注册时用作用户名的电子邮件地址 [英] Email address used as username in registration
本文介绍了注册时用作用户名的电子邮件地址的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个注册表格,我想更强,因为用户名将是他们的电子邮件地址。我怎么能这样做?
protected void Page_Load( object sender,EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString);
con.Open();
string cmdStr = 选择计数(* )来自Tablepass,其中EmailAddress =' + TextBoxEA.Text + ';
SqlCommand userExist = new SqlCommand(cmdStr,con);
SqlCommand cmd = new SqlCommand( select来自Tablepass的INST_ID,EmailAddress,con);
userExist.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text);
userExist.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
int temp = Convert.ToInt32(userExist.ExecuteScalar()。ToString());
if (temp == 1 )
{
ScriptManager。 RegisterStartupScript( this , this .GetType(), script, alert('用户名已存在!!!');, true );
TextBoxEA.Focus();
TextBoxEA.Text = string .Empty;
con.Close();
}
else
{
TextBoxPW.Focus();
}
}
}
受保护 void Submit_Click( object sender,EventArgs e)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString);
con.Open();
string cmdStr = 从Table1中选择INST_ID,accessLevel,EmailAddress,其中EmailAddress =' + TextBoxEA.Text + '< /跨度>;
string cmdStr2 = 选择INST_ID,accessLevel ,表2中的EmailAddress,其中EmailAddress =' + TextBoxEA.Text + ';
string insCmd = 插入Tablepass( EmailAddress,Password,INST_ID,accessLevel)值(@ EmailAddress,@ Password,@ INST_ID,@ accessLevel);
string insCmd2 = 插入Tablepass( EmailAddress,Password,INST_ID,accessLevel)值(@ EmailAddress,@ Password,@ INST_ID,@ accessLevel);
SqlCommand insertUser = new SqlCommand(insCmd,con);
SqlCommand insertUser2 = new SqlCommand(insCmd2,con);
insertUser.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text );
insertUser.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
insertUser.Parameters.AddWithValue( @ INST_ID,TextBoxINST_ID.Text);
insertUser.Parameters.AddWithValue( @ accessLevel,TextBoxaccessLevel.Text);
try
{
insertUser.ExecuteNonQuery();
con.Close();
Response.Redirect( Login.aspx);
}
catch (例外)
{
ScriptManager.RegisterStartupScript( this , this .GetType(), script, alert('系统无法识别用户名!!!') ;, true );
TextBoxEA.Text = string .Empty;
}
}
受保护 void TextBoxEA_TextChanged( object sender,EventArgs e)
{
using (SqlConnection) con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString))
{
con.Open();
SqlCommand scmd = new SqlCommand( 从TableCEO中选择INST_ID,EmailAddress,accessLevel,其中EmailAddress = @TextBoxEA,con);
SqlCommand scmd2 = new SqlCommand( 选择来自TableIALO的INST_ID,EmailAddress,accessLevel,其中EmailAddress = @TextBoxEA,con);
scmd.Parameters.Add( new SqlParameter( @ TextBoxEA,TextBoxEA.Text));
scmd2.Parameters.Add( new SqlParameter( @TextBoxEA,TextBoxEA.Text));
TextBoxINST_ID.Text = string .Empty;
TextBoxaccessLevel.Text = string .Empty;
使用(SqlDataReader dr = scmd.ExecuteReader())
{
while (dr.Read())
{
TextBoxINST_ID.Text = dr [ INST_ID跨度>]的ToString();
TextBoxaccessLevel.Text = dr [ accessLevel]。ToString();
}
}
使用(SqlDataReader dr2 = scmd2.ExecuteReader())
{
while (dr2.Read())
{
TextBoxINST_ID.Text = dr2 [ INST_ID]。ToString();
TextBoxaccessLevel.Text = dr2 [ accessLevel]。ToString();
}
}
解决方案
这至少是关于同一主题/问题的第三篇文章。
你已经得到了一些建议,但我可以看到你似乎没有那么多关注他们。例如,您的代码仍然打开SQL注入攻击。
我建议您:
- 不构造您的SQL查询通过连接从用户输入获得的字符串 - 更好地使用参数化查询
如何创建参数化SQL查询?我为什么要这样做? [ ^ ]
- 不要在数据库中存储密码;而是存储哈希密码
PWDENCRYPT(Transact-SQL) [ ^ ]
PWDCOMPARE(Transact-SQL) [ ^ ]
