创建登录表单,登录时出现错误 [英] create login form and i have error while loging
问题描述
string connection = @"Provider=Microsoft.ACE.OLEDB.12.0; Data Source=|DataDirectory|\info.accdb;Persist Security Info=True;Jet OLEDB:Database Password=***********";
OleDbConnection connect = new OleDbConnection(connection);
try
{
connect.Open();
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString(), "Error");
}
string query = "SELECT FROM * [Users] WHERE Username=''" + userTxt.Text + "'' AND Password=''"+ PassTxt.Text + "''";
OleDbCommand command = new OleDbCommand(query, connect);
OleDbDataReader reader = command.ExecuteReader();
while (reader.Read())
{
MessageBox.Show("Successfull", "Login Successfull");
}
MessageBox.Show("Wrong Login", "Wrong Login");
添加了代码块-OriginalGriff [/edit]
[edit]Code block added - OriginalGriff[/edit]
推荐答案
好,这里有很多错误,让我看看我是否发现了你所做的一个:
1)如果您的连接无法打开,请报告并继续使用它,这将导致未处理的异常.移动您的代码,使其全部位于try
块内:
Ok, there are quite a few things wrong here, let me see if I spotted the one you did:
1) If your connection fails to open, you report it and continue to use it, which will cause an unhandled exception. Move your code so that it is all within thetry
block:
string connection = @"Provider=Microsoft.ACE.OLEDB.12.0; Data Source=|DataDirectory|\info.accdb;Persist Security Info=True;Jet OLEDB:Database Password=***********";
OleDbConnection connect = new OleDbConnection(connection);
try
{
connect.Open();
string query = "SELECT FROM * [Users] WHERE Username=''" + userTxt.Text + "'' AND Password=''"+ PassTxt.Text + "''";
...
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString(), "Error");
}
2)您正在危险地进行选择:您很容易遭受意外或故意的SQL Injection攻击.为了证明这一点,请键入"hello"; DROP TABLE Users;".作为您的用户名...或者更好的是,不要尝试使用它,因为整个表将从数据库中消失...
请改用参数化查询:
2) You are doing the select dangerously: you can easily suffer an accidental or deliberate SQL Injection attack. To prove it, type "hello'';DROP TABLE Users;" as your user name... Or better still, don''t try it as your whole table will disappear from your database...
Use parametrized queries instead:
string query = "SELECT FROM * [Users] WHERE Username=@UN AND Password=@PW";
OleDbCommand command = new OleDbCommand(query, connect);
command.Parameters.Add("@UN", userTxt.Text);
command.Parameters.Add("@PW", PassTxt.Text);
3)不要将密码以文本形式存储在数据库中:使用MD5或(最好是)SHA来散列密码,然后替代密码.这样,没人能告诉您您的用户密码是什么...
4)无论是否找到好"用户,您都会收到一条消息,提示登录错误".您需要用if
替换while
并提供else
:
3) Don''t store passwords in your database in text: Hash them using MD5 or (preferably) SHA and stroe that instead. That way nobody can tell what your user password is...
4) Whether it finds a "good" user or not, you will get a message saying "Wrong login". You need to replace the while
with an if
and provide an else
:
if (reader.Read())
{
MessageBox.Show("Successfull", "Login Successfull");
}
else
{
MessageBox.Show("Wrong Login", "Wrong Login");
}
我发现你发现的问题了吗?
[edit]其中一个代码块标记移动了...很奇怪-OriginalGriff [/edit]
Did I get the problem you spotted?
[edit]One of the code block markers moved...strange - OriginalGriff[/edit]
这篇关于创建登录表单,登录时出现错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!