String strSQL="SELECT * FROM 表名 where password=@password"; if(this.CBUserName.Checked){ //用户名被选中 strSQL+=" and username=@value"; }else{ strSQL+=" and idno=@value"; }
if (RadioButton_Uid.Checked == true) { SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True"); cn.Open(); SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn); SqlDataAdapter adapter = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adapter.Fill(ds, "cc"); cn.Close(); if (ds.Tables["cc"].Rows.Count == 1) { Session["uid"] = TextBox_Uid.Text; Session["pwd"] = TextBox_Pwd.Text; Session["org_user"] = "cg"; Response.Redirect("ActivityList.aspx"); } else { Label1.Text = "用户名或密码错误,请重新输入!"; } } else if (RadioButton_IdCard.Checked == true) { SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True"); cn.Open(); SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn); SqlDataAdapter adapter = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adapter.Fill(ds, "cc"); cn.Close(); if (ds.Tables["cc"].Rows.Count == 1) { Session["contacts_idcard"] = TextBox_Uid.Text; Session["pwd"] = TextBox_Pwd.Text; Session["org_user"] = "cg"; Response.Redirect("ActivityList.aspx"); } else { Label1.Text = "用户名或密码错误,请重新输入!"; } } 这样对吗?
if (RadioButton_Uid.Checked == true) { SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True"); cn.Open(); SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn); SqlDataAdapter adapter = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adapter.Fill(ds, "cc"); cn.Close(); if (ds.Tables["cc"].Rows.Count == 1) { Session["uid"] = TextBox_Uid.Text; Session["pwd"] = TextBox_Pwd.Text; Session["org_user"] = "cg"; Response.Redirect("ActivityList.aspx"); } else { Label1.Text = "用户名或密码错误,请重新输入!"; } } else if (RadioButton_IdCard.Checked == true) { SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True"); cn.Open(); SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn); SqlDataAdapter adapter = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adapter.Fill(ds, "cc"); cn.Close(); if (ds.Tables["cc"].Rows.Count == 1) { Session["contacts_idcard"] = TextBox_Uid.Text; Session["pwd"] = TextBox_Pwd.Text; Session["org_user"] = "cg"; Response.Redirect("ActivityList.aspx"); } else { Label1.Text = "用户名或密码错误,请重新输入!"; } } 这样对吗? 首先这两个radiobutton要绑定在一个组里面,然后就是你这个方式了,顺便说一句,你这个代码人家用SQL注入攻击你就挂了
if(this.CBUserName.Checked){ //用户名被选中
strSQL+=" and username=@value";
}else{
strSQL+=" and idno=@value";
}
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["uid"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
else if (RadioButton_IdCard.Checked == true)
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["contacts_idcard"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
这样对吗?
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["uid"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
else if (RadioButton_IdCard.Checked == true)
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["contacts_idcard"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
这样对吗?
首先这两个radiobutton要绑定在一个组里面,然后就是你这个方式了,顺便说一句,你这个代码人家用SQL注入攻击你就挂了
在aspx中设置RadioButton1,想要单选效果,必须把GroupName设置成一样的。不然跟多选没区别。
在后台再设置Button1_Click事件。
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["uid"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
else if (RadioButton_IdCard.Checked == true)
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["contacts_idcard"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
这样对吗? SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ if (RadioButton_Uid.Checked == true)
{
Session["contacts_idcard"] = TextBox_Uid.Text;
}
else
{
Session["pwd"] = TextBox_Pwd.Text;
}
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
这样是不是更好?
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ if (RadioButton_Uid.Checked == true)
{
Session["uid"] = TextBox_Uid.Text;
}
else
{
Session["contacts_idcard"] = TextBox_Uid.Text;
}
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["uid"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
else if (RadioButton_IdCard.Checked == true)
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["contacts_idcard"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
这样对吗?
首先这两个radiobutton要绑定在一个组里面,然后就是你这个方式了,顺便说一句,你这个代码人家用SQL注入攻击你就挂了
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ if (RadioButton_Uid.Checked == true)
{
Session["uid"] = TextBox_Uid.Text;
}
else
{
Session["contacts_idcard"] = TextBox_Uid.Text;
}
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
这样会不会挂
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where uid='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["uid"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
else if (RadioButton_IdCard.Checked == true)
{
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ Session["contacts_idcard"] = TextBox_Uid.Text;
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
}
else
{
Label1.Text = "用户名或密码错误,请重新输入!";
}
}
这样对吗?
首先这两个radiobutton要绑定在一个组里面,然后就是你这个方式了,顺便说一句,你这个代码人家用SQL注入攻击你就挂了
SqlConnection cn = new SqlConnection("Data Source=.;Initial Catalog=zyz;Integrated Security=True");
cn.Open();
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
adapter.Fill(ds, "cc");
cn.Close();
if (ds.Tables["cc"].Rows.Count == 1)
{ if (RadioButton_Uid.Checked == true)
{
Session["uid"] = TextBox_Uid.Text;
}
else
{
Session["contacts_idcard"] = TextBox_Uid.Text;
}
Session["pwd"] = TextBox_Pwd.Text;
Session["org_user"] = "cg";
Response.Redirect("ActivityList.aspx");
这样会不会挂
一样的,人家一旦发动SQL注入攻击你就挂了。
SqlCommand cmd = new SqlCommand("select * from org_user where contacts_idcard='" + TextBox_Uid.Text + "' and pwd='" + TextBox_Pwd.Text + "'", cn);
这一句里面的TextBox_Uid.Text和TextBox_Pwd.Text就是攻击源,你把文本框里面的东西直接给发往数据库查询了,人家在那里面写攻击代码你就挂了。