btnOlign_Click
{
// Login handler shown as the FLAWED version (the text below the method explains why):
// both form values are spliced into the SQL text, so the query is built from untrusted input.
SqlConnection cn = new SqlConnection("Data Source=LICB;Initial Catalog=pubs;Integrated Security=True");
cn.Open();
// TextBox1.Text and txtPassord become part of the SQL statement itself, so a quote character in either
// field rewrites the WHERE clause (SQL injection) instead of being treated as data.
// Two further problems: txtPassord is concatenated without .Text (if it is the TextBox control, its
// ToString() result is what lands in the query), and the trailing `and '<value>'` names no column at
// all -- SQL Server rejects a bare string literal where a condition is expected.
SqlCommand cmd = new SqlCommand("select * from users where name='"+TextBox1.Text+"' and '"+txtPassord+"'",cn);
SqlDataReader dr = cmd.ExecuteReader();
// Any returned row counts as a successful login.
if (dr.Read())
{
// NOTE(review): HttpResponse exposes Write, not WriteL -- presumably Response.Write as on the else branch.
Response.WriteL("成功");
}
else
Response.Write("错误");
// Reader and connection are only closed on the happy path; if ExecuteReader throws, the open
// connection is leaked (no using / finally).
cn.Close();
}
这样的 SQL 登录方法是不严谨的：用户输入被直接拼接进 SQL 语句。
只要在txtPassword框中写入 12 'or 1='1就可登陆成功
我的方法是
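// Login check with the user name bound as a SqlParameter instead of being spliced into the SQL text,
// so quote characters in TextBox1.Text cannot alter the query. Connection, command and reader are
// disposed by `using`, including when Open()/ExecuteReader() throw (the original only closed on the
// happy path). Only the column actually read is selected.
using (SqlConnection cn = new SqlConnection("Data Source=LICB;Initial Catalog=pubs;Integrated Security=True"))
using (SqlCommand cmd = new SqlCommand("select password from users where name=@name", cn))
{
    // No explicit Size: the parameter length is taken from the value, so long names are not truncated.
    cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = TextBox1.Text;
    cn.Open();
    using (SqlDataReader dr = cmd.ExecuteReader())
    {
        if (dr.Read())
        {
            // NOTE(review): the stored value is compared as plain text, i.e. the users table holds
            // passwords in the clear; storing a salted hash and comparing hashes is the usual fix.
            // (string == is an ordinal comparison, which is what a credential check wants.)
            if (dr["password"].ToString() == TextBox2.Text)
            {
                Response.Write("登陆成功!");
            }
            else
            {
                Response.Write("密码出错");
            }
        }
        else
        {
            // NOTE(review): a message distinct from the wrong-password case reveals which user
            // names exist; one generic "login failed" text for both branches avoids that.
            Response.Write("用户名不存在");
        }
    }
}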
{
// FLAWED version (explained in the text below): both form values are spliced into the SQL text,
// so the query is built from untrusted input.
SqlConnection cn = new SqlConnection("Data Source=LICB;Initial Catalog=pubs;Integrated Security=True");
cn.Open();
// TextBox1.Text and txtPassord become part of the SQL statement itself, so a quote character in either
// field rewrites the WHERE clause (SQL injection) instead of being treated as data.
// Also: txtPassord is concatenated without .Text (if it is the TextBox control, its ToString() result
// is what lands in the query), and the trailing `and '<value>'` names no column -- SQL Server rejects
// a bare string literal where a condition is expected.
SqlCommand cmd = new SqlCommand("select * from users where name='"+TextBox1.Text+"' and '"+txtPassord+"'",cn);
SqlDataReader dr = cmd.ExecuteReader();
// Any returned row counts as a successful login.
if (dr.Read())
{
// NOTE(review): HttpResponse exposes Write, not WriteL -- presumably Response.Write as on the else branch.
Response.WriteL("成功");
}
else
Response.Write("错误");
// Reader and connection are only closed on the happy path; if ExecuteReader throws, the open
// connection is leaked (no using / finally).
cn.Close();
}
这样的 SQL 登录方法是不严谨的：用户输入被直接拼接进 SQL 语句。
只要在txtPassword框中写入 12 'or 1='1就可登陆成功
我的方法是
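// Login check with the user name bound as a SqlParameter instead of being spliced into the SQL text,
// so quote characters in TextBox1.Text cannot alter the query. Connection, command and reader are
// disposed by `using`, including when Open()/ExecuteReader() throw (the original only closed on the
// happy path). Only the column actually read is selected.
using (SqlConnection cn = new SqlConnection("Data Source=LICB;Initial Catalog=pubs;Integrated Security=True"))
using (SqlCommand cmd = new SqlCommand("select password from users where name=@name", cn))
{
    // No explicit Size: the parameter length is taken from the value, so long names are not truncated.
    cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = TextBox1.Text;
    cn.Open();
    using (SqlDataReader dr = cmd.ExecuteReader())
    {
        if (dr.Read())
        {
            // NOTE(review): the stored value is compared as plain text, i.e. the users table holds
            // passwords in the clear; storing a salted hash and comparing hashes is the usual fix.
            // (string == is an ordinal comparison, which is what a credential check wants.)
            if (dr["password"].ToString() == TextBox2.Text)
            {
                Response.Write("登陆成功!");
            }
            else
            {
                Response.Write("密码出错");
            }
        }
        else
        {
            // NOTE(review): a message distinct from the wrong-password case reveals which user
            // names exist; one generic "login failed" text for both branches avoids that.
            Response.Write("用户名不存在");
        }
    }
}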
// Typed parameter for the user name (VarChar, max 15 chars); binding the value through it keeps
// the input out of the SQL text.
var p = new SqlParameter("@name", SqlDbType.VarChar, 15);
调用 Command 执行命令时把 p 添加进去（cmd.Parameters.Add(p)），并在 SQL 语句里用 @name 代替拼接的值，否则参数不起作用。
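// Count matching rows with both values bound as parameters. The original still concatenated
// TextBox1.Text and txtPassord into the SQL text, so the @name parameter declared above was never
// actually used and the query remained injectable.
SqlCommand cmd = new SqlCommand("select count(*) from users where name=@name and pws=@pws", cn);
cmd.Parameters.Add("@name", SqlDbType.VarChar, 15).Value = TextBox1.Text;
// NOTE(review): assumes txtPassord is the password TextBox (the original concatenated the control
// itself, not its .Text). Comparing pws in SQL means the column holds the password in clear text;
// a salted hash column is the usual fix.
cmd.Parameters.Add("@pws", SqlDbType.VarChar).Value = txtPassord.Text;
// ExecuteScalar (not ExecuteScaler) returns the single count(*) value.
int count = Convert.ToInt32(cmd.ExecuteScalar());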
然后判断 count 的值（大于 0 表示用户名和密码匹配，登录成功）。