用户'sa'登录失败。描述：执行当前Web请求期间发生未处理的异常。请查看堆栈跟踪以获取有关错误的更多信息和... [英] Login failed for user 'sa'. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and...

问题描述

如何解决这个错误





SqlCommand cmd = new SqlCommand（select system（*）from systemlogin where Username =' + Textbox1.Text +'，'+ Textbox2.Text +'，con）;



cmd.Parameters.AddWithValue（@ Username， Textbox1.Text）;

cmd.Parameters.AddWithValue（@ Password，Textbox2.Text）;

SqlDataAdapter da = new SqlDataAdapter（cmd）;

DataTable dt = new DataTable（）;

da.Fill（dt）;



if（dt.Rows.Count> 0）

{

Response.Redirect（design.aspx） ）;

}

else

{

Response.Write（无效的名字）;

}

how to solve this error


SqlCommand cmd = new SqlCommand("select Count(*) from systemlogin where Username='" + Textbox1.Text + "','" + Textbox2.Text + "'", con);

cmd.Parameters.AddWithValue("@Username", Textbox1.Text);
cmd.Parameters.AddWithValue("@Password", Textbox2.Text);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataTable dt = new DataTable();
da.Fill(dt);

if (dt.Rows.Count>0)
{
Response.Redirect("design.aspx");
}
else
{
Response.Write("Invalid name");
}

推荐答案

好悲伤！

所以在一个问题上要做很多坏事......


首先，为什么你使用用户sa？这是整个SQL实例的默认系统管理员，它完全控制所有数据库，而不仅仅是你的数据库。因此，从安全的角度来看，在您的代码中使用它是一个非常非常糟糕的想法 - 您应该使用具有足够权限的用户来完成他的工作 - 在该数据库上。 sa用户甚至不应该存在，或者应该在安装完成后立即更改密码！



这导致我们进入第二点：不要连接字符串构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。将此与使用sa访问相结合，您可以在服务器上冒险使用evey数据库...



并谈论风险......第三件事：永远不要存储密码明文 - 这是一个重大的安全风险。有关如何在此处执行此操作的信息：密码存储：如何做到这一点。 [ ^ ]



那么......是什么导致了你的问题？我怀疑这是因为你从互联网上抓取了一些代码，看起来它可能会像你想要的那样做，并把它放到你的应用程序中而不考虑它应该如何工作。



不要。

Good grief!
So very many bad things to do in one question...

First off, why the heck are you using user "sa"? That is the default system admin for the whole SQL instance, and it has complete control over all databases, not just yours. So from a security point of view it's a very, very poor idea to use it in your code - you should be using a user with just enough permissions to do his job - on that one database. The "sa" user should not even exist, or should have it's password changed immediately the installation is complete!

Which leads us into the second point: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Combine this with using "sa" access, and you risk evey database on the server...

And talking of risks...The third thing: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]

So...what's causing your problem? I suspect that it's because you have grabbed some code from the internet which looks like it might do something like what you want, and chucked it into your application without thinking about how it is supposed to work.

Don't.

这篇关于用户'sa'登录失败。描述：执行当前Web请求期间发生未处理的异常。请查看堆栈跟踪以获取有关错误的更多信息和...的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！