why is this code not working


Problem description


This is the code for the login button that should check the database and then show another form. But instead it's always giving me the else part here. What am I doing wrong here?

{
    SqlConnection con = new SqlConnection(@"Data Source=SAJJAD-PC;Initial Catalog=hotel;Integrated Security=True;");

    SqlDataAdapter sda = new SqlDataAdapter("select count(*) from login where username = '" + usernametxtbox+"'and password = '" +passwordtxtbox+"'",con);

    DataTable dt = new DataTable();
    sda.Fill(dt);

    if (dt.Rows[0][0].ToString() == "1")
    {
        con.Open();

        this.Hide();
        Form5 form5 = new Form5();
        form5.Show();
    }
    else
    {
        MessageBox.Show("Please Check your username and password again !");
    }

Recommended answer

Dark Commet wrote:

what am I doing wrong here.

Would you like a list? :laugh:

Being honest, the answer is "pretty much everything".
You break the two first rules of databases:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use parameterized queries instead.
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.

Then, you don't check to see if there are any values in your data:

sda.Fill(dt);
if (dt.Rows[0][0].ToString() == "1")

Then you unnecessarily convert to string, and do string comparisons, you use default names for forms, you don't dispose of objects that hold scarce resources, you don't do any error checking, you...

You get the idea. You have a long way to go.

So follow the link, have a read of the code there, and then change your db to support hashed passwords.
Return the hashed password for the user name, and compare that instead of trying to get the count. And please - for your own sake - use parameterised queries at all times!
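The approach the answer describes, written out as an added example (not the poster's code or the answer's): a parameterized query fetches the stored hash for the user name, the row is checked before it is read, and the hash is re-derived and compared instead of counting rows. It assumes a hypothetical schema login(username NVARCHAR, password_hash VARBINARY, salt VARBINARY, iterations INT), PBKDF2-HMAC-SHA256 as the stored-hash scheme, and .NET Core 2.1 or later (for CryptographicOperations.FixedTimeEquals).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example. Assumed table: login(username, password_hash, salt, iterations),
// with password_hash = PBKDF2-HMAC-SHA256(password, salt, iterations).
static class LoginCheck
{
    const string ConnStr =
        @"Data Source=SAJJAD-PC;Initial Catalog=hotel;Integrated Security=True;";

    // True only when the user exists and the supplied password matches the stored hash.
    public static bool VerifyLogin(string username, string password)
    {
        // Parameterized query: the user's input is bound as data, never spliced into SQL text.
        const string sql =
            "SELECT password_hash, salt, iterations FROM login WHERE username = @username";

        // 'using' disposes the connection, command and reader even if an exception is thrown.
        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            con.Open();

            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Unknown user: no row, so there is nothing to compare against.
                if (!reader.Read())
                    return false;

                byte[] storedHash = (byte[])reader["password_hash"];
                byte[] salt = (byte[])reader["salt"];
                int iterations = reader.GetInt32(reader.GetOrdinal("iterations"));

                // Re-derive the hash from the supplied password using the stored salt and cost.
                byte[] candidate;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
                    candidate = kdf.GetBytes(storedHash.Length);

                // Constant-time comparison: run time does not depend on how many bytes match.
                return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
            }
        }
    }
}
```

In the button handler, the decision becomes `if (LoginCheck.VerifyLogin(usernametxtbox.Text, passwordtxtbox.Text))`; note the `.Text` property, since passing the TextBox control itself into a string concatenation yields the control's type name rather than its contents.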

