Why does my change password file give an error, and how can I solve this error?


Problem description

This is my login Windows form. My login form works perfectly, but in the change password file I'm getting an error. Please tell me the error.

login.vb file

Imports System.Windows.Forms
Imports System.Data.SqlClient
Imports System.Data

Public Class frmlogin
    Dim con As New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
    Dim da As SqlDataAdapter
    Dim ds As DataSet
    Private Sub frmlogin_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        txtusername.Focus()
    End Sub

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles btnclear.Click
        txtusername.Clear()
        txtPassword.Clear()
    End Sub

    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
        Try
            da = New SqlDataAdapter("select Username ,Password from tblloggin where Username='" & txtusername.Text & "' and Password='" & txtPassword.Text & "'", con)
            ds = New DataSet()
            ' if da returns more than 0 rows there is a user, so he can log in;
            ' otherwise he can't because no such user exists in the database
            da.Fill(ds, "tblloggin")
            'da.Fill(ds)
            If (ds.Tables("tblloggin").Rows.Count > 0) Then
                frmmain.Show()
                Me.Close()
                frmwelcome.Close()
                ' Me.Hide()
            Else
                MessageBox.Show("Incorrect Username and Password", "tblloggin")
            End If

        Catch ex As Exception
            MessageBox.Show("Invalid Operation can not be process")
        End Try
    End Sub

    Private Sub btnCancel_Click(sender As Object, e As EventArgs) Handles btnCancel.Click
        Me.Close()
    End Sub
End Class

changepasseword.vb file

Imports System.Data
Imports System.Data.SqlClient

Public Class frmchangeprofile
    Dim con As SqlConnection

    Dim cmd As New SqlCommand

    Dim username As String
    Dim password As String
    Private Sub frmchangeprofile_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        con = New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
        con.Open()
        username = frmlogin.txtusername.Text
        password = frmlogin.txtPassword.Text
        txtcpusername.Enabled = False
        txtcpusername.Text = username

    End Sub

    Private Sub btnChangeSubmit_Click(sender As Object, e As EventArgs) Handles btnChangeSubmit.Click
        Try
            If txtcpoldpassword.Text = "" And txtcpnewpassword.Text = "" And txtcpconfirmpassword.Text = "" Then
                MessageBox.Show("Any of the fields can not be left blank")
            ElseIf txtcpoldpassword.Text <> username Then
                MessageBox.Show("Invalid Old Passsword")

            ElseIf txtcpnewpassword.Text <> txtcpconfirmpassword.Text Then
                MessageBox.Show("New Password and Confirm Password does not match")
            Else
                cmd = New SqlCommand()
                cmd.CommandText = "update tbllogin set Password ='" & txtcpnewpassword.Text & "' where Username= '" & username & "'"
                cmd.Connection = con
                cmd.ExecuteNonQuery()
                MsgBox("Password Change successfully")
            End If
        Catch ex As Exception
            MessageBox.Show("Performed Action Cannot be processed")
        End Try

    End Sub

    Private Sub btnClear_Click(sender As Object, e As EventArgs) Handles btnClear.Click
        txtcpoldpassword.Clear()
        txtcpnewpassword.Clear()
        txtcpconfirmpassword.Clear()
    End Sub

    Private Sub btnClose_Click(sender As Object, e As EventArgs) Handles btnClose.Click
        Me.Close()
    End Sub
End Class

Recommended answer

There are so many, many things here that I hardly know where to start...

Let's start with the really dangerous one, shall we?


Do not concatenate strings to build a SQL command. It leaves you wide open to an accidental or deliberate SQL injection attack, which can destroy your entire database. Use parameterized queries instead. Particularly with your login code, which not only lets me destroy your database, but allows me to log in as anyone at all without a password, simply by adding four characters to the end of the username when I enter it:
';--

Second, let's cover the way you store passwords: never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. It's in C#, but it's pretty obvious code.

Finally, why doesn't your code work? If it was relevant - which it isn't, because it all needs ripping out and throwing away to fix the other two points - do you really think my old password is always going to be the same as my username?

ElseIf txtcpoldpassword.Text <> username Then
    MessageBox.Show("Invalid Old Passsword")
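As an added example (not code from the question or the answer), here is how the answer's two points look in VB.NET: both the login lookup and the password update use SqlCommand parameters instead of concatenated strings, and the old password is verified against a salted PBKDF2 hash rather than compared to the username. It assumes the page's table and column names (tblloggin, Username, Password), that the Password column now holds the hash string rather than clear text, and the .NET Core / .NET 5+ cryptography APIs (RandomNumberGenerator.Fill, CryptographicOperations.FixedTimeEquals).

```vbnet
Imports System
Imports System.Data.SqlClient
Imports System.Security.Cryptography

' Assumption: tblloggin(Username, Password) where Password stores "iterations:salt:hash" (Base64).
Public Module SafeLogin
    Private Const Iterations As Integer = 100000
    ' Derive a 32-byte PBKDF2-SHA256 hash from a password and salt.
    Private Function Derive(password As String, salt As Byte(), iterations As Integer) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Stored form for a new password, with a fresh 16-byte random salt.
    Public Function HashPassword(password As String) As String
        Dim salt(15) As Byte
        RandomNumberGenerator.Fill(salt)
        Dim hash = Derive(password, salt, Iterations)
        Return String.Join(":", Iterations.ToString(), Convert.ToBase64String(salt), Convert.ToBase64String(hash))
    End Function
    ' Compare a candidate against the stored form in constant time.
    Public Function VerifyPassword(password As String, stored As String) As Boolean
        Dim parts = stored.Split(":"c)
        If parts.Length <> 3 Then Return False
        Dim expected = Convert.FromBase64String(parts(2))
        Dim actual = Derive(password, Convert.FromBase64String(parts(1)), Integer.Parse(parts(0)))
        Return CryptographicOperations.FixedTimeEquals(expected, actual)
    End Function
    ' Fetch only the stored hash by username; user input never becomes SQL text.
    Public Function Login(con As SqlConnection, username As String, password As String) As Boolean
        Using cmd As New SqlCommand("select Password from tblloggin where Username = @u", con)
            cmd.Parameters.AddWithValue("@u", username)
            Dim stored = TryCast(cmd.ExecuteScalar(), String)
            Return stored IsNot Nothing AndAlso VerifyPassword(password, stored)
        End Using
    End Function
    ' Update only after the old password verifies against the stored hash.
    Public Function ChangePassword(con As SqlConnection, username As String, oldPw As String, newPw As String) As Boolean
        If Not Login(con, username, oldPw) Then Return False
        Using cmd As New SqlCommand("update tblloggin set Password = @p where Username = @u", con)
            cmd.Parameters.AddWithValue("@p", HashPassword(newPw))
            cmd.Parameters.AddWithValue("@u", username)
            Return cmd.ExecuteNonQuery() = 1
        End Using
    End Function
End Module
```

Because the password only ever travels as a parameter value, the `';--` suffix from the answer is stored and compared as ordinary characters and can no longer change the meaning of either query.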
