How to update password?


Problem description

Protected Sub btnChangepassword_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnChangepassword.Click
       com.Connection = con
       con.Open()
       com.CommandText = "SELECT password FROM signUp WHERE password =@password"
       com.Parameters.Add(New SqlClient.SqlParameter("@password", txtPassword.Text))
       Dim str As String = com.ExecuteScalar
       If str = "" Then
           lblusernametaken.Visible = False


       Else
           lblusernametaken.Visible = True
           Exit Sub
       End If

       Dim sql As String = String.Empty
       sql = "update signUp set password='" & txtNewPassword.Text & "' where empId='" & lblempid.Text & "'"

       Dim cmd As New SqlCommand(sql, con)
       cmd.ExecuteNonQuery()

       con.Close()

   End Sub

What's wrong with this code? Please help.

Recommended answer

Hi,

The way you have to update the password is valid, but it is not a good way. It can be affected by the SQL injection problem. So use a stored procedure to change the password, as follows:

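-- Procedure name is a placeholder; the original post omitted it.
CREATE PROCEDURE ChangePassword (@Oldpwd varchar(20), @Newpwd varchar(20), @Empid int)
as
begin
    -- Update only when the supplied old password matches this employee's row
    if exists(select * from signUp WHERE password = @Oldpwd and empid = @Empid)
    begin
        update signUp set password = @Newpwd where empid = @Empid
    end
end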





Let me know if you have any questions.


Two major things you need to change here:
First, do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Second, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.

When you have fixed those, the chances are your problem will have disappeared anyway...