- 你不应该在每次调用时构造和使用SQL查询TextChanged事件处理程序方法。这只应该在用户登录提交按钮时发生。
- 恕我直言,你应该完全重新考虑你处理登录过程的方式;我的意思是:
点击提交按钮 - >测试登录/密码的有效性。
如果用户不存在或密码不正确 - >>重定向到错误页面(或在实际页面上显示错误消息)。
如果用户存在且密码正确 - >>登录。
这不是你编码的所有逻辑。
- 为用户/哈希密码设置一个表。
确定。这是我的新代码,它确实有效。
protected void Page_Load( object sender,EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString);
con.Open();
string cmdStr = 选择计数(* )来自Tablepass,其中EmailAddress =' + TextBoxEA.Text + ';
string cmdStr2 = 选择计数(* )来自Table1,其中EmailAddress =' + TextBoxEA.Text + ';
string cmdStr3 = 选择计数(* )来自Table2,其中EmailAddress =' + TextBoxEA.Text + ';
SqlCommand userExist = new SqlCommand(cmdStr,con);
SqlCommand userExist2 = new SqlCommand(cmdStr2,con);
SqlCommand userExist3 = new SqlCommand(cmdStr3,con);
SqlCommand cmd = new SqlCommand( select来自Tablepass的INST_ID,EmailAddress,con);
SqlCommand cmd2 = new SqlCommand( select INST_ID,来自Table1的电子邮件地址,con);
SqlCommand cmd3 = new SqlCommand( select INST_ID,来自Table2的电子邮件地址,con);
userExist.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text);
userExist.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
userExist2.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text);
userExist2.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
userExist3.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text);
userExist3.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
int temp = Convert.ToInt32(userExist.ExecuteScalar()。ToString());
int temp2 = Convert.ToInt32(userExist2.ExecuteScalar()。ToString());
int temp3 = Convert.ToInt32(userExist3.ExecuteScalar()。ToString());
if (temp == 1 )
{
ScriptManager.RegisterStartupScript( this , this .GetType(), script, alert ('用户名已存在!!!');, true );
TextBoxEA.Focus();
TextBoxEA.Text = string .Empty;
}
其他 如果(temp2 == 1 )
{
}
else if (temp3 == 1 )
{
}
else if (temp2 == 0 )
{
ScriptManager.RegisterStartupScript( this , this .GetType(), script, alert('系统无法识别用户名!!!');, true );
TextBoxEA.Focus();
TextBoxEA.Text = string .Empty;
}
else if (temp3 == 0 )
{
ScriptManager.RegisterStartupScript( this , this .GetType(), script, alert('系统无法识别用户名!!!');,真跨度>);
TextBoxEA.Focus();
TextBoxEA.Text = string .Empty;
}
con.Close();
}
}
受保护 void Submit_Click( object sender,EventArgs e)
{
SqlConnection con = new SqlConnection(System .Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString);
con.Open();
string cmdStr = 从Table1中选择INST_ID,accessLevel,EmailAddress,其中EmailAddress =' + TextBoxEA.Text + '< /跨度>;
string cmdStr2 = 选择INST_ID,accessLevel ,表2中的EmailAddress,其中EmailAddress =' + TextBoxEA.Text + ';
string insCmd = 插入Tablepass( EmailAddress,Password,INST_ID,accessLevel)值(@ EmailAddress,@ Password,@ INST_ID,@ accessLevel);
string insCmd2 = 插入Tablepass( EmailAddress,Password,INST_ID,accessLevel)值(@ EmailAddress,@ Password,@ INST_ID,@ accessLevel);
SqlCommand insertUser = new SqlCommand(insCmd,con);
SqlCommand insertUser2 = new SqlCommand(insCmd2,con);
insertUser.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text );
insertUser.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
insertUser.Parameters.AddWithValue( @ INST_ID,TextBoxINST_ID.Text);
insertUser.Parameters.AddWithValue( @ accessLevel,TextBoxaccessLevel.Text);
insertUser2.Parameters.AddWithValue( @ EmailAddress,TextBoxEA.Text );
insertUser2.Parameters.AddWithValue( @ Password,TextBoxPW.Text);
