3

我正在尝试让我的登录系统正常工作。目前,我认为除了 if 语句条件(如果返回行,则 if 语句为真,否则登录不成功)之外,我已经准备好让它工作的一切。我不确定如何读取返回的行数,我确实尝试使用 ExecuteReader 方法但无法让它工作。感谢任何帮助,谢谢。

代码:

private void btn_login_Click(object sender, EventArgs e)
{
    SqlCeConnection connection = new SqlCeConnection(@"Data Source=C:\\temp\\Project\\WindowsFormsApplication2\\Database.sdf");

    connection.Open();

    SqlCeCommand command = new SqlCeCommand("SELECT * FROM Technician WHERE Name = '" + txt_username.Text + "' AND Password = '" + txt_password.Text + "' ");
    SqlCeDataAdapter dataAdapter = new SqlCeDataAdapter(command);

    if ()
    {
        MessageBox.Show("Login Successful");
        System.Threading.Thread t = new System.Threading.Thread(new System.Threading.ThreadStart(MainMenuForm));
        t.Start();
        this.Close();
    }
    else
    {
        MessageBox.Show("Login Unsuccessful");
        return;
    }

    connection.Close();
}
4

4 回答 4

3

I have changed your code to use a simpler ExecuteScalar that returns the first column of the first row obtained by your query

Of course, it is of extreme importance that you don't write your sql commands concatenating strings because this could fail in spectacular ways. (What if your textboxes contains a single quote and what if your user writes malicious text like this 

using(SqlCeConnection connection = new SqlCeConnection(.....)) 
{
     connection.Open();
     string sqlText = "SELECT Count(*) FROM Technician WHERE Name = @name AND Password=@pwd"
     SqlCeCommand command = new SqlCeCommand(sqlText, connection);
     command.Parameters.AddWithValue("@name", txt_username.Text);
     command.Parameters.AddWithValue("@pwd", txt_password.Text);
     int result = (int)command.ExecuteScalar();
     if (result > 0)
     {
          MessageBox.Show("Login Successful");
          System.Threading.Thread t = new System.Threading.Thread(new System.Threading.ThreadStart(MainMenuForm));
          t.Start();
          this.Close();
     }
     else
     {
           MessageBox.Show("Login Unsuccessful");
           return;
     }
 }

Notice also the using statement, in your previous code you exit from the procedure if no login is found but you forget to close the connection. This could become a big problem during lifetime of your application. The Using statement prevents this

Now I should start talking about the weakness of storing and trasmitting passwords in clear text, but that is another matter

于 2013-04-19T11:38:32.290 回答
2

该方法 ExecuteNonQuery将返回受影响的行数。

int rowsAffected = command.ExecuteNonQuery();
bool userExists = rowsAffected > 0;
if (userExists) // The user exists
{

}

注意:但是您的应用程序容易受到 SQL 注入的攻击。即我可以进入;DROP TABLE Technician文本txt_password框。

您应该改用参数化查询或其他更安全的身份验证方法(例如 ASP.NET 成员资格)。

要使用参数化查询,您可以将其更改CommandText为:

 SqlCeCommand command = new SqlCeCommand("SELECT * FROM Technician WHERE Name=@username AND password=@password";

然后在via中添加参数:

    command.Parameters.AddWithValue("@username", txt_username.Text);  
    command.Parameters.AddWithValue("@password", txt_password.Text);

http://johnhforrest.com/2010/10/parameterized-sql-queries-in-c/

于 2013-04-19T11:36:19.683 回答
0 
    a=1;
    b=1;


 if a=b
    {
    a=c;
    } 
 else
    {
    a=b;
    }

else if
{
MessageBox.Show("Login Unsuccessful");
return i;
于 2013-04-26T11:37:34.893 回答
0

私人无效btn_login_Click(对象发送者,EventArgs e){

SqlConnection connection = new SqlConnection(@"Data Source=C:\\temp\\Project\\WindowsFormsApplication2\\Database.sdf");

connection.Open();

SqlCommand command = new SqlCommand("SELECT * FROM Technician WHERE Name = '" + txt_username.Text + "' AND Password = '" + txt_password.Text + "' ");
int row=command.ExecuteNonQuery();

if (row>0)
{
    MessageBox.Show("Login Successful");
    System.Threading.Thread t = new System.Threading.Thread(new System.Threading.ThreadStart(MainMenuForm));
    t.Start();
    this.Close();
}
else
{
    MessageBox.Show("Login Unsuccessful");
    return;
}

connection.Close();

}

于 2013-04-19T14:42:17.167 回答