0

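Can anyone tell me what is wrong with this code?

If the username and password do not match, the lbl text should display "Incorrect Username/Password".

Code: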

    Protected Sub btnLogin_Click(sender As Object, e As System.EventArgs) Handles btnLogin.Click

        Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb")
        Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM [User] where Username=? and Password=?", conn)

        cmd.Parameters.AddWithValue("@Username", txtLogin.Text)
        cmd.Parameters.AddWithValue("@Password", txtPassword.Text)

        If (String.IsNullOrEmpty(txtLogin.Text)) Or (String.IsNullOrEmpty(txtPassword.Text)) Then

            lblLoginError.Text = "One or more fields are empty. Please fill in all the fields"
            lblLoginError.Visible = True

        Else

            conn.Open()
            Dim read As OleDbDataReader = cmd.ExecuteReader()

            Try

                If read.HasRows Then

                    While read.Read()

                        If txtLogin.Text = read.Item("username").ToString And txtPassword.Text = read.Item("password").ToString Then

                            Dim tUsername As String = read.Item("Username").ToString

                            Session("Username") = tUsername
                            Response.Redirect("Default.aspx")

                        End If
                    End While
                End If

                read.Close()
            Catch ex As Exception
                Response.Write(ex.Message())
                lblLoginError.Text = "Incorrect Username/Password."
                lblLoginError.Visible = True

            Finally
                conn.Close()
            End Try

        End If

    End Sub
4

5 Answers

2

Instead of the catch, write an ElseIf statement.

answered 2012-05-05T18:18:20.967
1

You can try this code. This code has no Try Catch block.

    Protected Sub btnLogin_Click(sender As Object, e As System.EventArgs) Handles btnLogin.Click

        If (String.IsNullOrEmpty(txtLogin.Text)) Or (String.IsNullOrEmpty(txtPassword.Text)) Then
            lblLoginError.Text = "One or more fields are empty. Please fill in all the fields"
            lblLoginError.Visible = True

        Else
            Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb")
            Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM [User] where Username=? and Password=?", conn)
            cmd.Parameters.AddWithValue("@Username", txtLogin.Text)
            cmd.Parameters.AddWithValue("@Password", txtPassword.Text)
            conn.Open()
            Dim read As OleDbDataReader = cmd.ExecuteReader()
            If read.HasRows Then
                read.Read()
                Session("Username") = read.Item("Username").ToString
                read.Close()
                conn.Close() 'Close connection before Redirecting.
                Response.Redirect("Default.aspx")
            Else
                read.Close()
                conn.Close()
                lblLoginError.Text = "Incorrect Username/Password."
                lblLoginError.Visible = True

            End If
        End If
    End Sub
answered 2012-05-05T18:30:41.280
1

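You don't need to return the username and password from the database, because you already have them. You only need to count the matching entries. That simplifies it considerably. Also, as jams showed, it is better to test the values in the username and password fields before doing anything with the database: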

    If (String.IsNullOrEmpty(txtLogin.Text)) OrElse (String.IsNullOrEmpty(txtPassword.Text)) Then

        lblLoginError.Text = "One or more fields are empty. Please fill in all the fields"
        lblLoginError.Visible = True

    Else

        Dim ok As Integer = 0

        Using conn = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb")
            Dim cmd As OleDbCommand = New OleDbCommand("SELECT COUNT(*) FROM [User] where Username=? and Password=?", conn)

            cmd.Parameters.AddWithValue("@Username", txtLogin.Text)
            cmd.Parameters.AddWithValue("@Password", txtPassword.Text)

            conn.Open()
            ok = CInt(cmd.ExecuteScalar())
            conn.Close()
        End Using

        If ok = 0 Then
            ' credentials incorrect
        Else
            ' credentials correct
        End If

    End If
answered 2012-05-05T18:44:16.790
0

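The way you wrote it, "Incorrect Username/Password" will only be displayed when an exception is thrown.

If you want to use the code you wrote, add an ELSE: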

    If txtLogin.Text = read.Item("username").ToString And txtPassword.Text = read.Item("password").ToString Then

        Dim tUsername As String = read.Item("Username").ToString

        Session("Username") = tUsername
        Response.Redirect("Default.aspx")
    Else
        Throw New Exception("Incorrect Username/Password")
    End If
answered 2012-05-05T18:20:57.767
0
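  1. You decided to roll your own security, which leads to...
  2. You appear to be storing passwords in plain text, which is a huge security hole and a potential source of liability.
  3. If read.HasRows will be false if the username and password passed in do not exist in the database. I.e., it will not throw an exception, it will simply return no rows.
  4. You are not calling Dispose on your disposable objects.
  5. It would be faster to simply call ExecuteScalar with Select Count(*) to see whether the result is greater than zero.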

    ' Requires Imports System.Data.OleDb at the top of the code-behind file.
    ' Empty input counts as a failed attempt before the database is touched.
    Dim authenticationFailed As Boolean = String.IsNullOrEmpty(txtLogin.Text) _
        OrElse String.IsNullOrEmpty(txtPassword.Text)

    If Not authenticationFailed Then
        Dim connString = "Provider=Microsoft.Jet.OLEDB.4.0..."
        Using conn = New OleDbConnection(connString)
            Const sql As String = "Select Count(*) From [User] Where Username=? and Password=?"
            conn.Open()
            Using cmd = New OleDbCommand(sql, conn)
                ' OleDb parameters are positional; they bind in the order added.
                cmd.Parameters.AddWithValue("@Username", txtLogin.Text)
                cmd.Parameters.AddWithValue("@Password", txtPassword.Text)

                ' Declared outside the Try so it is still in scope below.
                Dim result As Object = Nothing
                Try
                    ' ExecuteScalar takes no arguments.
                    result = cmd.ExecuteScalar()
                Catch ex As OleDbException
                    ' The OleDb provider throws OleDbException, not SqlException.
                    authenticationFailed = True
                End Try

                authenticationFailed = authenticationFailed _
                    OrElse Convert.ToInt32(result) <> 1

                If Not authenticationFailed Then
                    Session("Username") = txtLogin.Text
                End If
            End Using

            conn.Close()
        End Using
    End If

    If authenticationFailed Then
        lblLoginError.Text = "Incorrect username and password"
        lblLoginError.Visible = True
    End If
answered 2012-05-05T18:51:02.363