Why My Change Password File Gives Error How I Can Some This Error
Problem description
This is my login Windows form. My login form works perfectly, but in the change password file I am getting an error. Please tell me the error.
login.vb file
Imports System.Windows.Forms
Imports System.Data.SqlClient
Imports System.Data
Public Class frmlogin
    Dim con As New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
    Dim da As SqlDataAdapter
    Dim ds As DataSet
    Private Sub frmlogin_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        txtusername.Focus()
    End Sub
    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles btnclear.Click
        txtusername.Clear()
        txtPassword.Clear()
    End Sub
    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
        Try
            da = New SqlDataAdapter("select Username ,Password from tblloggin where Username='" & txtusername.Text & "' and Password='" & txtPassword.Text & "'", con)
            ds = New DataSet()
            ' if da returns more than 0 rows there is a user, then he can login
            ' otherwise he can't because no user exists in the database
            da.Fill(ds, "tblloggin")
            'da.Fill(ds)
            If (ds.Tables("tblloggin").Rows.Count > 0) Then
                frmmain.Show()
                Me.Close()
                frmwelcome.Close()
                ' Me.Hide()
            Else
                MessageBox.Show("Incorrect Username and Password", "tblloggin")
            End If
        Catch ex As Exception
            MessageBox.Show("Invalid Operation can not be process")
        End Try
    End Sub
    Private Sub btnCancel_Click(sender As Object, e As EventArgs) Handles btnCancel.Click
        Me.Close()
    End Sub
End Class
changepasseword.vb file
Imports System.Data
Imports System.Data.SqlClient
Public Class frmchangeprofile
    Dim con As SqlConnection
    Dim cmd As New SqlCommand
    Dim username As String
    Dim password As String
    Private Sub frmchangeprofile_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        con = New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
        con.Open()
        username = frmlogin.txtusername.Text
        password = frmlogin.txtPassword.Text
        txtcpusername.Enabled = False
        txtcpusername.Text = username
    End Sub
    Private Sub btnChangeSubmit_Click(sender As Object, e As EventArgs) Handles btnChangeSubmit.Click
        Try
            If txtcpoldpassword.Text = "" And txtcpnewpassword.Text = "" And txtcpconfirmpassword.Text = "" Then
                MessageBox.Show("Any of the fields can not be left blank")
            ElseIf txtcpoldpassword.Text <> username Then
                MessageBox.Show("Invalid Old Passsword")
            ElseIf txtcpnewpassword.Text <> txtcpconfirmpassword.Text Then
                MessageBox.Show("New Password and Confirm Password does not match")
            Else
                cmd = New SqlCommand()
                cmd.CommandText = "update tbllogin set Password ='" & txtcpnewpassword.Text & "' where Username= '" & username & "'"
                cmd.Connection = con
                cmd.ExecuteNonQuery()
                MsgBox("Password Change successfully")
            End If
        Catch ex As Exception
            MessageBox.Show("Performed Action Cannot be processed")
        End Try
    End Sub
    Private Sub btnClear_Click(sender As Object, e As EventArgs) Handles btnClear.Click
        txtcpoldpassword.Clear()
        txtcpnewpassword.Clear()
        txtcpconfirmpassword.Clear()
    End Sub
    Private Sub btnClose_Click(sender As Object, e As EventArgs) Handles btnClose.Click
        Me.Close()
    End Sub
End Class
Recommended answer
There are so many, many things here that I hardly know where to start...
Let's start with the really dangerous one, shall we?
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly with your login code which not only lets me destroy your database, but allows me to log in as anyone at all without a password, simply by adding four characters to the end of the username when I enter it:
';--
Second, let's cover the way you store passwords: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. - it's in C#, but it's pretty obvious code.
Finally, why doesn't your code work? If it was relevant - which it isn't, because it all needs ripping out and throwing away to fix the other two points - do you really think my old password is always going to be the same as my username?
ElseIf txtcpoldpassword.Text <> username Then
MessageBox.Show("Invalid Old Passsword")
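The answer's first two points applied to the change-password step, as an added VB.NET example that is not part of the original question or answer: every query uses parameters instead of concatenation, the old password is checked against the database rather than the username, and the password is stored as a salted PBKDF2 hash. The PasswordSalt and PasswordHash columns, the module name, the iteration count and an already-open connection are assumptions.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

' Added example, not the poster's code. Assumes tblloggin has hypothetical
' columns PasswordSalt VARBINARY(16) and PasswordHash VARBINARY(32)
' in place of the clear-text Password column.
Public Module PasswordStore
    Private Const Iterations As Integer = 100000   ' assumed work factor

    Private Function Derive(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' True only when the stored salted hash matches the supplied password.
    Public Function Verify(con As SqlConnection, user As String, password As String) As Boolean
        Using cmd As New SqlCommand("SELECT PasswordSalt, PasswordHash FROM tblloggin WHERE Username = @u", con)
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = user
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                If Not rdr.Read() Then Return False
                Dim salt = DirectCast(rdr("PasswordSalt"), Byte())
                Dim stored = DirectCast(rdr("PasswordHash"), Byte())
                Dim candidate = Derive(password, salt)
                ' Compare every byte so timing does not reveal the first mismatch.
                Dim diff As Integer = stored.Length Xor candidate.Length
                For i As Integer = 0 To System.Math.Min(stored.Length, candidate.Length) - 1
                    diff = diff Or (stored(i) Xor candidate(i))
                Next
                Return diff = 0
            End Using
        End Using
    End Function

    ' Verifies the old password, then stores a fresh salt and hash.
    Public Function ChangePassword(con As SqlConnection, user As String, oldPassword As String, newPassword As String) As Boolean
        If Not Verify(con, user, oldPassword) Then Return False
        Dim salt(15) As Byte   ' 16 random bytes
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using cmd As New SqlCommand("UPDATE tblloggin SET PasswordSalt = @s, PasswordHash = @h WHERE Username = @u", con)
            cmd.Parameters.Add("@s", SqlDbType.VarBinary, 16).Value = salt
            cmd.Parameters.Add("@h", SqlDbType.VarBinary, 32).Value = Derive(newPassword, salt)
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = user
            Return cmd.ExecuteNonQuery() = 1
        End Using
    End Function
End Module
```

With parameters, a username ending in ';-- is compared as a literal string and simply matches no row.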