Invalid login message appears ........ but no error in the program.
Problem description
This is the stored procedure for this prog.
CREATE Proc [dbo].[Log_prcLog]
(
    @Username varchar (50),
    @UPassword varchar (50),
    @OutRes int OUTPUT
)
AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
               where Username = @Username and [Password]= @Upassword)
if (@OutRes = 1 )
BEGIN
    set @OutRes = 1 --Login is Correct
end
else
begin
    set @OutRes = 0 -- Bad Login
end
VB.Net code
Imports System.Data.SqlClient
Public Class login11
    Inherits System.Web.UI.Page
    Public Function Validate_Login(ByVal Username As String, ByVal Password As String) As Integer
        Dim con As SqlConnection = New SqlConnection("Data Source=andy\sqlexpress;Initial Catalog=tink;Integrated Security=True")
        Dim cmdselect As SqlCommand = New SqlCommand()
        cmdselect.CommandType = CommandType.StoredProcedure
        cmdselect.CommandText = "[dbo].[prcLog]"
        cmdselect.Parameters.Add("@Username", SqlDbType.VarChar, 50).Value = Username
        cmdselect.Parameters.Add("@UPassword", SqlDbType.VarChar, 50).Value = Password
        cmdselect.Parameters.Add("@OutRes", SqlDbType.Int, 4)
        cmdselect.Parameters("@OutRes").Direction = ParameterDirection.Output
        cmdselect.Connection = con
        Dim Results As Integer = 0
        Try
            con.Open()
            cmdselect.ExecuteNonQuery()
            Results = CType(cmdselect.Parameters("@OutRes").Value, Integer)
        Catch ex As SqlException
            lblMessage.Text = ex.Message
        Finally
            cmdselect.Dispose()
            If Not con Is Nothing Then
                con.Close()
            End If
        End Try
        Return Results
    End Function
    Protected Sub btnlogin_Click(sender As Object, e As EventArgs)
        Dim Results As Integer = 0
        If txtUsername.Text <> String.Empty AndAlso txtPassword.Text <> String.Empty Then
            Results = Validate_Login(txtUsername.Text.Trim(), txtPassword.Text.Trim())
            If Results = 1 Then
                lblMessage.Text = "Login is Good, Send the User to another page or enable controls"
            Else
                lblMessage.Text = "Invalid Login"
                lblMessage.ForeColor = System.Drawing.Color.Red
                'Don't give too much information, this might tell a hacker what is wrong in the login
            End If
        Else
            lblMessage.Text = "Please make sure that the username and the password is Correct"
        End If
    End Sub
End Class
Recommended answer
Have you got the username/pwd combo more than once in your DB?
You should do an EXISTS check, rather than a COUNT (which would make your IF redundant), and your username should be a unique index.
There are so many things there it's difficult to know where to begin...
Congratulations on using Parameterised queries! You got that right - well done.
But...
Parameters.Add was deprecated many years ago in favour of AddWithValue:
cmdselect.Parameters.AddWithValue("@Username", Username)
Why are you faffing about with an output parameter, (or even a stored procedure) when all you are interested in is a number?
SELECT COUNT(*) FROM Log_Users WHERE Username = @Username AND [Password]= @Upassword
and call ExecuteScalar which will return you the number of matching records as an integer directly.
And the big one: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. (it's in C#, but it's easy to understand and translate)
Hi, please try this:
ALTER Proc [dbo].[Log_prcLog]
(
    @Username varchar (50),
    @UPassword varchar (50),
    @OutRes int OUTPUT
)
AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
               where Username = @Username and [Password]= @Upassword)
if (@OutRes >0 )
BEGIN
    set @OutRes = 1 --Login is Correct
end
else
begin
    set @OutRes = 0 -- Bad Login
end