出现无效的登录消息........但是程序中没有错误. [英] invalid login message appears ........but no error in the programe.

问题描述

这是此程序的存储过程.

this is the store procedure for this prog.

CREATE Proc [dbo].[Log_prcLog]
	(
	@Username  varchar (50),
	@UPassword varchar (50),
	@OutRes int OUTPUT
	)

AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
where Username = @Username and [Password]= @Upassword)
if (@OutRes = 1 )

BEGIN
	
	set @OutRes = 1 --Login is Correct
	end 
	else
	begin
	set @OutRes = 0 -- Bad Login
    
	
end

VB.Net代码

VB.Net code

Imports System.Data.SqlClient
Public Class login11
    Inherits System.Web.UI.Page
    Public Function Validate_Login(ByVal Username As String, ByVal Password As String) As Integer

        Dim con As SqlConnection = New SqlConnection("Data Source=andy\sqlexpress;Initial Catalog=tink;Integrated Security=True")
        Dim cmdselect As SqlCommand = New SqlCommand()
        cmdselect.CommandType = CommandType.StoredProcedure
        cmdselect.CommandText = "[dbo].[prcLog]"
        cmdselect.Parameters.Add("@Username", SqlDbType.VarChar, 50).Value = Username
        cmdselect.Parameters.Add("@UPassword", SqlDbType.VarChar, 50).Value = Password
        cmdselect.Parameters.Add("@OutRes", SqlDbType.Int, 4)
        cmdselect.Parameters("@OutRes").Direction = ParameterDirection.Output
        cmdselect.Connection = con
        Dim Results As Integer = 0
        Try
            con.Open()
            cmdselect.ExecuteNonQuery()
            Results = CType(cmdselect.Parameters("@OutRes").Value, Integer)
        Catch ex As SqlException
            lblMessage.Text = ex.Message
        Finally
            cmdselect.Dispose()
            If Not con Is Nothing Then
                con.Close()
            End If
        End Try
        Return Results
    End Function
   
    Protected Sub btnlogin_Click(sender As Object, e As EventArgs)
        Dim Results As Integer = 0
        If txtUsername.Text <> String.Empty AndAlso txtPassword.Text <> String.Empty Then
            Results = Validate_Login(txtUsername.Text.Trim(), txtPassword.Text.Trim())
            If Results = 1 Then
                lblMessage.Text = "Login is Good, Send the User to another page or enable controls"
            Else
                lblMessage.Text = "Invalid Login"
                lblMessage.ForeColor = System.Drawing.Color.Red
                'Dont Give too much information this might tell a hacker what is wrong in the login
            End If
        Else
            lblMessage.Text = "Please make sure that the username and the password is Correct"
        End If

    End Sub
End Class

推荐答案

您在数据库中是否多次获得了用户名/密码组合?

您应该执行EXISTS检查，而不是COUNT(这会使您的IF成为多余的)，并且您的用户名应该是唯一的索引

have you got the username/pwd combo more than once in your DB?

you should do an EXISTS check, rather than a COUNT (which would make your IF redundant), and your username should be a unique index

那里很难知道从哪里开始...

祝贺您使用Paramaterised查询！您说对了-做得好.

但是...
多年以前，Parameters.Add已贬值，转而使用AddWithValue:

There are so many things there it''s difficult to know where to begin...

Congratulations on using Paramaterised queries! You got that right - well done.

But...
Parameters.Add was depreciated many years ago in favour of AddWithValue:

cmdselect.Parameters.AddWithValue("@Username", Username)

当您只对数字感兴趣时，为什么还要使用输出参数(甚至是存储过程)呢?

Why are you faffing about with an output parameter, (or even a stored procedure) when all you are interested in is a number?

SELECT COUNT(*) FROM Log_Users WHERE Username = @Username AND [Password]= @Upassword)

，然后调用ExecuteScalar，它将直接以整数形式返回匹配记录的数量.

最大的问题是:永远不要以明文形式存储密码-这是一个重大的安全风险.这里有一些有关如何执行此操作的信息:密码存储:如何进行 [ ^ ](在C#中，但是易于理解和翻译)

and call ExecuteScalar which will return you the number of matching records as an integer directly.

And the big one: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^] (it''s in C#, but it''s easy to understand and translate)

请尝试以下操作


ALTER Proc [dbo].[Log_prcLog]
(
@Username varchar(50)，
@UPassword varchar(50)，
@OutRes int输出
)

AS
设置@OutRes =(从[dbo]中选择COUNT(*).Log_Users
其中，用户名= @用户名，[密码] = @Upassword)
如果(@OutRes> 0)

开始

设置@OutRes = 1-登录正确
结束
其他
开始
设置@OutRes = 0-错误的登录


结束

Hi Please try this


ALTER Proc [dbo].[Log_prcLog]
(
@Username varchar (50),
@UPassword varchar (50),
@OutRes int OUTPUT
)

AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
where Username = @Username and [Password]= @Upassword)
if (@OutRes >0 )

BEGIN

set @OutRes = 1 --Login is Correct
end
else
begin
set @OutRes = 0 -- Bad Login


end

这篇关于出现无效的登录消息........但是程序中没有错误.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！