从字符串&“&"转换键入' Boolean'无效的 [英] Conversion from string "" to type 'Boolean' is not valid

问题描述

我在ASP.NET的登录表单中的标题中收到错误消息，有人知道如何解决吗?非常感谢您的帮助

I am getting the error message in the title on my login form in ASP.NET does anyone know what how i can sort it out? help is much appreciated

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
  Dim conn As New MySqlConnection

  conn.ConnectionString = ("server=localhost;port=3307;user=user;password=password;database=DB;")

  Try

    Dim SQL As String = "select * from users3 where uname = '" & txtUName.Text & "' AND password = '" & txtPwd.Text & "'"

    conn.Open()

    Dim cmd As New MySqlCommand(SQL, conn)
    Dim reader As MySqlDataReader = cmd.ExecuteReader

        reader.Read()
        Dim isValidLogin As Boolean
        Boolean.TryParse(reader.GetValue(1), isValidLogin)

        If isValidLogin Then
            Session("UserName") = txtUName.Text
      Response.Redirect("REGISTERPROP.aspx")
    Else
      Response.Write("Invalid Login")
    End If

  Catch ex As Exception
    Response.Write("An Error Occurred: " & ex.Message.ToString())
  End Try
End Sub

推荐答案

好吧，该消息几乎是不言自明的.您正在尝试将空(nil)字符串转换为布尔值. Boolean 的唯一有效字符串值为(不区分大小写) true 和 false .但是您还有其他问题.

Well, the message is pretty much self-explanatory. You're trying convert an empty (nil) string into a boolean. The only valid string values for Boolean are (case-insensitive) true and false. You have other problems though.

• 如果未找到用户/密码，则查询返回0行(空集)，如果未找到用户/密码，则查询返回1行(大概).但是，您不是在检查 Read()方法的返回值:如果读取了一行，它将返回 true ，否则返回 false .您的查询仅在成功匹配时返回一行:您应先进行检查，然后再尝试从中检索数据.

• Your query returns 0 rows (the empty set) if the user/password is not found, and (presumably) 1 row if the user/password is found. However, you are not checking the return values from the Read() method: it returns true if a row was read and false otherwise. You query only returns a row on a successful match: You should check that prior to trying to retrieve data from it.

此外，您的查询具有 SQL注入漏洞.考虑使用参数化查询或存储过程.如果有人在密码字段中键入(或简单地将其输入)回您的页面，您会怎么办?

Further, your query has a SQL Injection vulnerability. Consider using parameterized queries or stored procedures. What do you think might happen if somebody types (or simply posts) this back to your page for the password field:

; drop table users3 ;

似乎您在数据库中以明文形式存储密码.结合使用SQL注入漏洞，您很容易遭受系统和用户的威胁.考虑使用诸如SHA-256之类的安全哈希算法对密码加盐并对加盐的密码进行哈希处理.p>

It appears you're storing passwords in the clear in your database. In conjunction with your SQL Injection vulnerability, you leave yourself wide open to having your system and users compromised. Consider salting the passwords and hashing the salted password using a secure hashing algorithm like SHA-256.

将查询更改为

`select 'true' from user3 where ...`

并使用 DbReader.ExecuteScalar() ，它返回结果集第一行的第一列；如果结果集为空，则返回 null .然后您的逻辑变得更简单，就像

And execute it using DbReader.ExecuteScalar(), which returns the first column of the first row of the result set or null if the result set is empty. Then your logic becomes simpler, something like

Dim isValidLogin = cmd.ExecuteScalar()
If isValidLogin IsNot Nothing And isValidLogin Then
  Session("UserName") = txtUName.Text
  Response.Redirect("REGISTERPROP.aspx")
Else
  Response.Write("Invalid Login")
End If

这篇关于从字符串&“&"转换键入' Boolean'无效的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！