insertUser2.Parameters.AddWithValue( @ INST_ID,TextBoxINST_ID.Text);
insertUser2.Parameters.AddWithValue( @ accessLevel,TextBoxaccessLevel.Text);
try
{
insertUser.ExecuteScalar();
con.Close();
Response.Redirect( Login.aspx);
}
catch (例外)
{
}
}
protected void TextBoxEA_TextChanged( object sender,EventArgs e)
{
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings [ HotConnectionString]。ConnectionString))
{
con.Open();
SqlCommand scmd = new SqlCommand( 从Table1中选择INST_ID,EmailAddress,accessLevel,其中EmailAddress = @TextBoxEA,con);
SqlCommand scmd2 = new SqlCommand( 选择来自Table2的INST_ID,EmailAddress,accessLevel,其中EmailAddress = @TextBoxEA,con);
scmd.Parameters.Add( new SqlParameter( @ TextBoxEA,TextBoxEA.Text));
scmd2.Parameters.Add( new SqlParameter( @TextBoxEA,TextBoxEA.Text));
TextBoxINST_ID.Text = string .Empty;
TextBoxaccessLevel.Text = string .Empty;
使用(SqlDataReader dr = scmd.ExecuteReader())
{
while (dr.Read())
{
TextBoxINST_ID.Text = dr [ INST_ID跨度>]的ToString();
TextBoxaccessLevel.Text = dr [ accessLevel]。ToString();
}
}
使用(SqlDataReader dr2 = scmd2.ExecuteReader())
{
while (dr2.Read())
{
TextBoxINST_ID.Text = dr2 [ INST_ID]。ToString();
TextBoxaccessLevel.Text = dr2 [ accessLevel]。ToString();
}
}
I have a registration form that i would like to make stronger because of the username will be their email address. How can I do this?
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
userExist.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
userExist.Parameters.AddWithValue("@Password", TextBoxPW.Text);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
if (temp == 1)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Already Exist!!!');", true);
TextBoxEA.Focus();
TextBoxEA.Text = string.Empty;
con.Close();
}
else
{
TextBoxPW.Focus();
}
}
}
protected void Submit_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
SqlCommand insertUser = new SqlCommand(insCmd, con);
SqlCommand insertUser2 = new SqlCommand(insCmd2, con);
insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);
try
{
insertUser.ExecuteNonQuery();
con.Close();
Response.Redirect("Login.aspx");
}
catch (Exception er)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
TextBoxEA.Text = string.Empty;
}
}
protected void TextBoxEA_TextChanged(object sender, EventArgs e)
{
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
{
con.Open();
SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from TableCEO where EmailAddress = @TextBoxEA", con);
SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from TableIALO where EmailAddress = @TextBoxEA", con);
scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
TextBoxINST_ID.Text = string.Empty;
TextBoxaccessLevel.Text = string.Empty;
using (SqlDataReader dr = scmd.ExecuteReader())
{
while (dr.Read())
{
TextBoxINST_ID.Text = dr["INST_ID"].ToString();
TextBoxaccessLevel.Text = dr["accessLevel"].ToString();
}
}
using (SqlDataReader dr2 = scmd2.ExecuteReader())
{
while (dr2.Read())
{
TextBoxINST_ID.Text = dr2["INST_ID"].ToString();
TextBoxaccessLevel.Text = dr2["accessLevel"].ToString();
}
}
解决方案
This is at least the third post from you on the same subject/problem.
You have been given some advices, but as I can see you do not seem to have followed them so much. For example your code is still opened to SQL injection attacks.
