0

执行下面的代码时遇到问题。当我的用户名和密码为真时,我将收到此消息“无效的用户!使用有效的用户名和密码重试”。如果我输入错误的用户名 n 密码,则什么也不会发生(仍然无法进入下一个表单)。

private bool CompareStrings(string string1, string string2)
    {
        return String.Compare(string1, string2, true, System.Globalization.CultureInfo.InvariantCulture) == 0 ? true : false;
    }

    private void button1_Click(object sender, EventArgs e)
    {
        try 
        {
            SqlConnection con = new SqlConnection();
            con.ConnectionString = "Server = blabla; Database = MoinMoun; User Id = Aema; password = 12345";
            con.Open();

            //SqlCommand cmd = new SqlCommand("SELECT username,password FROM Admin WHERE username='" + txtusername.Text + "' and password='" + txtpassword.Text + "'", con);SELECT ISNULL(username,'') AS username, ISNULL(password,'') AS password FROM Admin WHERE username = '" + txtusername.Text + "' and password='" + txtpassword.Text + "'", con


            SqlCommand cmd = new SqlCommand("SELECT username,password FROM Admin WHERE username='" + txtusername.Text + "' and password='" + txtpassword.Text + "'", con);

            SqlDataReader dr = cmd.ExecuteReader();

            string usertext = txtusername.Text;
            string passtext = txtpassword.Text;

            while(dr.Read())
            {

                if(this.CompareStrings(dr["username"].ToString(), usertext) &&
                    this.CompareStrings(dr["password"].ToString(), passtext))
                {
                    Form2 frm = new Form2();
                    frm.Show();
                    this.Hide();                        
                }
                else
                {       
                    MessageBox.Show("Invalid User! Try again with VALID username and password");                        
                }
            }
            dr.Close();
            con.Close();
        }
        catch(Exception ex)
        {
            MessageBox.Show(ex.Message);

        }
    }
4

3 回答 3

0 
private void button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection();
    try
    {
        con.ConnectionString = "Server = blabla; Database = MoinMoun; User Id = Aema; password = 12345";
        con.Open();

        SqlCommand cmd = new SqlCommand("SELECT username,password FROM Admin WHERE username=@userName and password=@passWord", con);
        cmd.Parameters.Add(new SqlParameter("@userName", txtusername.Text));
        cmd.Parameters.Add(new SqlParameter("@passWord", txtpassword.Text));
        SqlDataReader dr = cmd.ExecuteReader();

        if (dr.Read())
        {
            con.Close();
            dr.Close();
            Form2 frm = new Form2();
            frm.Show();
            this.Hide();
        }
        else
        {
            MessageBox.Show("Invalid User! Try again with VALID username and password");
        }
        if (!dr.IsClosed)
            dr.Close();
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
    finally
    {
        if (con.State == System.Data.ConnectionState.Open)
            con.Close();
        con.Dispose();
    }
}

由于您已经在查询本身中比较用户名和密码,因此无需再次检查。

用于SqlParameter在执行查询之前验证用户输入,可以防止SQL 注入攻击。

还要始终尝试尽早关闭与 DB 的连接。您需要释放资源使用量。尝试关闭 finally 块中的连接,以确保在离开 try 块之前关闭连接。

于 2013-04-16T04:26:30.527 回答
0

使用这个:

 SqlParameter[] parameters = new SqlParameter[]
                             {
                                 new SqlParameter("@username", txtusername.Text),
                                 new SqlParameter("@pwd", txtpassword.Text)
                             };
SqlCommand cmd = new SqlCommand("SELECT username,password FROM Admin WHERE username=@username and password=@pwd", con);
cmd.Parameters.AddRange(parameters);
于 2013-04-16T04:23:01.317 回答
0

我同意我也将转向 sql 参数解决方案,并且我还将使用 trim 方法修剪您的输入文本以及任何额外的空白。

我还认为需要更多信息,例如 compareStrings 方法代码。比较字符串时,我会使用 .equals() 方法或 String.Compare() 。例如

Usertxt.equals(dr["username"].ToString());
String.Compare(usertxt,Dr["username"].ToString(),false);
于 2013-04-16T04:41:37.663 回答