> protected void Page_Load( object sender,EventArgs e)
{
if (IsPostBack)
{
using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings [ ConnectionString]。ConnectionString))
使用(SqlCommand com = new SqlCommand( 从userdata中选择count(*),其中username = @Username and passward = @Password,con)
{
com.Parameters.AddWithValue( @ Username,TextBoxun.Text);
com.Parameters.AddWithValue( @ Password,TextBoxpass);
con.Open();
int temp = Convert.ToInt32(com.ExecuteScalar());
if (temp == 1 )
{
回复。写( 用户已存在);
}
}
}
}
受保护 void Button1_Click( object sender,EventArgs e)
{
using using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings [ ConnectionString]。ConnectionString))
使用(SqlCommand cmd = new SqlCommand( 插入userdata(username,passward,mobileno,emailid,country)值(@ username,@密码,@ mobileno,@ emailid,@ country),con))
{
cmd.Parameters.AddWithValue( @ username,TextBoxun.Text);
cmd.Parameters.AddWithValue( @ password,TextBoxpass.Text);
cmd.Parameters.AddWithValue( @ mobileno,TextBoxmno.Text);
cmd.Parameters.AddWithValue( @ emailid,TextBoxeid.Text);
cmd.Parameters.AddWithValue( @ country,dropcountry.SelectedValue);
con.Open();
cmd.ExecuteNonQuery();
Response.Redirect( Default.aspx);
}
}
现在您需要修复密码存储空间。您目前将密码存储为纯文本,这是一个极其坏主意。您应该只存储用户密码的盐渍哈希,每个记录使用一个唯一的盐。
停止重新发明轮子并使用一个更简单内置身份验证系统:
- ASP.NET身份 [< a href =https://www.asp.net/identitytarget =_ blanktitle =新窗口> ^ ]
- ASP.NET会员资格 [ ^ ]
你想要的一切了解SQL注入(但不敢问)|特洛伊亨特 [ ^ ]
如何在没有技术术语的情况下解释SQL注入? |信息安全堆栈交换 [ ^ ]
查询参数化备忘单| OWASP [ ^ ]
简单解释安全密码验证 [ ^ ]
Salted Password Hashing - 正确行事 [ ^ ]
error:System.Data.SqlClient.SqlException (0x80131904): Incorrect syntax near 'france'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at Registrtion.Button1_Click(Object sender, EventArgs e) in c:\Users\adcc\Documents\Visual Studio 2010\WebSitesk\Registrtion.aspx.cs:line 42
What I have tried:
my code
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
public partial class Registrtion : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
con.Open();
SqlCommand com=new SqlCommand( "select count(*) from userdata where username='" + TextBoxun + "' and passward='" + TextBoxpass + "'",con);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
if(temp==1)
{
Response.Write("user already exists");
}
con.Close();
}
}
protected void Button1_Click(object sender, EventArgs e)
{
try
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
con.Open();
SqlCommand cmd = new SqlCommand("insert into userdata(username,passward,mobileno,emailid,country) values('"+TextBoxun.Text+"','"+TextBoxpass+"','"+TextBoxmno+"','"+TextBoxeid.Text+"','"+ dropcountry.SelectedValue+"'",con);
/* cmd.Parameters.AddWithValue("@uname", TextBoxun.Text);
cmd.Parameters.AddWithValue("@passward",TextBoxpass.Text );
cmd.Parameters.AddWithValue("@mno",TextBoxmno.Text );
cmd.Parameters.AddWithValue("@email", TextBoxeid.Text);
cmd.Parameters.AddWithValue("@ucountry", dropcountry.SelectedValue);*/
cmd.ExecuteNonQuery();
Response.Redirect("Default.aspx");
Response.Write("succesfully registered");
con.Close();
}
catch (Exception ex)
{
Response.Write("error:" + ex.ToString());
}
}
}
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Fix that vulnerability, and you will also fix the error:
protected void Page_Load(object sender, EventArgs e) { if (IsPostBack) { using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString)) using (SqlCommand com = new SqlCommand("select count(*) from userdata where username = @Username and passward = @Password",con) { com.Parameters.AddWithValue("@Username", TextBoxun.Text); com.Parameters.AddWithValue("@Password", TextBoxpass); con.Open(); int temp = Convert.ToInt32(com.ExecuteScalar()); if (temp == 1) { Response.Write("user already exists"); } } } } protected void Button1_Click(object sender, EventArgs e) { using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString)) using (SqlCommand cmd = new SqlCommand("insert into userdata (username, passward, mobileno, emailid, country) values (@username, @password, @mobileno, @emailid, @country)", con)) { cmd.Parameters.AddWithValue("@username", TextBoxun.Text); cmd.Parameters.AddWithValue("@password", TextBoxpass.Text); cmd.Parameters.AddWithValue("@mobileno", TextBoxmno.Text); cmd.Parameters.AddWithValue("@emailid", TextBoxeid.Text); cmd.Parameters.AddWithValue("@country", dropcountry.SelectedValue); con.Open(); cmd.ExecuteNonQuery(); Response.Redirect("Default.aspx"); } }
Now you need to fix your password storage. You're currently storing passwords as plain text, which is an extremely bad idea. You should only ever store a salted hash of the user's password, using a unique salt per record.
It would be far simpler to stop reinventing the wheel, and use one of the built-in authentication systems:
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]
这篇关于当我创建注册页面的网站时,我收到了这个错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
