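-- UserLogin: two-step credential check for the login form.
--   @UserID          login name to look up (input only; the original also
--                    assigned 0 to it on failure, but a caller never sees
--                    writes to an input parameter, so that dead store is gone)
--   @Password        submitted password, compared with Users.Password
--   @OptDescription  OUTPUT:  'noUser'    - no row with that UserID
--                             'UserError' - user exists, password mismatch
--                             'access'    - both matched
-- Return value: 0; the outcome is carried by @OptDescription alone.
--
-- The two SELECTs are kept because the original streamed their result sets
-- to the client; inside the procedure they only exist to drive @@ROWCOUNT.
-- NOTE(review): Users.Password is compared as a plain varchar, so the table
-- appears to hold passwords in clear text - store a salted hash and compare
-- against that. varchar(10) also silently truncates longer input, and case
-- sensitivity of the match depends on the column collation; confirm both.
CREATE PROCEDURE UserLogin
    @UserID varchar(10),
    @Password varchar(10),
    @OptDescription varchar(50) OUTPUT
AS
BEGIN
    -- Suppress "N rows affected" messages (extra packets on the wire);
    -- @@ROWCOUNT is not affected by this setting.
    SET NOCOUNT ON;

    SELECT UserID FROM Users WHERE UserID = @UserID;
    -- @@ROWCOUNT must be read by the statement immediately after the SELECT.
    IF @@ROWCOUNT < 1
    BEGIN
        SET @OptDescription = 'noUser';
    END
    ELSE
    BEGIN
        SELECT UserID FROM Users WHERE UserID = @UserID AND Password = @Password;
        IF @@ROWCOUNT < 1
        BEGIN
            SET @OptDescription = 'UserError';
        END
        ELSE
        BEGIN
            SET @OptDescription = 'access';
        END
    END

    RETURN 0;
END
GO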
用户和密码认证?不就是一条SQL语句的问题吗 select * from user1 where username =textbox1.text and code=textbox2.text 执行后得到结果集中行数大于1验证通过来接分的
用户和密码认证?不就是一条SQL语句的问题吗 select * from user1 where username =textbox1.text and code=textbox2.text 执行后得到结果集中行数大于1验证通过 来接分的这样很容易造成注入式攻击,别人在用户名输入 'or 1=1 保证让正常进入你的系统
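// Existence check for a username/password pair with bound parameters:
// whatever is typed into the textboxes travels as data, so a quote or an
// "or 1=1" fragment cannot change the statement. Only "1" is selected
// because the reader is used solely to learn whether a row matched.
// NOTE(review): `code` is compared against the stored value as-is, which
// implies clear-text passwords in user1; store a salted hash instead and
// compare against that.
// con is assumed to be an existing, closed SqlConnection.
using (SqlCommand cmd = new SqlCommand("select 1 from user1 where username=@u1 and code=@u2", con))
{
    // AddWithValue infers nvarchar from a .NET string; give an explicit
    // SqlDbType/size if the columns are varchar so the index stays usable.
    cmd.Parameters.AddWithValue("@u1", textBox1.Text);
    cmd.Parameters.AddWithValue("@u2", textBox2.Text);
    con.Open();
    try
    {
        // Dispose the reader even if Read() or the MessageBox throws.
        using (SqlDataReader read = cmd.ExecuteReader())
        {
            if (read.Read())
            {
                MessageBox.Show("存在");
            }
            else
            {
                MessageBox.Show("不存在");
            }
        }
    }
    finally
    {
        // The original only closed on the happy path.
        con.Close();
    }
}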
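// Look up the stored password for the submitted user name and compare it.
// The user name is bound as a parameter rather than concatenated into the
// SQL text, so quotes or SQL fragments typed into tbUserName are data, not
// part of the statement. Only the column that is read below is selected.
// NOTE(review): UserPassword is compared as stored, i.e. clear text in the
// Users table; it should hold a salted hash and the comparison should be
// done against that hash.
// con is assumed to be an open SqlConnection (the original did not open it).
using (SqlCommand com = new SqlCommand())
{
    com.CommandText = "Select UserPassword from Users where UserName=@UserName";
    com.CommandType = CommandType.Text;
    com.Connection = con;
    com.Parameters.AddWithValue("@UserName", tbUserName.Text);

    bool authenticated = false;
    // The reader is disposed before Response.Redirect, which ends the request
    // (ThreadAbortException in classic ASP.NET) and would otherwise leak it.
    using (SqlDataReader reader = com.ExecuteReader())
    {
        if (reader.Read())
        {
            string Password = reader["UserPassword"].ToString();
            string strPassword = tbUserPassword.Text;
            authenticated = (Password == strPassword);
        }
    }

    if (authenticated)
    {
        // NOTE(review): UserID is not defined in this snippet - presumably a
        // page-level field, or it was meant to come from the row; confirm.
        Session["uid"] = UserID;
        Session["name"] = tbUserName.Text;
        Response.Redirect("index.aspx");
    }
    else
    {
        // Unknown user and wrong password take the same path, as before.
        Response.Redirect("login.aspx");
    }
}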
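// NOTE(review): server name and credentials are hard-coded in source; read
// the connection string from configuration and never commit a real password.
// "localhots" looks like a typo for "localhost" - confirm. The literal is
// left unchanged here.
// NOTE(review): `code` is compared against the stored value as-is, which
// implies clear-text passwords in user1; store a salted hash instead.
using (SqlConnection con = new SqlConnection("Server=localhots;uid=THEBESTMAN/fengxiang;pwd=;database=consumer"))
using (SqlCommand cmd = new SqlCommand("select 1 from user1 where username=@u1 and code=@u2", con))
{
    // Bound parameters: textbox contents cannot alter the statement.
    cmd.Parameters.AddWithValue("@u1", textBox1.Text);
    cmd.Parameters.AddWithValue("@u2", textBox2.Text);
    con.Open();

    bool found;
    // Finish with the reader before calling login(); the original called it
    // while the reader was still open and never closed the connection.
    using (SqlDataReader read = cmd.ExecuteReader())
    {
        found = read.Read();
    }

    if (found)
    {
        login();
    }
    else
    {
        label3.Text = "用户名或者密码输入有误";
    }
}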
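// Assumes a SqlConnection object named sqlcon has already been created.
// The textbox values are bound as parameters; the original spliced them into
// the SQL with string.Format, which let the input rewrite the statement.
// NOTE(review): both parameters read textBox.Text (the same control) -
// presumably one was meant to be a second textbox; confirm.
// NOTE(review): `code` is compared against the stored value as-is, which
// implies clear-text passwords in user1; store a salted hash instead.
string str = "select 1 from user1 where username=@u1 and code=@u2";
SqlCommand sqlcom = sqlcon.CreateCommand();
sqlcom.CommandType = CommandType.Text;
sqlcom.CommandText = str;
sqlcom.Parameters.AddWithValue("@u1", textBox.Text);
sqlcom.Parameters.AddWithValue("@u2", textBox.Text);
try
{
    sqlcon.Open();
    // ExecuteNonQuery returns -1 for every SELECT, so the original printed
    // "password correct" regardless of the match. ExecuteScalar returns null
    // when no row matched and the first column of the first row otherwise.
    if (sqlcom.ExecuteScalar() != null)
    {
        Console.WriteLine("用户密码正确");
    }
}
catch (Exception ex)
{
    // Still best-effort, but the failure is no longer swallowed silently.
    Console.Error.WriteLine(ex.Message);
}
finally
{
    // Release the command and connection on every path, not just success.
    sqlcom.Dispose();
    sqlcon.Close();
    sqlcon.Dispose();
}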
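// Parameterised existence check: the textbox contents are bound values, so
// they cannot change the statement. "select 1" replaces "select *" because
// the reader only answers "did a row match", and fetching every column
// (including the password) was wasted traffic.
// NOTE(review): `code` is compared against the stored value as-is, which
// implies clear-text passwords in user1; store a salted hash instead.
// con is assumed to be an existing, closed SqlConnection.
using (SqlCommand cmd = new SqlCommand("select 1 from user1 where username=@u1 and code=@u2", con))
{
    cmd.Parameters.AddWithValue("@u1", textBox1.Text);
    cmd.Parameters.AddWithValue("@u2", textBox2.Text);
    con.Open();
    try
    {
        using (SqlDataReader read = cmd.ExecuteReader())
        {
            if (read.Read())
            {
                MessageBox.Show("存在");
            }
            else
            {
                MessageBox.Show("不存在");
            }
        }
    }
    finally
    {
        // Close on the error path too; the original closed only on success.
        con.Close();
    }
}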
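// Parameterised existence check; the textbox contents are bound values and
// cannot alter the statement. con is an existing SqlConnection that the
// following line closes, so this block only disposes the command and reader
// (the original left both undisposed).
// NOTE(review): `code` is compared against the stored value as-is, which
// implies clear-text passwords in user1; store a salted hash instead.
using (SqlCommand cmd = new SqlCommand("select 1 from user1 where username=@u1 and code=@u2", con))
{
    cmd.Parameters.AddWithValue("@u1", textBox1.Text);
    cmd.Parameters.AddWithValue("@u2", textBox2.Text);
    con.Open();
    using (SqlDataReader read = cmd.ExecuteReader())
    {
        // Only whether at least one row matched is of interest.
        if (read.Read())
        {
            MessageBox.Show("存在");
        }
        else
        {
            MessageBox.Show("不存在");
        }
    }
}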
con.Close();用參數是對的,如果不怕'出現錯誤的話.
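// Fetch the stored password for the submitted user name and compare it.
// tbUserName.Text is bound as a parameter; the original concatenated it into
// the SQL text, so a quote in the textbox could rewrite the query.
// NOTE(review): UserPassword is compared as stored, i.e. clear text in the
// Users table; store a salted hash and compare against that instead.
// con is assumed to be an open SqlConnection (the original did not open it).
using (SqlCommand com = new SqlCommand())
{
    // Only the column read below is selected.
    com.CommandText = "Select UserPassword from Users where UserName=@UserName";
    com.CommandType = CommandType.Text;
    com.Connection = con;
    com.Parameters.AddWithValue("@UserName", tbUserName.Text);

    bool authenticated = false;
    // Dispose the reader before redirecting; Response.Redirect ends the
    // request and the original never closed it.
    using (SqlDataReader reader = com.ExecuteReader())
    {
        if (reader.Read())
        {
            string Password = reader["UserPassword"].ToString();
            string strPassword = tbUserPassword.Text;
            authenticated = (Password == strPassword);
        }
    }

    if (authenticated)
    {
        // NOTE(review): UserID is not defined in this snippet - presumably a
        // page-level field, or it was meant to come from the row; confirm.
        Session["uid"] = UserID;
        Session["name"] = tbUserName.Text;
        Response.Redirect("index.aspx");
    }
    else
    {
        // Unknown user and wrong password both land here, as before.
        Response.Redirect("login.aspx");
    }
}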
简单写了下,不知道有帮助没有,呵呵
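-- UserLogin: checks a login name, then the password for that name.
--   @UserID          login name to look up. Input only: the original wrote
--                    0 into it on failure, but the caller cannot observe a
--                    write to an input parameter, so that dead store is dropped.
--   @Password        submitted password, compared with Users.Password
--   @OptDescription  OUTPUT: 'noUser' (no such UserID), 'UserError'
--                    (password mismatch) or 'access' (both matched)
-- Returns 0; the outcome is reported through @OptDescription.
--
-- Both SELECTs are retained because the original sent their result sets to
-- the client; within the procedure they only feed @@ROWCOUNT.
-- NOTE(review): Users.Password is compared as a plain varchar, so the table
-- appears to store passwords in clear text - keep a salted hash and compare
-- against that. varchar(10) silently truncates longer input and the match's
-- case sensitivity follows the column collation; confirm both.
CREATE PROCEDURE UserLogin
    @UserID varchar(10),
    @Password varchar(10),
    @OptDescription varchar(50) OUTPUT
AS
BEGIN
    -- No "N rows affected" messages; @@ROWCOUNT is unaffected.
    SET NOCOUNT ON;

    -- Step 1: does the user exist at all?
    SELECT UserID FROM Users WHERE UserID = @UserID;
    IF @@ROWCOUNT < 1   -- must directly follow the SELECT it refers to
    BEGIN
        SET @OptDescription = 'noUser';
        RETURN 0;
    END

    -- Step 2: does the password match for that user?
    SELECT UserID FROM Users WHERE UserID = @UserID AND Password = @Password;
    IF @@ROWCOUNT < 1
    BEGIN
        SET @OptDescription = 'UserError';
        RETURN 0;
    END

    SET @OptDescription = 'access';
    RETURN 0;
END
GO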