What I recommand to you is:
- do not construct your SQL queries by concatenating strings obtained from user inputs - better use parameterized queries
How do I create a parameterized SQL query? Why Should I?[^]
- do not store passwords in the database ; instead store hashed-passwords
PWDENCRYPT (Transact-SQL)[^]
PWDCOMPARE (Transact-SQL)[^]
- you should not construct and use a SQL query in each call to a TextChanged eventhandler method. This only should happen when the user cliks on the submit button.
- IMHO, you should completely rethink the way you handle the login process; I mean:
On click of submit button -> test for the validity of login/password.
If user does not exist OR if password is incorrect -> redirect to an error page (or display an error message on the actual page).
If user exists and password is correct -> login.
This is not at all the logic you coded.
- Have a single table for users/hashed passwords.
Ok. Here is my new code and it does work.
protected void Page_Load(object sender, EventArgs e) { if (IsPostBack) { SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString); con.Open(); string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'"; string cmdStr2 = "Select count(*) from Table1 where EmailAddress='" + TextBoxEA.Text + "'"; string cmdStr3 = "Select count(*) from Table2 where EmailAddress='" + TextBoxEA.Text + "'"; SqlCommand userExist = new SqlCommand(cmdStr, con); SqlCommand userExist2 = new SqlCommand(cmdStr2, con); SqlCommand userExist3 = new SqlCommand(cmdStr3, con); SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con); SqlCommand cmd2 = new SqlCommand("select INST_ID, EmailAddress from Table1", con); SqlCommand cmd3 = new SqlCommand("select INST_ID, EmailAddress from Table2", con); userExist.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text); userExist.Parameters.AddWithValue("@Password", TextBoxPW.Text); userExist2.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text); userExist2.Parameters.AddWithValue("@Password", TextBoxPW.Text); userExist3.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text); userExist3.Parameters.AddWithValue("@Password", TextBoxPW.Text); int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString()); int temp2 = Convert.ToInt32(userExist2.ExecuteScalar().ToString()); int temp3 = Convert.ToInt32(userExist3.ExecuteScalar().ToString()); if (temp == 1) { ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Already Exist!!!');", true); TextBoxEA.Focus(); TextBoxEA.Text = string.Empty; } else if (temp2 == 1) { } else if (temp3 == 1) { } else if (temp2 == 0) { ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true); TextBoxEA.Focus(); TextBoxEA.Text = string.Empty; } else if (temp3 == 0) { ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true); TextBoxEA.Focus(); TextBoxEA.Text = string.Empty; } con.Close(); } } protected void Submit_Click(object sender, EventArgs e) { SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString); con.Open(); string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'"; string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'"; string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)"; string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)"; SqlCommand insertUser = new SqlCommand(insCmd, con); SqlCommand insertUser2 = new SqlCommand(insCmd2, con); insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text); insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text); insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text); insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text); insertUser2.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text); insertUser2.Parameters.AddWithValue("@Password", TextBoxPW.Text); insertUser2.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text); insertUser2.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text); try { insertUser.ExecuteScalar(); con.Close(); Response.Redirect("Login.aspx"); } catch (Exception er) { } } protected void TextBoxEA_TextChanged(object sender, EventArgs e) { using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString)) { con.Open(); SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table1 where EmailAddress = @TextBoxEA", con); SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table2 where EmailAddress = @TextBoxEA", con); scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text)); scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text)); TextBoxINST_ID.Text = string.Empty; TextBoxaccessLevel.Text = string.Empty; using (SqlDataReader dr = scmd.ExecuteReader()) { while (dr.Read()) { TextBoxINST_ID.Text = dr["INST_ID"].ToString(); TextBoxaccessLevel.Text = dr["accessLevel"].ToString(); } } using (SqlDataReader dr2 = scmd2.ExecuteReader()) { while (dr2.Read()) { TextBoxINST_ID.Text = dr2["INST_ID"].ToString(); TextBoxaccessLevel.Text = dr2["accessLevel"].ToString(); } }
这篇关于注册时用作用户名的电子邮件地址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文