-2

我是 .Net 技术的初学者。我想开发一个带有用户名、密码和按钮组件的 Web 应用程序、登录模块。我有问题。所以请帮助我正确地做登录模式。

登录模块设计

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;


namespace WebApplication2_loginPageTest
{
public partial class _Default : System.Web.UI.Page
{

    protected void btnlogin_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection("DataBase=SOUMENROY-PC;Server=(local)");
        SqlDataAdapter da ;
        string mSql = " Select * from login1 where username = '" + tbusername.Text +   
 "' + and password = '" +  tbpassword.Text + "' ";
        da = new SqlDataAdapter(mSql, con);
        con.Open();
        DataSet ds = new DataSet();
        da.Fill(ds);
        if (ds.Tables[0].Rows.Count > 0)
        {
            Response.Write("<Script> alert (uid & pass taken.)</script>");
        }
        else 
        {
            Response.Write("<Script> alert (uid & pass ok.)</script>");
        }




    }
 }
 }
4

1 回答 1

1

在我们等待有关您所面临问题的更多信息时,我想指出您的查询目前容易受到 SQL 注入的攻击。这是我将如何重写它:

using(var con = new SqlConnection("DataBase=SOUMENROY-PC;Server=(local)"))
using (var cmd = new SqlCommand("select count(*) from login1 where username = @username and password = @password", con))
{
    cmd.Parameters.AddWithValue("@username", username);
    cmd.Parameters.AddWithValue("@password", password);

    con.Open();
    var result = (int)cmd.ExecuteScalar();

    if (result > 0)
    {
        // credentials are valid
    }
}

如果您需要任何澄清,请告诉我。

于 2013-11-13T05:04:45.653 回答