需要显示两个登录错误消息 [英] Two Login Error Messages needs to display
问题描述
我有一个登录页面,我想告诉用户,如果用户输入的用户名不存在,用户名不存在,如果用户输入的用户名和密码无效,则错误消息将显示无效的用户名/密码。我已经完成了一些代码,但我坚持我的逻辑。有人可以帮助我并告诉我哪里出错了吗?
I have a login page that I want to tell the user if the user enters an invalid username the username does not exist and if the user enters a username and password that is invalid the error message will say invalid username/password. I have some of the code done but i am stuck on my logic. Can someone help me and tell me where I went wrong?
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
if (temp == 1)
{
lblMessage.Text = "Invalid UserName/Password!!!";
}
}
}
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
if (true)
{
SqlCommand level = new SqlCommand("select accessLevel, Password, INST_ID from Tablepass where EmailAddress = @EmailAddress AND Password = @Password", con);
level.Parameters.Add(new SqlParameter("EmailAddress", TextBoxEA.Text));
level.Parameters.Add(new SqlParameter("Password", TextBoxPW.Text));
SqlDataReader reader = level.ExecuteReader();
DataTable dt1 = new DataTable();
dt1.Load(reader);
foreach (DataRow dr1 in dt1.Rows)
{
int returnedLevel = Convert.ToInt32(dr1[0].ToString());
int inst_id = Convert.ToInt32(dr1[2].ToString());
Session["inst_id"] = inst_id;
if (returnedLevel == 1)
{
Response.Redirect("FormAPublic.aspx");
}
else if (returnedLevel == 2)
{
Response.Redirect("FormCPrivateNon.aspx");
}
else if (returnedLevel == 3)
{
Response.Redirect("FormDPrivateFor.aspx");
}
else if (returnedLevel == 7)
{
Response.Redirect("CEOPage.aspx");
}
else if (returnedLevel == 8)
{
Response.Redirect("DBPage.aspx");
}
else if (returnedLevel == 11)
{
Response.Redirect("FormAPublicL.aspx");
}
else if (returnedLevel == 21)
{
Response.Redirect("FormCPrivateNonL.aspx");
}
else if (returnedLevel == 31)
{
Response.Redirect("FormDPrivateForL.aspx");
}
else if (returnedLevel == 0)
{
Response.Redirect("Oops2.aspx");
}
}
}
}
protected void TextBoxEA_TextChanged(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
if (temp == 1)
{
}
else
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Does Not Exist!!! You Must Fill Out Registration First!!!');", true);
}
}
}
}
现在发生的事情是用户输入有效的用户名弹出无效的用户名/密码。当用户点击登录按钮时我需要显示它。
What happen now is that when a user enters a valid username the Invalid username/password pops up. I need it to display when the user clicks on the Login button.
推荐答案
请不要这样做。
相反,给出一条错误消息,其中包含两种可能性:无法登录:未找到用户名和密码或类似信息。如果您提供单独的错误消息,那么当他们找到有效的用户ID并且他们只需要专注于密码时,您就会告诉黑客系统 - 这对于自动强力攻击来说是一个重大优势,因为它将工作减少了一半。
其次,永远不要以明文形式存储密码 - 这是一个主要的安全风险。有关如何在此处执行此操作的信息:密码存储:如何做到这一点。 [ ^ ]
Please don't do that.
Instead, give a single error message which covers both eventualities: "Unable to log in: the username and password were not found" or similar. If you give separate error messages, you are telling hacking systems when they have found a valid userID and that they only need to concentrate on the password - this is a major plus for automated "brute force" attacks because it cuts the work in half.
Secondly, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]
Hi Wiz,
正如您使用的那样
Hi Wiz,
As you have used
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
如果它至少有一条记录,那么执行标量会返回值1.所以肯定会出现无效的用户名/密码错误。
你打算在page_load事件中实现什么逻辑?如果你告诉我们人们可以试试你。
希望这会对你有所帮助。
问候,
RK
If it has at least one record then execute scalar would return value 1. So definitely "Invalid Username/Password" error will throw.
What logic you intend to implement in page_load event? If you tell that we people could try for you.
Hope this helps you a bit.
Regards,
RK
我想我拥有它。
I think I have it.
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
con.Open();
string cmdStr = "Select count(*) from TableSecurity where EmailAddress='" + TextBoxEA.Text + "'";
SqlCommand userExist = new SqlCommand(cmdStr, con);
SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
if (temp == 0)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Does Not Exist!!! You Must Fill Out Registration First!!!');", true);
}
else if (temp == 1)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid UserName/Password!!!');", true);
}
}
}
这篇关于需要显示两个登录错误消息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!