如何从C＃中的数据库中获取用户名和密码？

Question

I have the following code in my btn_click event:

Sqlconnection con = new Sqlconnection("server=.;database=bss;user id=ab;pwd=ab");
con.open();
SqlCommand cmd = new Sqlcommand("select * from login where username='" 
+ txt4name.Text + "' and pwd='" + txt4pwd.Text + "'", con);

SqlDataReader reader = cmd.execute Reader();

Where login is the table and username and pwd are its fields. After this code all the values are stored in the reader object. I want to store username and pwd in the separate variables.

How can I accomplish this?

Answer 1

In general, when accessing your DB, you should be using something similar to this instead to eliminate SQL injection vulnerabilities:

using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
    {                    
        myCommand.Parameters.AddWithValue("@username", user);
        myCommand.Parameters.AddWithValue("@password", pass);

        myConnection.Open();
        SqlDataReader myReader = myCommand.ExecuteReader())
        ...................
    }

But more realistically to store credentials, you should be using something like the Membership system instead of rolling your own.

Answer 2

You're running a huge risk of sql injection with that. Use SQL Parameters for values into SqlCommands.

Answer 3

If you mean c# variables, and if you want to get them from db, just do this:

SqlDataReader reader = cmd.execute Reader();
if (reader.Read())
{
    string username = reader["username"];
    string pwd = reader["password"];
}

While you are at it, parameterize your query and prevent sql injection:

SqlCommand cmd = new Sqlcommand("select * from login where username=@username and pwd=@pwd", con);
cmd.Parameters.AddWithValue("@username", txt4name.Text);
cmd.Parameters.AddWithValue("@pwd", txt4pwd.Text);

Answer 4

Definitely heed the advice about SQL injection but here is the answer to your question:

String username;
String pwd;

int columnIndex = reader.GetOrdinal("username");

if (!dataReader.IsDBNull(columnIndex))
{
    username = dataReader.GetString(columnIndex);
}

columnIndex = reader.GetOrdinal("pwd");

if (!dataReader.IsDBNull(columnIndex))
{
    pwd = dataReader.GetString(columnIndex);
}

Answer 5

private void but_login_Click(object sender, EventArgs e)
{
    string cn = "Data Source=.;Initial Catalog=mvrdatabase;Integrated Security=True";
    SqlConnection con = new SqlConnection(cn);
    con.Open();
    SqlCommand cmd = new SqlCommand("select count (*) from logintable where username ='" + txt_uname.Text + "'and password='" + txt_pass.Text + "'", con);
    int i = Convert.ToInt32(cmd.ExecuteScalar());
    con.Close();

    if (i == 1)
    {
        Form2 f2 = new Form2();
        MessageBox.Show("User login successfully........");
        this.Hide();
        f2.Show();
    }
    else
    {
        MessageBox.Show("INCORRECT USERID AND PASSWORD", "Error");
    }
}

Answer 6

string userName =  txt4name.Text;
string password =  txt4pwd.Text;

Is that really what you want? Just to get that data into variables?

Answer 7

You really need to use parameterized SQL. There's an example here Furthermore, your question doesn't really make sense; you want the username and password in seperate variables? they already are seperate in your example. If you are unable to assign them to strings I suggest following some tutorials .

Answer 8

Another approach is to load the reader results into a DataTable like so:

DataTable Result = new DataTable();

Result.Load(reader);

If your login table only contains two columns (userName and password) that are unique you end up with Result containing only one row with the information. You can then get the column values from each column:

string userName = Result.Rows[0].Field<string>("userName");
string password = Result.Rows[0].Field<string>("pwd");

Answer 9

您通常可以在MSDN上找到基本用法示例，例如SqlDataReader 。