我做了一个登录页面,但是怎么登陆成功与否都直接转向loginFail.htm页面,就是我数据库里面有cyx用户和密码cyx,但是还是提示登陆失败页面loginFail.htm,顺便问下,我下面的登陆界面是不是不安全的登陆,如果是安全的登陆界面应该如何写呢???谢谢!!!! private void Page_Load(object sender, System.EventArgs e)
{
// 在此处放置用户代码以初始化页面
string userName=Request.Form["userName"];
string userPwd=Request.Form.Get("userPwd");
SqlConnection con=new SqlConnection("server=.;database=Northwind;uid=sa;pwd=12345");
con.Open();
SqlCommand cmd=new SqlCommand("select count(*) from login where userName='"+userName+"'and userPwd='"+userPwd+"'",con);
int count=Convert.ToInt32(cmd.ExecuteScalar());
if(count>0)
{
Response.Redirect("main.aspx");
}
else
{
Response.Redirect("loginFail.htm");
}
}
{
// 在此处放置用户代码以初始化页面
string userName=Request.Form["userName"];
string userPwd=Request.Form.Get("userPwd");
SqlConnection con=new SqlConnection("server=.;database=Northwind;uid=sa;pwd=12345");
con.Open();
SqlCommand cmd=new SqlCommand("select count(*) from login where userName='"+userName+"'and userPwd='"+userPwd+"'",con);
int count=Convert.ToInt32(cmd.ExecuteScalar());
if(count>0)
{
Response.Redirect("main.aspx");
}
else
{
Response.Redirect("loginFail.htm");
}
}
可以用
int count=(int)(cmd.ExecuteScalar();是不安全,你可以用下面的帐号和密码试试:
' or 'a'='a
' or 'a'='a
int count=(int)(cmd.ExecuteScalar();另外,这个代码很不安全,看看有关SQL注入攻击的资料...
应该用正则把不安全的代码替换掉 如< >等 规定只能输入什么样 的字符当用户输入一些注入攻击代码时 系统就不安全了
例如 string retVal=username;
retVal=retVal.Replace("&","&");
retVal=retVal.Replace("\"",""");
retVal=retVal.Replace("<","<");
retVal=retVal.Replace(">",">");
retVal=retVal.Replace(" "," ");
retVal=retVal.Replace(" "," ");
retVal=retVal.Replace("\t"," ");
retVal=retVal.Replace("\r", "<br>");
userName='"+userName+"'and userPwd='"+userPwd+"'
改成用参数吧写成userName=@userName and userPwd=@userPwd
cmd.Parameters.Add('@userName',type,size).Value=userName.Text;
...............