using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient; public partial class login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void postuser_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.AppSettings["conn"]);
con.Open();
string cmdstr = "select * from h_p_companyuser where h_p_username='"+uname.Text.Trim()+"' and h_p_password='"+upass.Text.Trim()+"'";
SqlCommand command = new SqlCommand(cmdstr,con);
int i = (int)command.ExecuteScalar();
try
{
if (i>0)
{
Session["username"] = uname.Text;
Response.Redirect("logincheck.aspx");
}
else
{
errers.Text = "用户名或密码错误!";
}
}
catch
{
errers.Text = "数据库连接错误!!";
}
finally
{
con.Close();
}
}
}
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient; public partial class login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void postuser_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.AppSettings["conn"]);
con.Open();
string cmdstr = "select * from h_p_companyuser where h_p_username='"+uname.Text.Trim()+"' and h_p_password='"+upass.Text.Trim()+"'";
SqlCommand command = new SqlCommand(cmdstr,con);
int i = (int)command.ExecuteScalar();
try
{
if (i>0)
{
Session["username"] = uname.Text;
Response.Redirect("logincheck.aspx");
}
else
{
errers.Text = "用户名或密码错误!";
}
}
catch
{
errers.Text = "数据库连接错误!!";
}
finally
{
con.Close();
}
}
}
and h_p_password=@password";
SqlCommand command = new SqlCommand(cmdstr,con);
sqlparameter para1=new ();
para1.value=textbox1.text;
sqlparameter para2=new ();
para2.value=textbox2.text;
command.paramerter.add(para1);
command.paramerter.add(para2);
int i = (int)command.ExecuteScalar();
try
{
if (i>0)
{
Session["username"] = uname.Text;
Response.Redirect("logincheck.aspx");
}
else
{
errers.Text = "用户名或密码错误!";
}
}
catch
{
errers.Text = "数据库连接错误!!";
}
finally
{
con.Close();
}
1.存储过程
2.不安全字符过滤(replace方法)
3.比较加密字符串(用户名可以算定义加密算法,密码可以用ha1,md5系统有这两个算法的直接引用)
para1.value=uname.Text;
sqlparameter para2=new();
para2.value=upass.Text;
command.paramerter.add(para1);
command.paramerter.add(para2);这几句是 什么意思 sqlparameter para1=new();
sqlparameter para2=new();
为什么总报错呢?
下面自己改
参数化查询,就可以放在注入