Exception (Short Code) C#HELP


Problem description


Hi guys, I checked the code like 20 times; I just can't find what causes the exception. The code seems correct to me!



I always get an exception:
"System.Data.OleDb.OleDbException"


EDIT:

Exception now

Now I get a different exception which says:

"System.Data.OleDb.OleDbException"
Additional Information: at least one parameter's value is missing!
at the same line
(OleDbDataReader reader = command.ExecuteReader();)




Hopefully someone can help me out

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.OleDb;

namespace WindowsFormsApplication5
{
    public partial class Form1 : Form
    {
        private OleDbConnection connection = new OleDbConnection();
        public Form1()
        {
            InitializeComponent();
            connection.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=\\xxx.acddb;
Persist Security Info=False;";
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            try
            {
                
                
                connection.Open();
                ConnectionOk.Text = "Connection sucesfull!!";
                connection.Close();

            }catch(Exception ex)
            {
                MessageBox.Show("Error!" + ex);
            }

        }

        private void btn_Login_Click(object sender, EventArgs e)
        {
            connection.Open();
            OleDbCommand command = new OleDbCommand();
            command.Connection = connection;

            // EDIT: changed from
            //command.CommandText = "SELECT *FROM EmployeData WHERE Benutzer='" + txt_Username.Text + "' AND Passwort'" + txt_Password.Text + "'; ";
            // to:
            command.CommandText = string.Format("SELECT * FROM EmployeData WHERE Benutzer = '{0}' AND Passwort = '{1}'", txt_Username.Text, txt_Password.Text);

            OleDbDataReader reader = command.ExecuteReader();
            //This is where i get the Exception


            int count = 0;
            while(reader.Read())
            {
                count++;
            }
            if(count == 1)
            {
                MessageBox.Show("Anmeldung erfolgreich!");
            }
            if (count > 1)
            {
                MessageBox.Show("Duplicate Username and password ");
            }
            else
            {
                MessageBox.Show("Anmeldung fehlgeschlagen! Passwort oder Benutzername nicht korrekt!");
            }
            connection.Close();

            
        }
    }
}

Solutions

Never concatenate values directly into your SQL statements. This leaves you wide open to SQL injection. Instead use OleDbParameter.

So your SELECT should basically be something like

command.CommandText = "SELECT *FROM EmployeData WHERE Benutzer=? AND Passwort = ?";


BUT that's not right yet. It seems that you store the password as plain text and compare it to the value in the database. This is something that also should never be done. Please go through Password Storage: How to do it.


There's a typo in the SQL statement:

"SELECT * FROM EmployeData WHERE Benutzer='" + txt_Username.Text + "' AND Passwort ='" + txt_Password.Text + "';"


However, concatenating parameters with SQL invites SQL injection; use a parameterized query. Refer: Give me parameterized SQL, or give me death


The tutorial you're following is terrible.

  • As others have mentioned, using string concatenation to build SQL queries leaves your code vulnerable to SQL Injection. You should be using a parameterized query instead.
  • Storing passwords in plain-text is a very bad idea. You should only ever store a salted hash of the password.
    Secure Password Authentication Explained Simply
    Salted Password Hashing - Doing it Right
  • Connection objects should generally be created when needed, not stored in class-level fields.
  • Objects which implement IDisposable should be wrapped in a using block.
  • In the final set of if blocks, there's a missing else before the second if. Without it, if a single record matches, you will get both the "login succeeded" and the "invalid username or password" messages.


Here's a tidied-up version of the code.
NB: It still doesn't address the password storage issues, which would need changes to your database.

using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

namespace WindowsFormsApplication5
{
    public partial class Form1 : Form
    {
        private const string ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=\\xxx.acddb;Persist Security Info=False;";

        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            try
            {
                using (OleDbConnection connection = new OleDbConnection(ConnectionString))
                {
                    connection.Open();
                    ConnectionOk.Text = "Connection sucesfull!!";
                }
            }
            catch(Exception ex)
            {
                MessageBox.Show("Error!" + ex);
            }
        }

        private void btn_Login_Click(object sender, EventArgs e)
        {
            using (OleDbConnection connection = new OleDbConnection(ConnectionString))
            using (OleDbCommand command = new OleDbCommand())
            {
                command.Connection = connection;
                command.CommandText = "SELECT * FROM EmployeeData WHERE Benutzer = ? And Passwort = ?";

                // OleDbCommand doesn't use the parameter names;
                // you just need to add them in the same order they appear in the query.

                command.Parameters.AddWithValue("p0", txt_Username.Text);
                command.Parameters.AddWithValue("p1", txt_Password.Text);

                connection.Open();

                int count = 0;
                using (OleDbDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection))
                {
                    while (reader.Read())
                    {
                        count++;
                    }
                }

                if (count == 1)
                {
                    MessageBox.Show("Anmeldung erfolgreich!");
                }
                else if (count > 1)
                {
                    MessageBox.Show("Duplicate Username and password ");
                }
                else
                {
                    MessageBox.Show("Anmeldung fehlgeschlagen! Passwort oder Benutzername nicht korrekt!");
                }
            }
        }
    }
}



Let me repeat: This still doesn't address the password storage issues.
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
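The answers above stop at "this still doesn't address the password storage issues". The following is an added example, not code from the thread or from any of the answerers, showing what the login check looks like once the table holds a per-user salt and a PBKDF2 hash instead of the plain password. It keeps the positional OleDb `?` parameter from the tidied-up answer, but now only the username goes into the query; the password is verified in code and never becomes part of the SQL text. The table name `EmployeeData` and the columns `Benutzer`, `PasswortSalt` and `PasswortHash` (both Base64 text) are assumptions for this example, as is a .NET Framework 4.7.2 or newer target, where the `Rfc2898DeriveBytes` constructor that takes a `HashAlgorithmName` is available.

```csharp
// Added example (not from the original thread): salted PBKDF2 password storage
// and verification for the OleDb/Access login in the question.
// Assumed (hypothetical) schema: EmployeeData(Benutzer TEXT, PasswortSalt TEXT, PasswortHash TEXT)
using System;
using System.Data;
using System.Data.OleDb;
using System.Security.Cryptography;

public static class PasswordLogin
{
    private const int SaltSize = 16;       // 128-bit random salt, unique per user
    private const int HashSize = 32;       // 256-bit derived key
    private const int Iterations = 100000; // PBKDF2 work factor; raise as hardware allows

    // Called when a user is created or changes their password.
    // Store both outputs in the user's row; the plain password is never stored.
    public static void CreateHash(string password, out string saltB64, out string hashB64)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        byte[] hash = Derive(password, salt);
        saltB64 = Convert.ToBase64String(salt);
        hashB64 = Convert.ToBase64String(hash);
    }

    // PBKDF2-HMAC-SHA256 over the password with the user's salt.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compare every byte so a mismatch takes the same time regardless of
    // where the first differing byte is (no early exit on the first difference).
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Looks the user up by name only, using one positional ? parameter as in the
    // tidied-up answer, then verifies the password in code.
    public static bool Verify(string connectionString, string username, string password)
    {
        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(
            "SELECT PasswortSalt, PasswortHash FROM EmployeeData WHERE Benutzer = ?", connection))
        {
            // OleDb ignores the parameter name; position is what binds it to the first ?.
            command.Parameters.AddWithValue("p0", username);
            connection.Open();

            using (OleDbDataReader reader = command.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    // Unknown user: still run the KDF so response time does not
                    // reveal which usernames exist.
                    Derive(password, new byte[SaltSize]);
                    return false;
                }

                byte[] salt = Convert.FromBase64String(reader.GetString(0));
                byte[] expected = Convert.FromBase64String(reader.GetString(1));
                byte[] actual = Derive(password, salt);
                return FixedTimeEquals(actual, expected);
            }
        }
    }
}
```

In the form from the answer, `btn_Login_Click` would reduce to `if (PasswordLogin.Verify(ConnectionString, txt_Username.Text, txt_Password.Text)) { ... }`, and the two "count" branches disappear because the query no longer depends on the password matching a stored value. Migrating an existing table means calling `CreateHash` for each user the next time they log in with their current password, then dropping the plain-text column.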

