3

我正在尝试为 Windows 窗体应用程序项目创建一个登录工具。我正在使用 Visual Studio 2010 和 MS Sql Server 2008。

我引用了这篇文章: http: //www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C

这是我的名为 user 的数据库表: 在此处输入图像描述

TextBox1 有用户名TextBox2 用户密码Button1 启动登录过程。这是我的Button1_Click方法代码:

private void button1_Click(object sender, EventArgs e)
{
    string kullaniciAdi; // user name
    string sifre; // password

    SqlConnection myConn = new SqlConnection();
    myConn.ConnectionString = "Data Source=localhost; database=EKS; uid=sa; pwd=123; connection lifetime=20; connection timeout=25; packet size=1024;";
    myConn.Open();
    try 
    {
        SqlDataReader myReader;
        string myQuery = ("select u_password from user where u_name='" + textBox1.Text + "';");
        SqlCommand myCommand = new SqlCommand(myQuery,myConn);
        myReader = myCommand.ExecuteReader();
        while (myReader.Read())
        {
            sifre = myReader["u_password"].ToString();
        }
    }
    catch (Exception x) 
    {
        MessageBox.Show(x.ToString());
    }
    myConn.Close();
}

我对 C# 没有太多经验,但我认为我错过了一些小事来做对。下面我分享我捕获的异常消息。你能告诉我我错过了什么吗?(第 33 行是myReader = myCommand.ExecuteReader();

在此处输入图像描述

考虑到给出的答案,我更新了我的尝试块,如下所示,但它仍然不起作用。

try
{
    SqlDataReader myReader;
    string myQuery = ("select u_password from [user] where u_name=@user");
    SqlCommand myCommand = new SqlCommand(myQuery, myConn);
    myCommand.Parameters.AddWithValue("@user", textBox1.Text);
    myReader = myCommand.ExecuteReader();
    while (myReader.Read())
    {
        sifre = myReader["u_password"].ToString();
    }

    if (textBox2.Text.Equals(sifre))
    {
        Form2 admnPnl = new Form2();
        admnPnl.Show();
    }
}

根据 sine 的建议如下更改整个代码后,屏幕截图如下: 而且我认为,不知何故,我无法将数据库中的密码分配给字符串 sifre。

代码:

string sifre = "";
var builder = new SqlConnectionStringBuilder();
builder.DataSource = "localhost";
builder.InitialCatalog = "EKS";
builder.UserID = "sa";
builder.Password = "123";

using (var conn = new SqlConnection(builder.ToString()))
{
    using (var cmd = new SqlCommand())
    {
        cmd.Connection = conn;
        cmd.CommandText = "select u_password from [user] where u_name = @u_name";
        cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
        conn.Open();

        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                var tmp = reader["u_password"];
                if (tmp != DBNull.Value)
                {
                    sifre = reader["u_password"].ToString();
                }
            }

            if (textBox2.Text.Equals(sifre))
            {
                try
                {
                    AdminPanel admnPnl = new AdminPanel();
                    admnPnl.Show();
                }
                catch (Exception y)
                {
                    MessageBox.Show(y.ToString());
                }
            }
            else
            {
                MessageBox.Show("incorrect password!");
            }
        }
    }
}

在此处输入图像描述

4

5 回答 5

4

User是 T-SQL 中的保留关键字。您应该将它与方括号一起使用,例如[User].

你应该改用参数化的sql。这种字符串连接对SQL 注入攻击是开放的。

string myQuery = "select u_password from [user] where u_name=@user";
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);

作为一般建议,不要对数据库中的标识符和对象名称使用保留关键字。

于 2013-09-16T13:59:13.177 回答
2

尝试将 user 放入 [ ],因为它是 T-SQL 中的保留关键字并使用参数,您的代码对 SQL 注入开放!

private void button1_Click(object sender, EventArgs e)
{
    var builder = new SqlConnectionStringBuilder();
    builder.DataSource = "servername";
    builder.InitialCatalog = "databasename";
    builder.UserID = "username";
    builder.Password = "yourpassword";

    using(var conn = new SqlConnection(builder.ToString()))
    {
        using(var cmd = new SqlCommand())
        {
            cmd.Connection = conn;
            cmd.CommandText = "select u_password from [user] where u_name = @u_name";
            cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
            conn.Open();

            using(var reader = cmd.ExecuteReader())
            {
                 while (reader.Read())
                 {
                     var tmp = reader["u_password"];
                     if(tmp != DBNull.Value)
                     {
                         sifre = reader["u_password"].ToString();
                     }
                 }
            }
        }
    }
}
于 2013-09-16T13:59:10.477 回答
1

User is a reserved keyword in SQL, you need to do this:

select u_password from [user]  where u_name=@user

And as ever, with basic SQL questions, you should always use parameterised queries to prevent people from running any old commands on your DB via a textbox.

SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);
于 2013-09-16T13:55:57.030 回答
1

USER is a reserved word in T-SQL

Try putting [] around reserved words.

string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");
于 2013-09-16T13:56:33.967 回答
1

用户是关键字。

将其更改为类似

string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");

除此之外,我建议您查看使用参数化查询来防止 SQL Server 中的 SQL 注入攻击

于 2013-09-16T13:57:13.567 回答