0

我在WebMethod应用程序的后端创建了以下内容,用户通过前端登录。

[WebMethod]
    public String Login(String userName, String password)
    {

            OleDbConnection connect = new OleDbConnection(connection);
            connect.Open();
            OleDbCommand command = new OleDbCommand("Select * from login where userName='" + userName + "'  and password ='" + password + "'", connect);
            command.CommandType = CommandType.Text;
            OleDbDataAdapter adapter = new OleDbDataAdapter();
            adapter.SelectCommand = command;
            DataSet NSNSet = new DataSet();
            adapter.Fill(NSNSet);

            string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();

            int userID = System.Convert.ToInt16(NSNSet.Tables[0].Rows[0]["UID"].ToString());

            return username + "," + userID;


    }

目前,我有错误处理,其中指出 -

catch(Exception ex)
            {
                string error = System.Convert.ToString(ex);
                if (error.Contains("There is no row at position 0"))
                {
                    status.Text = "Incorrect Username/Password combination";
                }
            }

这工作得很好,但是我怎么能修改我的代码,以便它带回一个更具体的错误,即如果userName或者password特别是不正确的状态?

4

4 回答 4

3

不要透露太多细节,只是给出一个简单的登录错误信息,但不要说用户名不正确或密码不正确,因为黑客可以使用该信息

一个简单的文字说登录不成功应该没问题

于 2012-06-29T10:48:40.957 回答
2

你应该这样做:

public String Login(String userName, String password)
    {
        OleDbConnection connect = new OleDbConnection(connection);
        connect.Open();

        OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=?  and password =?", connect);
        command.CommandType = CommandType.Text;

        //to avoid sql injection
        command.Parameters.Add(userName);
        command.Parameters.Add(password);

        OleDbDataAdapter adapter = new OleDbDataAdapter();
        adapter.SelectCommand = command;
        DataSet NSNSet = new DataSet();
        adapter.Fill(NSNSet);

        if (NSNSet.Tables[0].Rows.Count == 0)
            return "Access denied";

        string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();
        int userID = int.Parse(NSNSet.Tables[0].Rows[0]["UID"].ToString());
        return username + "," + userID;
    }

或者更好的方法,使用 DataReader 来提高性能:

public String Login(String userName, String password)
    {

        OleDbConnection connect = new OleDbConnection(connection);
        connect.Open();

        OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=?  and password =?", connect);
        command.CommandType = CommandType.Text;

        //to avoid sql injection
        command.Parameters.Add(userName);
        command.Parameters.Add(password);

        OleDbDataReader reader=command.ExecuteReader();
        if (reader.Read())
        {
            //that means there's at least one row
            string username = reader["firstName"] + " " + reader["lastName"];
            int userID = int.Parse(reader["UID"].ToString());
            return username + "," + userID;
        }
        else
        {
            //no combination username-password found
            return "Access denied";
        }
    }
于 2012-06-29T11:21:22.893 回答
1

首先,此代码对 SQL 注入开放。其次,如果您想具体知道哪个元素不正确,则必须将查询分解为两个组件(即分别查询用户名和密码)

于 2012-06-29T10:48:17.170 回答
1

您可以将您的选择查询稍微更改为:

"select * from login where userName='"+userName+"'";

如果 DataSet 中没有行,则写入

Invalid UserName

如果用户存在然后检查密码是否匹配如果不匹配然后写

Invalid Password
于 2012-06-29T10:52:43.177 回答