从字符串&“&"转换键入' Boolean'无效的 [英] Conversion from string "" to type 'Boolean' is not valid
问题描述
我在ASP.NET的登录表单中的标题中收到错误消息,有人知道如何解决吗?非常感谢您的帮助
I am getting the error message in the title on my login form in ASP.NET does anyone know what how i can sort it out? help is much appreciated
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
Dim conn As New MySqlConnection
conn.ConnectionString = ("server=localhost;port=3307;user=user;password=password;database=DB;")
Try
Dim SQL As String = "select * from users3 where uname = '" & txtUName.Text & "' AND password = '" & txtPwd.Text & "'"
conn.Open()
Dim cmd As New MySqlCommand(SQL, conn)
Dim reader As MySqlDataReader = cmd.ExecuteReader
reader.Read()
Dim isValidLogin As Boolean
Boolean.TryParse(reader.GetValue(1), isValidLogin)
If isValidLogin Then
Session("UserName") = txtUName.Text
Response.Redirect("REGISTERPROP.aspx")
Else
Response.Write("Invalid Login")
End If
Catch ex As Exception
Response.Write("An Error Occurred: " & ex.Message.ToString())
End Try
End Sub
推荐答案
好吧,该消息几乎是不言自明的.您正在尝试将空(nil)字符串转换为布尔值. Boolean
的唯一有效字符串值为(不区分大小写) true
和 false
.但是您还有其他问题.
Well, the message is pretty much self-explanatory. You're trying convert an empty (nil) string into a boolean. The only valid string values for Boolean
are (case-insensitive) true
and false
. You have other problems though.
-
如果未找到用户/密码,则查询返回0行(空集),如果未找到用户/密码,则查询返回1行(大概).但是,您不是在检查
Read()
方法的返回值:如果读取了一行,它将返回true
,否则返回false
.您的查询仅在成功匹配时返回一行:您应先进行检查,然后再尝试从中检索数据.
Your query returns 0 rows (the empty set) if the user/password is not found, and (presumably) 1 row if the user/password is found. However, you are not checking the return values from the
Read()
method: it returnstrue
if a row was read andfalse otherwise
. You query only returns a row on a successful match: You should check that prior to trying to retrieve data from it.
此外,您的查询具有 SQL注入漏洞.考虑使用参数化查询或存储过程.如果有人在密码字段中键入(或简单地将其输入)回您的页面,您会怎么办?
Further, your query has a SQL Injection vulnerability. Consider using parameterized queries or stored procedures. What do you think might happen if somebody types (or simply posts) this back to your page for the password field:
; drop table users3 ;
似乎您在数据库中以明文形式存储密码.结合使用SQL注入漏洞,您很容易遭受系统和用户的威胁.考虑使用诸如SHA-256之类的安全哈希算法对密码加盐并对加盐的密码进行哈希处理.p>
It appears you're storing passwords in the clear in your database. In conjunction with your SQL Injection vulnerability, you leave yourself wide open to having your system and users compromised. Consider salting the passwords and hashing the salted password using a secure hashing algorithm like SHA-256.
将查询更改为
`select 'true' from user3 where ...`
并使用 DbReader.ExecuteScalar()
,它返回结果集第一行的第一列;如果结果集为空,则返回 null
.然后您的逻辑变得更简单,就像
And execute it using DbReader.ExecuteScalar()
, which returns the first column of the first row of the result set or null
if the result set is empty. Then your logic becomes simpler, something like
Dim isValidLogin = cmd.ExecuteScalar()
If isValidLogin IsNot Nothing And isValidLogin Then
Session("UserName") = txtUName.Text
Response.Redirect("REGISTERPROP.aspx")
Else
Response.Write("Invalid Login")
End If
这篇关于从字符串&“&"转换键入' Boolean'无效的的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!