using System.Data.SqlClient;

// Login query built by string concatenation (the form the later replies object to)
string selStr = "select * from AdminUser where uid='" + txtUid.Text + "' and pwd='" + txtPwd.Text + "'";
SqlConnection cnn = new SqlConnection(myClass.cnnStr);
cnn.Open();
SqlCommand cmd = new SqlCommand(selStr, cnn);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.HasRows)
{
    dr.Read();
    Session["success"] = "successed";
    Session["pow"] = dr.GetValue(3);           // 4th column holds the privilege flag
    if (Session["pow"].ToString() == "1") visibleControl(true);
    Session["userId"] = txtUid.Text;
    Panel1.Visible = false;
}
else
{
    Response.Write("<script>alert('用户名或密码错误!')</script>");
}
Change it like this and it will work. Also, there is no stored procedure here like you said~~~
e.g. oledbCommand --> sqlCommand
{
    // sql and conn are defined earlier in the poster's code
    SqlCommand cmd = new SqlCommand(sql, conn);
    cmd.Parameters.AddWithValue("@Name", "");
    conn.Open();
    // CloseConnection closes conn when the reader is closed
    SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.CloseConnection);
    while (dr.Read())
    { }
    conn.Close();
}
ASP.NET provides parameterized queries; how can you not use them.
Security is a permanent requirement. Concatenated SQL like the one below, and against "AdminUser" at that, can be cracked in an instant:
string selStr = "select * from AdminUser where uid='" + txtUid.Text + "' and pwd='" + txtPwd.Text + "'";
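An added example (not code from any reply in this thread) of the parameterized form the last reply recommends, written against the thread's AdminUser table and myClass.cnnStr; the column types and lengths for uid and pwd are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hardened replacement for the concatenated login query in the thread.
// Assumes the AdminUser table from the thread, with columns uid, pwd and pow.
public static class AdminLogin
{
    // Returns the user's pow value, or null when no row matches.
    // uid and pwd travel as parameter values, never as SQL text, so input
    // such as  ' OR '1'='1  is compared literally against the column.
    public static string TryLogin(string cnnStr, string uid, string pwd)
    {
        const string selStr =
            "SELECT pow FROM AdminUser WHERE uid = @uid AND pwd = @pwd";

        using (SqlConnection cnn = new SqlConnection(cnnStr))
        using (SqlCommand cmd = new SqlCommand(selStr, cnn))
        {
            // Explicit types and lengths (assumed to match the columns) avoid
            // AddWithValue's type inference and keep the plan cache stable.
            cmd.Parameters.Add("@uid", SqlDbType.NVarChar, 50).Value = uid;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 100).Value = pwd;

            cnn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read()) return null;       // wrong uid or pwd
                return dr.GetValue(0).ToString();  // privilege flag
            }
        }
    }
}

// In the page's button handler, in place of building selStr by hand:
//   string pow = AdminLogin.TryLogin(myClass.cnnStr, txtUid.Text, txtPwd.Text);
//   if (pow == null) { /* show the "用户名或密码错误" alert */ }
//   else { Session["pow"] = pow; if (pow == "1") visibleControl(true); }
```

The using blocks dispose the connection and reader on every path, so the connection is not left open when an exception is thrown before conn.Close().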