[英]Getting Data From Sql Server 2008 with C#
I'm trying to make a login facility for Windows Forms Application project. 我正在尝试为Windows Forms Application项目创建一个登录工具。 I'm using Visual Studio 2010 and MS Sql Server 2008. 我正在使用Visual Studio 2010和MS Sql Server 2008。
I referenced this article: http://www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C 我引用了这篇文章: http : //www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C
Here is my database table named user: 这是我的名为user的数据库表:
I have TextBox1
for user name , TextBox2
for user password and Button1
for starting login process . 我TextBox1
户名的 TextBox1
, 用户密码的 TextBox2
和用于启动登录过程的 Button1
。 Here is my code for Button1_Click
method: 这是我的Button1_Click
方法的代码:
private void button1_Click(object sender, EventArgs e)
{
string kullaniciAdi; // user name
string sifre; // password
SqlConnection myConn = new SqlConnection();
myConn.ConnectionString = "Data Source=localhost; database=EKS; uid=sa; pwd=123; connection lifetime=20; connection timeout=25; packet size=1024;";
myConn.Open();
try
{
SqlDataReader myReader;
string myQuery = ("select u_password from user where u_name='" + textBox1.Text + "';");
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myReader = myCommand.ExecuteReader();
while (myReader.Read())
{
sifre = myReader["u_password"].ToString();
}
}
catch (Exception x)
{
MessageBox.Show(x.ToString());
}
myConn.Close();
}
I don't have much experience with C# but i think i'm missing something small to do it right. 我对C#没有多少经验,但我认为我错过了一些小的做法。 Below i share exception message that i catched. 下面我分享了我捕获的异常消息。 Can you show me what i'm missing? 你能告诉我我错过了什么吗? (line 33 is myReader = myCommand.ExecuteReader();
) (第33行是myReader = myCommand.ExecuteReader();
)
Considerin given answers, i updated my try block as in below but it still does not work. 考虑给出答案,我更新了我的尝试块,如下所示,但它仍然无法正常工作。
try
{
SqlDataReader myReader;
string myQuery = ("select u_password from [user] where u_name=@user");
SqlCommand myCommand = new SqlCommand(myQuery, myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);
myReader = myCommand.ExecuteReader();
while (myReader.Read())
{
sifre = myReader["u_password"].ToString();
}
if (textBox2.Text.Equals(sifre))
{
Form2 admnPnl = new Form2();
admnPnl.Show();
}
}
After changing whole code as below by sine's suggestion, screenshot is also below: And i think, somehow i cannot assign password in database to the string sifre. 在通过正弦的建议改变整个代码之后,截图也在下面:我认为,不知何故,我无法将数据库中的密码分配给字符串sifre。
code: 码:
string sifre = "";
var builder = new SqlConnectionStringBuilder();
builder.DataSource = "localhost";
builder.InitialCatalog = "EKS";
builder.UserID = "sa";
builder.Password = "123";
using (var conn = new SqlConnection(builder.ToString()))
{
using (var cmd = new SqlCommand())
{
cmd.Connection = conn;
cmd.CommandText = "select u_password from [user] where u_name = @u_name";
cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
conn.Open();
using (var reader = cmd.ExecuteReader())
{
while (reader.Read())
{
var tmp = reader["u_password"];
if (tmp != DBNull.Value)
{
sifre = reader["u_password"].ToString();
}
}
if (textBox2.Text.Equals(sifre))
{
try
{
AdminPanel admnPnl = new AdminPanel();
admnPnl.Show();
}
catch (Exception y)
{
MessageBox.Show(y.ToString());
}
}
else
{
MessageBox.Show("incorrect password!");
}
}
}
}
User
is a reserved keyword in T-SQL. User
是T-SQL中的保留关键字 。 You should use it with square brackets like [User]
. 你应该使用方括号,如[User]
。
And you should use parameterized sql instead. 你应该使用参数化的sql代替。 This kind of string concatenations are open for SQL Injection attacks. 这种字符串连接对SQL注入攻击是开放的。
string myQuery = "select u_password from [user] where u_name=@user";
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);
As a general recomendation, don't use reserved keywords for your identifiers and object names in your database. 作为一般推荐, 请勿在数据库中使用保留关键字作为标识符和对象名称。
Try to put user into [ ] because it is a reseved Keyword in T-SQL and use Parameters, your code is open to SQL-Injection! 尝试将用户放入[]因为它是T-SQL中重新创建的关键字并使用参数,您的代码对SQL注入开放!
private void button1_Click(object sender, EventArgs e)
{
var builder = new SqlConnectionStringBuilder();
builder.DataSource = "servername";
builder.InitialCatalog = "databasename";
builder.UserID = "username";
builder.Password = "yourpassword";
using(var conn = new SqlConnection(builder.ToString()))
{
using(var cmd = new SqlCommand())
{
cmd.Connection = conn;
cmd.CommandText = "select u_password from [user] where u_name = @u_name";
cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
conn.Open();
using(var reader = cmd.ExecuteReader())
{
while (reader.Read())
{
var tmp = reader["u_password"];
if(tmp != DBNull.Value)
{
sifre = reader["u_password"].ToString();
}
}
}
}
}
}
User
is a reserved keyword in SQL, you need to do this: User
是SQL中的保留关键字,您需要这样做:
select u_password from [user] where u_name=@user
And as ever, with basic SQL questions, you should always use parameterised queries to prevent people from running any old commands on your DB via a textbox. 与以往一样,对于基本的SQL问题,您应该始终使用参数化查询来阻止人们通过文本框在您的数据库上运行任何旧命令。
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);
USER is a reserved word in T-SQL USER是T-SQL中的保留字
Try putting [] around reserved words. 尝试将[]放在保留字周围。
string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");
Change it to something like 把它改成类似的东西
string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");
Futher to that I recomend you have a look at Using Parameterized queries to prevent SQL Injection Attacks in SQL Server 除此之外,我建议您查看使用参数化查询来防止SQL Server中的SQL注入攻击
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.